SYSMON Playbook – Event ID 1

Windows by default records most of the activity on the OS in the Windows event logs, which can be viewed in Windows Event Viewer. However, Sysmon is much better when it comes to providing visibility into process execution. Sysmon is a great tool which is used to monitor the system and log […]

Disable Microsoft Defender – Detection

This was a simple detection where the Microsoft Defender services were blocked and the resulting events were observed. Detection queries for the same are given at the end. Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer. Microsoft SpyNet is the online community that helps you decide the […]

Sysmon Playbook Event ID 15

When a file is downloaded from the internet it is saved to the local system. This event ID records the creation of a named file stream, which most often happens when a web browser downloads a file and writes the Zone.Identifier stream to it. As is evident in the picture, the Image is chrome.exe and the Target File Name is the Mimikatz file. It is pertinent […]
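Added example, not code from the playbooks on this page: a small rule-based triage of Sysmon records in the XML form that Event Viewer exports, covering the three Sysmon posts above. It flags an Event ID 1 (process creation) whose command line disables Defender real-time protection, and an Event ID 15 in which a browser writes the Zone.Identifier stream (ZoneId=3, Internet) of a downloaded executable. The three sample events, the hostname WS01.lab.local, the user, paths and hash are all constructed; the command-line markers and browser list are this example's own choices, not the detection queries from the posts.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real telemetry) in the XML shape Event Viewer exports for Sysmon.
SAMPLE_EVENTS = [
    # Event ID 1: real-time protection switched off from a PowerShell command line.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.lab.local</Computer></System>
<EventData>
<Data Name="UtcTime">2023-05-01 10:15:02.123</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"</Data>
<Data Name="User">LAB\alice</Data>
<Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
</EventData></Event>""",
    # Event ID 15: Chrome writes the Zone.Identifier stream on a downloaded executable.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>15</EventID><Computer>WS01.lab.local</Computer></System>
<EventData>
<Data Name="UtcTime">2023-05-01 10:16:40.555</Data>
<Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\Downloads\mimikatz.exe:Zone.Identifier</Data>
<Data Name="Hash">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
<Data Name="Contents">[ZoneTransfer]  ZoneId=3  HostUrl=https://example.invalid/mimikatz.exe</Data>
</EventData></Event>""",
    # Event ID 1: benign process creation that must not alert.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.lab.local</Computer></System>
<EventData>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe C:\Users\alice\notes.txt</Data>
<Data Name="User">LAB\alice</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
</EventData></Event>""",
]

# Command-line fragments that stop or neuter the Defender service (example's own list).
DEFENDER_TAMPER_MARKERS = (
    "set-mppreference -disablerealtimemonitoring",
    "sc stop windefend",
    "sc config windefend start= disabled",
    "net stop windefend",
)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr", ".msi", ".lnk")


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID, Computer, plus every EventData field."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def rule_defender_tamper(ev):
    """Event ID 1: a process whose command line disables or stops Microsoft Defender."""
    if ev["EventID"] != 1:
        return None
    cmd = " ".join(ev.get("CommandLine", "").lower().split())  # collapse whitespace
    if any(marker in cmd for marker in DEFENDER_TAMPER_MARKERS):
        return "Defender disabled/stopped from the command line: " + ev["Image"]
    return None


def rule_browser_download(ev):
    """Event ID 15: a browser wrote a Zone.Identifier stream (ZoneId=3) on an executable."""
    if ev["EventID"] != 15:
        return None
    target, suffix = ev.get("TargetFilename", ""), ":Zone.Identifier"
    if not target.lower().endswith(suffix.lower()):
        return None
    on_disk = target[: -len(suffix)]  # strip the stream name to get the file path
    process = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    zone = re.search(r"ZoneId=(\d)", ev.get("Contents", ""))  # tolerant of how Contents is spaced
    if process in BROWSERS and zone and zone.group(1) == "3" and on_disk.lower().endswith(EXECUTABLE_EXT):
        return "Executable downloaded from the Internet zone by " + process + ": " + on_disk
    return None


RULES = (rule_defender_tamper, rule_browser_download)


def triage(xml_records):
    """Run every rule over every record; return one (EventID, Computer, message) tuple per hit."""
    alerts = []
    for record in xml_records:
        ev = parse_event(record)
        for rule in RULES:
            message = rule(ev)
            if message:
                alerts.append((ev["EventID"], ev["Computer"], message))
    return alerts


if __name__ == "__main__":
    for event_id, host, message in triage(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {host}: {message}")
```

The Zone.Identifier check keys on ZoneId=3 rather than on the browser alone, so a stream written for a locally created file or an intranet download is not flagged; on a real host the same records can be pulled with Get-WinEvent from the Microsoft-Windows-Sysmon/Operational log and fed to `triage` as the XML returned by each event's ToXml() method.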

What is SIEM and its functionality

A SIEM is a tool that collects, aggregates and normalizes data, analyses it according to pre-set rules, and presents the result in a human-readable format. The video below describes in detail the internal working of SIEM solutions, how the different vendors use this functionality, and the different terminologies they use. It briefly […]

What is Security Operations Center (SOC)

A Security Operations Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve the organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. Below you will find the link to my presentation on this topic, where you can watch the complete video.

Alien Vault Reconfiguration

alienvault-reconfig creates the live configuration, loads the appropriate values, and makes sure that all required changes are made to dependent service configurations. Running the alienvault-reconfig command initiates those changes, writing them to the appropriate configuration files and database fields and restarting the affected services so that they load the new settings. Some of the options that can be pursued to […]

Alien Vault Events Not Coming

Some of the options that can be pursued to troubleshoot and resolve this issue are given below: Log in to the AlienVault server using PuTTY with the “root” credentials. After login you will see the following screen. Select “Jailbreak System”, click “Yes” or press “Enter” on the keyboard, and accept the “Jailbreak Commandline Notice” in […]

Alien Vault TCPdump Troubleshoot

Some of the options that can be pursued to troubleshoot and resolve this issue are given below: Log in to the AlienVault server using PuTTY with the “root” credentials. After login you will see the following screen. Select “Jailbreak System”, click “Yes” or press “Enter” on the keyboard, and accept the “Jailbreak Commandline Notice” in […]

Alien Vault Configuration Backup

Backing up the configuration is one of the important things an analyst should take care of, since the AlienVault configuration includes the system profile, network configuration, inventory data, plugins, correlation directives, and so on. The analyst must therefore keep a copy of the configuration file. STEPS Log in to the server via WinSCP. Go to this path: /var/alienvault/backup/ File […]

Alien Vault Update

If an update is available from AlienVault, please follow the points mentioned below. To check whether an update is available, open your browser and enter the AlienVault server URL. Log in to AlienVault, go to “Configurations –> Deployment” and look for any comments under the “New Updates” column.