A SIEM right out-of-the-box knows nothing.
It's just a fancy log collector until a cybersecurity professional teaches it what malicious activity looks like.
I learnt this the hard way building my first detection from scratch.
Full walkthrough👇
https://t.co/DHo82WpDsV
@sarveshtiwarit A small addition that might pay dividends later on is writing reports of the cybersecurity exercises that you do, and pushing them to GitHub.
Over time, this becomes public proof of not only your technical competency but also your communication skills.
DAILY CYBER REP 4 (beginner)
User clicks email link.
Soon after, their machine starts beaconing to 185.220.101.45 every 60s.
What do you investigate FIRST?
A) Browser history
B) Email sender domain
C) Destination IP reputation
D) Login history
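Whichever answer you pick, the first thing a SOC analyst wants is to confirm the symptom itself: a host calling out to one destination on a fixed cadence. The script below is an added example, not part of the original thread. It runs over constructed connection-log lines (the log format and the internal host 10.0.0.5 are assumptions; the destination IP is the one in the quiz), groups connections per source/destination pair, and flags pairs whose gaps between connections cluster tightly around one period. Jittered beacons are caught because the check is on the spread of the gaps relative to their median, not on an exact 60-second match.

```python
"""Periodic-beacon check over connection logs (added example).

Records of (timestamp, source IP, destination IP) are grouped per pair,
the gaps between consecutive connections are computed, and a pair is
flagged when it has enough connections and the gaps cluster tightly
around one period. The log lines are constructed sample data; the log
format and the 10.0.0.5 host are assumptions, the destination IP is the
one from the quiz.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log, one connection per line: "<ISO time> <src> -> <dst>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 -> 185.220.101.45
2024-05-01T09:01:01 10.0.0.5 -> 185.220.101.45
2024-05-01T09:01:59 10.0.0.5 -> 185.220.101.45
2024-05-01T09:03:00 10.0.0.5 -> 185.220.101.45
2024-05-01T09:04:02 10.0.0.5 -> 185.220.101.45
2024-05-01T09:05:00 10.0.0.5 -> 185.220.101.45
2024-05-01T09:00:12 10.0.0.5 -> 93.184.216.34
2024-05-01T09:00:15 10.0.0.5 -> 93.184.216.34
2024-05-01T09:02:40 10.0.0.5 -> 93.184.216.34
2024-05-01T09:02:41 10.0.0.5 -> 93.184.216.34
2024-05-01T09:04:55 10.0.0.5 -> 93.184.216.34
2024-05-01T09:07:30 10.0.0.5 -> 93.184.216.34
"""


def parse_log(text):
    """Parse the constructed format into (datetime, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def gaps_by_pair(records):
    """Map (src, dst) -> list of seconds between consecutive connections."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    gaps = {}
    for pair, seen in times.items():
        seen.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
    return gaps


def find_beacons(records, min_gaps=5, max_jitter_ratio=0.2):
    """Flag pairs whose gap spread (population stdev / median gap) is small.

    Real beacons usually add jitter, so the ratio is used rather than an
    exact 60 s match; tune both thresholds against your own baseline.
    """
    hits = []
    for (src, dst), gaps in gaps_by_pair(records).items():
        if len(gaps) < min_gaps:
            continue
        period = median(gaps)
        if period <= 0:
            continue
        jitter_ratio = pstdev(gaps) / period
        if jitter_ratio <= max_jitter_ratio:
            hits.append({
                "src": src,
                "dst": dst,
                "period_s": period,
                "jitter_ratio": round(jitter_ratio, 3),
                "connections": len(gaps) + 1,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period_s']:.0f}s ({hit['connections']} connections)")
```

On the sample data only the 185.220.101.45 pair is reported (median gap 61 s, jitter ratio about 0.03); the irregular traffic to the second address has a jitter ratio above 0.5 and is left alone. In a SIEM the same logic maps to a per-pair aggregation over a time window, with the thresholds tuned so legitimate keep-alives and update checks are baselined rather than alerted on.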
@TheCyberPatron_ A false positive means SIEM raised an alert on a benign activity.
A false negative means the system didn't recognize a malicious activity.
A false negative carries significantly more impact than a false positive.
@whoischizu @Ahmed___khaan I set up two VMs in VirtualBox: an Ubuntu VM for Splunk and a Windows VM as my victim machine. Logs flowed from Windows to Ubuntu.
Then I simulated attacks using something called Atomic Red Team. It allows you to simulate ATT&CK TTPs with just a command.
@cyber_with_tega Is any of the documentation public?
I really struggle with documenting, and understanding what to document, when to document.
If I pause to document it feels like I lose momentum and flow
Which protocol is responsible for translating human-readable website names (like https://t.co/F9s7YDeg1k) into numerical IP addresses?
A. DHCP
B. HTTP
C. DNS
D. SMTP
@CyberRacheal DNS (Domain Name Service) translates domain names to respective IP addresses.
I recently wrote a small writeup about how this protocol is used by attackers to exfiltrate data.
https://t.co/wMs9lEUzuM
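The writeup itself is behind the link, but the defender's side of DNS exfiltration is easy to show: data leaving over DNS has to be encoded into the labels of queries for a domain the attacker controls, so those queries stand out by label length, label entropy, and the number of distinct names seen under one registered domain. The script below is an added example, not part of the original thread or the linked writeup. It scores constructed sample query lines on those three signals; the log format, the 10.0.0.5 client, the placeholder domain exfil-example.net and the "registered domain = last two labels" rule are assumptions.

```python
"""Scoring DNS query logs for tunnelling-style exfiltration (added example).

Encoded data in queries for an attacker-controlled domain tends to show
long, high-entropy leftmost labels and many distinct subdomains under one
registered domain. This script scores constructed sample queries on those
signals. The log format, the 10.0.0.5 client, the placeholder domain
exfil-example.net and the 'last two labels' domain rule are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample query log: "<client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.5 www.example.com
10.0.0.5 9f3a1c7e4b2d8e6f0a5c3b1d7e9f2a4c6b8d0e1f.exfil-example.net
10.0.0.5 2b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9a0b2c.exfil-example.net
10.0.0.5 c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4d6f8a0c2.exfil-example.net
10.0.0.5 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.exfil-example.net
"""


def shannon_entropy(label):
    """Bits of entropy per character (tops out near 4 for hex, 5 for base32)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_domain(name):
    """Assumption: registered domain = last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_dns_log(text):
    """Parse the constructed format into (client_ip, queried_name) tuples."""
    queries = []
    for line in text.splitlines():
        if line.strip():
            client, name = line.split()
            queries.append((client, name))
    return queries


def find_dns_exfil(queries, min_distinct=3, min_avg_len=30, min_avg_entropy=3.0):
    """Flag (client, domain) pairs with many distinct, long, high-entropy labels.

    All three conditions must hold: a busy legitimate domain has many
    distinct names but short labels, so distinct-count alone would be noisy.
    """
    per_domain = defaultdict(set)
    for client, name in queries:
        per_domain[(client, registered_domain(name))].add(name.lower())
    hits = []
    for (client, domain), names in per_domain.items():
        leftmost = [n.split(".")[0] for n in names]
        avg_len = sum(len(lab) for lab in leftmost) / len(leftmost)
        avg_entropy = sum(shannon_entropy(lab) for lab in leftmost) / len(leftmost)
        if (len(names) >= min_distinct and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            hits.append({"client": client, "domain": domain,
                         "distinct_names": len(names),
                         "avg_label_len": round(avg_len, 1),
                         "avg_entropy": round(avg_entropy, 2)})
    return sorted(hits, key=lambda h: h["domain"])


if __name__ == "__main__":
    for hit in find_dns_exfil(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{hit['client']} -> {hit['domain']}: {hit['distinct_names']} names, "
              f"avg label {hit['avg_label_len']} chars, entropy {hit['avg_entropy']}")
```

On the sample data example.com is not flagged even though it has three distinct names, because its labels are short and low-entropy; the placeholder exfil domain is flagged on all three signals. In production the per-domain aggregation would run over a window of resolver or firewall DNS logs, with an allowlist for CDNs and security vendors whose legitimate traffic also uses long machine-generated labels.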
@Ahmed___khaan Yes, on both actually.
TryHackMe - I'm currently doing the SOC Level 2 learning path.
LetsDefend - I use it mainly to practice alert investigation. The one thing I don't do yet is go deeper into each alert.
I tend to just follow the playbooks provided.