Introduction We are happy to announce that the awesome people maintaining the Sigma project on GitHub have merged our work to support the ee-outliers backend! So what can you do with this? Sigma already contained support for Elasticsearch through the es-dsl and es-qs backends. However, these generated queries then need to be integrated by … Continue reading Sigma engine adds support for ee-outliers backend: start tagging your Sigma hits in Elasticsearch!
Author: Daan Raman
Email alerting on geographically suspicious firewall connections using logalert.py, geoiplookup and AbuseIPDB
Introduction Earlier this week, we released logalert.py, a simple python tool that can be used to pipe standard output to email for the purpose of alerting. In this blog post we want to give a concrete example of how logalert.py can be used to get simple & reliable email notifications about suspicious firewall connections, based on … Continue reading Email alerting on geographically suspicious firewall connections using logalert.py, geoiplookup and AbuseIPDB
Releasing logalert.py – Smart piping of command output to email for alerting
Introduction Today we are releasing a small but useful tool, logalert.py. This tool can be used to pipe standard output to email for the purpose of alerting. A simple caching system is used to avoid sending duplicate alerts within a certain timeframe. The tool was developed for cases where you want a simple and robust … Continue reading Releasing logalert.py – Smart piping of command output to email for alerting
Sunsetting NVISO ApkScan
Today, we are announcing the retirement of NVISO ApkScan, our online malware scanning service we launched back in 2013. ApkScan was born with the purpose of offering the (security) community a free, reliable and quality service to statically and dynamically scan Android applications for malware. Since the inception of the project, it has been a … Continue reading Sunsetting NVISO ApkScan
Detecting suspicious child processes using ee-outliers and Elasticsearch
In this post, we will illustrate how ee-outliers can be used to detect suspicious child processes. This can be a very helpful way of spotting malicious endpoint activity during our Threat Hunting activities. A few examples where detecting suspicious child processes could help us: Detection of a malicious Microsoft Word file spawning cmd.exe Detection of … Continue reading Detecting suspicious child processes using ee-outliers and Elasticsearch
TLS beaconing detection using ee-outliers and Elasticsearch
Earlier today, we open-sourced ee-outliers, our in-house developed framework to detect outliers in events stored in Elasticsearch. This blog post is the first of several in which we want to dive a bit deeper into how we use ee-outliers ourselves in our own security monitoring activities. Today we will look at how ee-outliers can be … Continue reading TLS beaconing detection using ee-outliers and Elasticsearch
Announcement: open-sourcing ee-outliers
Today, we are excited to announce we are open-sourcing ee-outliers, our in-house developed framework to detect outliers in events stored in Elasticsearch! The framework was developed for the purpose of detecting anomalies in security events; however, it could just as well be used for the detection of outliers in other types of data. We have … Continue reading Announcement: open-sourcing ee-outliers
Filtering out top 1 million domains from corporate network traffic
During network traffic analysis and malware investigations, we often use IP and domain reputation lists to quickly filter out traffic we can expect to be benign. This typically includes filtering out traffic related to the top X most popular websites world-wide. For some detection mechanisms, this technique of filtering out popular traffic is not recommended … Continue reading Filtering out top 1 million domains from corporate network traffic
Going beyond Wireshark: experiments in visualising network traffic
Introduction At NVISO Labs, we are constantly trying to find better ways of understanding the data our analysts are looking at. This ranges from our SOC analysts looking at millions of collected data points per day all the way to the malware analyst tearing apart a malware sample and trying to make sense of its … Continue reading Going beyond Wireshark: experiments in visualising network traffic
Using binsnitch.py to detect files touched by malware
Yesterday, we released binsnitch.py - a tool you can use to detect unwanted changes to the file system. The tool and documentation are available here: https://github.com/NVISO-BE/binsnitch. Binsnitch can be used to detect silent (unwanted) changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based … Continue reading Using binsnitch.py to detect files touched by malware