Managing SIEM Log Collectors at Scale with Ansible and GitHub Actions – Part 1

A Security Operations Center (SOC) watches an organization’s IT systems for cyber threats 24/7. It quickly finds and fixes security problems and uses Security Information and Event Management (SIEM) tools to collect and analyze alerts and logs. SIEMs depend on log Collectors servers, which gather data from many sources and send it to the SIEM. … Continue reading Managing SIEM Log Collectors at Scale with Ansible and GitHub Actions – Part 1 →

Validate your Windows Audit Policy Configuration with KQL

We provide a KQL query that will help you validate your defined Windows audit security policy configuration. Defining a Windows audit policy is an important step in establishing a robust security posture. Ensuring that the audit policy is applied consistently across your environment is just as important as defining that policy and quality controls should be in place.

Hunting for Remote Management Tools

In today's digital landscape, Remote Management and Monitoring (RMM) tools have become indispensable for organizations seeking to streamline IT operations, enhance productivity, and ensure seamless remote support. However, within our threat hunting and incident response engagements we often see that these tools, while beneficial, can also pose significant security risks if not properly managed. This … Continue reading Hunting for Remote Management Tools →

RPC or Not, Here We Log: Preventing Exploitation and Abuse with RPC Firewall

Welcome, readers, to the first installment of our blog series "Preventing Exploitation and Abuse with the RPC Firewall".In this post, we'll delve into how to create rules for the RPC firewall and how to deploy them onto our servers.In the year 2024, we'll release the second part of this series, where we'll explore detection possibilities … Continue reading RPC or Not, Here We Log: Preventing Exploitation and Abuse with RPC Firewall →

Enforcing a Sysmon Archive Quota

This blog post will create a Sysmon archive quota through WMI event consumption to avoid storage exhaustion.

Detecting & Preventing Rogue Azure Subscriptions

In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.