Setup and Securing Winlogbeat

Winlogbeat is a lightweight open-source Windows agent that uses the Windows API to ship different event logs to Logstash or Elasticsearch. I have been a Splunk user for quite some time, but I have started to also leverage the Elastic Stack at work and in my home lab. This post is for my reference and anyone trying to configure … Read more

Ingesting PCAP Files with Zeek and Splunk

Whenever I want to analyze a relatively small packet capture (PCAP), I load it up in Wireshark and get the job done. However, this process does not scale and becomes a problem with large-sized pcap files. Even if you split, let’s say, a 25 terabyte PCAP up into smaller chunks, can you imagine how long it would … Read more

Blue Team Tactics: Honey Tokens Pt. III

This is the final part of a multipart blog post, read part one and two then continue here. In part 2, we simulated adversary interaction with our deployed tokens and then leveraged Windows Event Viewer to assess the generated artifacts. What follows will be several options for getting the audit logs from the endpoints to … Read more