rcegan (@rcegann)'s Twitter Profile
rcegan

@rcegann

Microsoft Sentinel Practice Lead @ MSSP. Defender, Detection Engineering, Threat Emulation. Blog-haver. Hack the planet.

ID: 838713770

Website: https://rcegan.xyz
Joined: 21-09-2012 23:09:22

1.1K Tweets

317 Followers

676 Following

rcegan (@rcegann):

Anyone ever setup the 'Repositories' feature in Microsoft Sentinel and had it work across multiple tenants? 👀

rcegan (@rcegann):

As a detection engineer, detection objectively sucks compared to prevention ;) Stop the baddies first, and keep the SOC alerts low :))

rcegan (@rcegann):

In keeping with the tenets of Elastic's detection engineering maturity model, I am going to spin up a DaC lab and see how we go. The native Sentinel 'Repositories' feature is a little underbaked, and I need to support multiple SIEM platforms, so should be good fun. 😎

rcegan (@rcegann):

After 6 years in the industry and multiple years fiddling with CI/CD pipelines, the day has come for me to finally perform a 3-way git merge

rcegan (@rcegann):

If anyone has designed Detection as Code repos and pipelines with CI/CD pushing content to *many* SIEM instances simultaneously, I'd love to talk! Designing something similar and I want to compare notes.

rcegan (@rcegann):

Today's a rare moment where I'm thankful the majority of orgs I know have migrated to M365 and SharePoint Online 👀

rcegan (@rcegann):

Detection as Code update:
* I have a YAML to ARM script (I'm working in Sentinel) turning the pseudocode into an analytics rule
* I have a script for deploying ARM templates into different (or multiple) Sentinel instances
* A basic CI/CD pipeline
Just need to put it all

Justin Elze (@hackinglz):

Enjoyable leak from NK. And Twitter/X is blocking the URL :( http[s]://data.ddosecrets.com/APT%20Down%20-%20The%20North%20Korea%20Files/

rcegan (@rcegann):

Shoutout to the folks at CrowdStrike who maintain FalconPy. Honestly such a great and easy to use wrapper for the bajillions of APIs that exist. My Detection as Code repo now supports NG-SIEM rules, alongside MS Sentinel 🤘🤘