Detection Opportunities

Podcast by CYBERWOX

English

Technology & science

About Detection Opportunities

Detection Opportunities is a podcast for security professionals who care about building resilient detection and response systems. Each episode explores real-world attacks, breaks down how signals become insights, and dives into the engineering mindset behind effective threat detection, investigation, and defense. Grounded in frontline experience across SIEM development, security operations, incident response, and threat hunting, this show brings a practical, systems-level lens to modern security engineering.

All episodes

9 episodes

Detection-as-Code & CI/CD in Detection Engineering with Dennis Chow | EP. 9

Detection as Code is one of the most important evolutions in modern security detection, and in this video, we break it down. I first encountered this concept as a Cloud Threat Detection Engineer at Datadog. Today, I’m joined by Dennis Chow, a Detection Engineering specialist and author of Automating Security Detection Engineering (which I had the honor of technically reviewing). Together, we explore what Detection as Code really means and walk through two hands-on CI/CD pipeline demos:

  • Lab 1: Building SIEM detections with synthetic AI testing using Sumo Logic
  • Lab 2: Policy-as-Code integration testing with Cloud Custodian on GCP

You’ll learn how Detection as Code leverages Git, automated testing, reproducibility, collaboration, and CI/CD to make detection engineering more scalable, accountable, and reliable.

Dennis' Blog [https://dwchow.medium.com/]
Dennis' GitHub [https://github.com/dc401/]
Dennis' LinkedIn [https://www.linkedin.com/in/dwchow/]

📁 RESOURCES
  • GitHub repo for lab 1 [https://github.com/dc401/cwx-demo-sumo]
  • GitHub repo for lab 2 [https://github.com/dc401/cwx-demo-gcp]
  • Dennis’ book [https://amzn.to/3WAi5XY]
  • My book review [https://youtu.be/jq97mTm7s9w]
  • Our podcast episode together [https://youtu.be/HZHoRnGm-Go]

⚡️ JOIN 6,000+ CWX MEMBERS ON DISCORD [https://discord.gg/cyberwoxacademy]
📰 SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER [https://cyberwoxunplugged.com]
🥶 CYBERWOX MERCH [https://store.cyberwox.com]

🧬 CYBERWOX RESOURCES
  • Cyberwox Cybersecurity Notion Templates for planning your career [https://daycyberwox.gumroad.com/l/cyberlearningframework]
  • Cyberwox Best Entry-Level Cybersecurity Resume Template [https://daycyberwox.gumroad.com/l/cybersecurityresume]
  • Learn AWS Threat Detection with my LinkedIn Learning Course [https://www.linkedin.com/learning/introduction-to-aws-threat-detection/]

📱 LET'S CONNECT
  • IG [https://www.instagram.com/daycyberwox]
  • Threads [https://www.threads.net/@daycyberwox]
  • Substack [https://substack.com/@cyberwox]
  • Twitter [https://twitter.com/DayCyberwox]
  • LinkedIn [https://www.linkedin.com/in/dayspringjohnson/]
  • TikTok [https://www.tiktok.com/@cyberwox]
  • Email: day@cyberwox.com

⚠️ DISCLAIMER
This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!

Jun 6, 2025 - 43 min
Applying AI, LLMs & Prompt Engineering for Threat Detection with Dylan Williams | EP. 8

Visit my sponsor [https://snhu.edu/cyberwox] to view the current average annual salary for a Cybersecurity degree and learn how to get started.

I had the pleasure of hosting Dylan Williams and we explored how AI can be applied in cybersecurity, focusing on threat detection. We also examined how his project, D.I.A.N.A., turns threat intelligence reports into actual detections.

Connect with Dylan [https://www.linkedin.com/in/dylan-williams-a2927599/]
Dylan's Resource on Applying LLMs & GenAI to Cybersecurity [https://start.me/p/9oJvxx/applying-llms-genai-to-cyber-security]
Dylan's Medium [https://medium.com/@dylanhwilliams]
D.I.A.N.A Project [https://github.com/dwillowtree/diana]
D.I.A.N.A App [https://dianast.streamlit.app/]

TIMESTAMPS
00:00 Intro
01:39 Dylan's Background
02:40 How Dylan started exploring AI
03:07 SNHU
04:36 Dylan's ChatGPT Moment
06:22 Training LLMs for Cybersecurity
09:53 Updating LLMs
14:27 D.I.A.N.A - Detection and Intelligence Analysis for New Alerts
17:07 Going from Threat Intelligence to Threat Detection
32:02 Getting started with LLMs & Gen AI for Cybersecurity
33:55 Connect with Dylan
35:12 Outro

Apr 29, 2025 - 35 min
Get-RoleGroup - Detecting Attacker Enumeration in Microsoft 365 Exchange with Purav Desai | EP. 7

Purav's LinkedIn [https://www.linkedin.com/in/purav-da346393/]
Deciphering UAL [https://github.com/PuravsPoint/DecipheringUAL]
Exchange Admin Audit Logging [https://learn.microsoft.com/en-us/purview/audit-log-activities#exchange-admin-activities]
Office365 Management Activity API [https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32]
Connect-IPPSSession [https://learn.microsoft.com/en-us/powershell/module/exchange/connect-ippssession?view=exchange-ps]

TIMESTAMPS
00:00 Intro
00:36 Get-RoleGroup Operation
01:37 Enumeration is not logged??
05:53 SNHU
07:22 Using the Security Compliance Center EOPCmdlet
08:54 Abusing Purview Compliance & E-Discovery
10:21 Useful Log Fields & Key Fields of note
12:48 Attack Demo
14:45 Fields to Decipher
15:51 How To Detect/Analyse
17:59 Get-RoleGroupMember
19:39 Useful Log Fields
20:30 Attack Demo
23:01 Segmentation Of Behaviors
23:57 Connect-IPPSSession
26:07 Final Thoughts
27:40 Outro

Apr 29, 2025 - 27 min
Add-RoleGroupMember - Detecting Persistence in Microsoft 365 Exchange with Purav Desai | EP. 6

Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. In today's episode, we explore the Add-RoleGroupMember operation in Exchange Online.

Purav's LinkedIn [https://www.linkedin.com/in/purav-da346393/]
Deciphering UAL [https://github.com/PuravsPoint/DecipheringUAL]
Microsoft Application IDs [https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in]
Permission Alert Policy [https://learn.microsoft.com/en-us/purview/alert-policies#permissions-alert-policies]

TIMESTAMPS
00:00 Intro
00:48 Add-RoleGroupMember Overview
03:22 The Result Status
04:53 The Application IDs
08:59 Key Fields of Note
10:39 Fields to Decipher
20:14 Detection - Permission Alert Policies
23:18 Custom Alerting
24:32 Final Thoughts
25:39 Outro

Apr 29, 2025 - 25 min
New-RoleGroup - Detecting Privilege Escalation in Microsoft 365 with Purav Desai | EP. 5

Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder.

Purav's LinkedIn [https://www.linkedin.com/in/purav-da346393/]
Deciphering UAL [https://github.com/PuravsPoint/DecipheringUAL]
Learn about auditing solutions in Microsoft Purview [https://learn.microsoft.com/en-us/purview/audit-solutions-overview]

TIMESTAMPS
00:00 Intro
00:20 Deciphering New-RoleGroup
09:06 Key Fields
10:11 Deciphering with Exchange Online PowerShell
13:42 Detection Opportunities
16:16 SIEM & Attacker Tactics
21:43 Outro

Apr 29, 2025 - 21 min