Deadwood 2020 (Virtual Con)
Friday, September 25 • 11:00am - 11:50am
Converting Blue Team expertise of customer networks into advanced host-based alerting


What happens when the dream of host event log aggregation is realized and you have to figure out what to do with ALL that data? Through solutions such as Splunk and the Elastic Stack, many blue teamers finally have access to millions/billions of Windows event logs, Sysmon, endpoint protection logs, and other log types. Often the challenge of creating alerts from this data looks a lot like attempting to implement Sigma and hoping you can alert on evil. This presentation will describe how to transform a blue team's knowledge of a customer's network into advanced signature creation. We will cover my experiences in tuning to a customer's traffic and creating alerts on the negative space, simplifying complex Sigma rules, future-proofing alerts against schema changes, and considering search performance at the same time. Additionally, this presentation will show how to take events collected during Red Team engagements and build alerting specific to the customer environment that will pay dividends in the future.
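As an added illustration of two of the ideas named in the abstract (alerting on the negative space, and keeping a rule usable across a schema change), not code from the talk or its speaker: the rule below allowlists the process parent/child pairs a customer's hosts are expected to produce and fires on anything outside that set, and it reads each logical field through a list of aliases so the same logic accepts raw Sysmon field names (Image, ParentImage, EventID, Computer) or ECS-style names (process.executable, process.parent.executable, event.code, host.name). The baseline, host-to-role mapping and sample events are constructed for the example and are assumptions, not data from the page.

```python
"""
Negative-space alerting over process-creation events.

Added example, not code from the presentation. Assumptions:
  * BASELINE and HOST_ROLES are constructed stand-ins for the
    customer-specific knowledge a blue team would gather;
  * events arrive either with raw Sysmon field names or with
    ECS-style names, so the rule looks up fields through aliases
    rather than hard-coding one schema.
"""
from collections.abc import Mapping
from typing import Any, List, Optional, Tuple

# One logical field, several schema spellings. Adding an alias here is the
# only change needed when the ingest pipeline renames a field.
FIELD_ALIASES = {
    "image":        ("Image", "process.executable", "process.name"),
    "parent_image": ("ParentImage", "process.parent.executable", "process.parent.name"),
    "host":         ("Computer", "host.name"),
    "event_id":     ("EventID", "event.code"),
}

def get_field(event: Mapping[str, Any], concept: str) -> Optional[str]:
    """Return the first present alias for a logical field. Each alias is tried
    as a flat key first, then as a dotted path into nested dicts."""
    for alias in FIELD_ALIASES[concept]:
        if alias in event:
            return str(event[alias])
        node: Any = event
        for part in alias.split("."):
            if isinstance(node, Mapping) and part in node:
                node = node[part]
            else:
                node = None
                break
        if node is not None and not isinstance(node, Mapping):
            return str(node)
    return None

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, so the baseline is not
    tied to install directories or letter case."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Constructed baseline of expected (parent, child) pairs per host role.
# Everything outside these sets is the "negative space" the alert fires on.
BASELINE = {
    "workstation": {
        ("explorer.exe", "outlook.exe"),
        ("explorer.exe", "chrome.exe"),
        ("services.exe", "svchost.exe"),
    },
    "web-server": {
        ("services.exe", "svchost.exe"),
        ("services.exe", "w3wp.exe"),
    },
}
# Constructed host-to-role mapping (in practice, from the customer's asset inventory).
HOST_ROLES = {"WS01": "workstation", "WEB01": "web-server"}

def negative_space_alerts(events) -> List[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """Return (host, parent, child) for every process-creation event (Sysmon
    EID 1 / event.code 1) whose parent/child pair is outside its role's baseline.
    Unknown hosts and events missing a process field are surfaced rather than
    silently dropped, since a gap in the baseline is itself worth a look."""
    alerts = []
    for ev in events:
        if get_field(ev, "event_id") != "1":
            continue
        host = get_field(ev, "host")
        role = HOST_ROLES.get(host)
        image, parent = get_field(ev, "image"), get_field(ev, "parent_image")
        if role is None or image is None or parent is None:
            alerts.append((host, parent, image))
            continue
        pair = (basename(parent), basename(image))
        if pair not in BASELINE[role]:
            alerts.append((host, pair[0], pair[1]))
    return alerts

# Constructed sample events, one per schema, plus a non-process event to be ignored.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": {"code": "1"}, "host": {"name": "WEB01"},
     "process": {"executable": "C:\\Windows\\System32\\cmd.exe",
                 "parent": {"executable": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}}},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for alert in negative_space_alerts(SAMPLE_EVENTS):
        print("ALERT host=%s parent=%s child=%s" % alert)
```

On the sample input only the ECS-shaped event fires (w3wp.exe spawning cmd.exe on the web server); the Chrome launch on the workstation is in the baseline and the network-connection event is not a process creation. The same allowlist logic translates directly into a Splunk or Elastic search using a lookup table, where the allowlist is the customer-tuned part and the alias list is what survives a field rename.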


Stephen Spence

Stephen Spence is currently a Cybersecurity Analyst at DISA Defensive Operations Center - Europe. He enjoys implementing creative solutions to improve detection and alerting. Before joining the team, he worked in most of the varied aspects of the cyber profession from vulnerability...

Friday September 25, 2020 11:00am - 11:50am MDT
Track 2