Logstash Performance Degradation Memory Leak
I have a couple of windows server data collectors which slowly over time suffer an ingestion degradation as shown above. Restarting logstash on the server would bring ingrestion rates back…
Posted inBreach
Manage My Health Breach
Manage My Health, primarily used as a GP Patient portal was hacked on and data was stolen relating to a large number of New Zealanders. What do we know so…
Posted inAI sentinel SentinelOne
A long way to go for AI implementations in SIEM platforms
Trend Agentic AI SIEM The Trend Agentic AI SIEM agent is another example of a company rushing out an AI function without proper design considerations. Rather than focusing on some…
Posted inNifi sentinel SentinelOne
Nifi Groovyscript to convert JSON table array to key value JSON format
If you have data in a nested table array you can convert it to the standard key:value JSONpair by using the below groovyscript. Below is a sample of the data…
Posted inSentinelOne siem
SentinelOne AI SIEM Indicator API
Ever wondered how you get the indicator tab in the SentinelOne AI SIEM alerts populated? Sadly the official documentation is more misleading than helpful so hopefully I can shed some…
Posted inSentinelOne siem
Threat Intelligence in SentinelOne AI Siem
Endpoint URL: https://{your sentinelone console domain}/web/api/v2.1/threat-intelligence/iocs
Headers Required: Authorization Content-Type
Official Documentation: https://{your sentinelone console domain}/new-api-docs
Limitations of the SentinelOne AI SIEM Threat Intelligence API:
- It can take up to 25 minutes for a new IoC to become active.
- The database can hold up to 1 million IoC entries per scope and an error shows after the limit is reached.
- The DELETE command does not filter by method, pattern, or patternType.
These values under data are required fields: "source", "type", "value", and "method".
"Type" and "method" must be in upper case.
The “validUntil” field is mandatory, and must contain a date, for example, 2021-03-20 09:14:47.779000. “validUntil” determines when the IOC expires.
If the expiration date (“validUntil”) is left blank, by default it will be the upload date plus a default offset value:
- 14 days for IPs
- 90 days for URLs and domains
- 180 days for file hashes (SHA1, SHA256, and MD5)
The maximum offset values allowed are:
- 30 days for IPs
- 180 days for URLs and Domains
- 180 days for hashes (SHA1, SHA256, and MD5)
IOC types it can handle are (uppercase) SHA1, SHA256, MD5, IPV4, IPV6, DNS, URL
The upload date is when the API gets a request to create an IOC.
If the expiration date is later than the upload date plus the the maximum offset value allowed, it will be adjusted to the upload date plus the maximum offset value allowed.
Posted inNifi
NiFi Groovy Script to Find 1st and Last IPs in Subnet
Takes a subnet cidr from a flowfile attribute called subnetCidr as shown below and returns the first and last usable IP addresses as attributes Add the below code into the script…
Posted inThreat Intelligence
Unusual user agent VPN attempts CitrixReceiver/23.11.1.41 Windows/10.0 AuthManager/23.11.0.9 (Release) X1Class CWACapable CWA/23.11.1.41
We're seeing unusual patterns of login attempts against our customers netscalers with the only thing in common the user-agent: CitrixReceiver/23.11.1.41 Windows/10.0 AuthManager/23.11.0.9 (Release) X1Class CWACapable CWA/23.11.1.41 Some are brute force…
Posted inThreat Intelligence
Netscaler Credential Stuffing Attack
We have recently identified another new persistent citrix netscaler credential stuffing attack against one of our customers using recently compromised credentials from users who had fallen victim to infostealers. This…
Posted insentinel Threat Intelligence
Credential stuffing attacks against Azure Portal from Set User Agent and Device
We have recently identified a persistent credential stuffing attack against some of our customers. Credential stuffing is a cyberattack method in which attackers use lists of compromised user credentials to breach into a system.…