CVE-2021-34527 (CVE-2021-1675) PrintNightmare – Detection by SIEM Guide

CVE-2021-1675

Overview

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. (Source: https://www.kb.cert.org/vuls/id/383432)

Guide to detect by SIEM:

GPO: Verify the event logs are enabled:
- Microsoft-Windows-SMBClient/Security
- Microsoft-Windows-PrintService/Admin
- Microsoft-Windows-PrintService/Operational

WEF: Configure the WEF subscription […]
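Once those channels are collected, the SIEM still needs logic that turns PrintService records into an alert. The following is an added example written for this page, not code from CyberSIEM's guide, and it runs over constructed sample records rather than live logs. The event IDs it keys on are assumptions taken from publicly documented PrintService behaviour, not from the page: 316 (a printer driver was added or updated, Operational channel) and 808 (the spooler failed to load a plug-in module, Admin channel). The baseline of known driver DLL names is likewise constructed and would be replaced by your own inventory.

```python
"""Flag PrintService events consistent with a malicious driver load.

Added example, not part of the CyberSIEM guide. Event IDs 316 and 808 and
the driver-file baseline are assumptions (publicly documented PrintService
events), and SAMPLE_EVENTS are constructed records, not captured logs.
"""
import re
from dataclasses import dataclass

# Constructed records in the shape a SIEM holds after parsing the
# PrintService channels: channel, event id, rendered message text.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver HP Universal for Windows x64 Version-3 was added "
                "or updated. Files:- UNIDRV.DLL, hpcu215u.dll. No user action is required."},
    {"channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required."},
    {"channel": "Microsoft-Windows-PrintService/Admin", "id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\old\\1\\evil.dll, "
                "error code 0x45A."},
    {"channel": "Microsoft-Windows-PrintService/Operational", "id": 307,
     "message": "Document 5 printed on printer HP Universal."},
]

# Assumed baseline of DLLs that legitimate driver installs bring in
# (constructed; in practice built from your own driver inventory).
BASELINE_DRIVER_FILES = {"unidrv.dll", "hpcu215u.dll", "pscript5.dll"}

DRIVER_FILES_RE = re.compile(r"Files:-\s*(?P<files>.+?)\.\s*No user action", re.S)
PLUGIN_PATH_RE = re.compile(r"plug-in module\s+(?P<path>\S+?),\s*error code", re.I)
# The driver store's "old\<n>" directory is where a failed plug-in load
# from an attacker-supplied DLL shows up; treat loads from there as hostile.
OLD_DRIVER_DIR_RE = re.compile(r"\\spool\\drivers\\.*\\old\\", re.I)


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def analyse(events, baseline=BASELINE_DRIVER_FILES):
    """Return a Finding for each record that matches one of the two checks."""
    findings = []
    for ev in events:
        if ev["id"] == 316:
            m = DRIVER_FILES_RE.search(ev["message"])
            files = [f.strip().lower() for f in m.group("files").split(",")] if m else []
            unknown = sorted(f for f in files if f not in baseline)
            if unknown:
                findings.append(Finding(316, "driver added with non-baseline DLLs",
                                        ", ".join(unknown)))
        elif ev["id"] == 808:
            m = PLUGIN_PATH_RE.search(ev["message"])
            path = m.group("path") if m else ""
            if OLD_DRIVER_DIR_RE.search(path):
                findings.append(Finding(808, "plug-in load failure from driver store 'old' directory",
                                        path))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}: {f.detail}")
```

The first record (a driver whose files are all in the baseline) and the ordinary print job produce nothing; the unknown DLL in the second 316 and the 808 load from the `old` directory each produce a finding. Correlating the two on the same host within a short window is the higher-confidence rule; this block shows the per-event checks that such a rule would be built on.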

How to prevent your SIEM from being blind

Learn how to prevent your SIEM from being blind. An article by Mr. Eli Bentiah, CyberSIEM's CEO.

Getting log files from multiple systems requires additional work: correct permissions, appropriate network settings, proper resource allocation, and KeepAlive alerts. But what happens if something goes wrong? The log files simply will not arrive. We will focus on a problem that can cause peripheral blindness […]
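A KeepAlive alert is the control that turns "the log files will not arrive" into something the SIEM notices. The following is an added example, not the article's or CyberSIEM's tooling: it tracks the last event seen per source and reports every expected source whose silence exceeds its own allowance. The source names, allowances and event stream are constructed; the one detail worth copying is that a source that has never sent anything is reported too, since a collector misconfigured from day one otherwise never appears in any gap calculation.

```python
"""KeepAlive check: which expected log sources have gone silent?

Added example, not from the CyberSIEM article. EXPECTED_SOURCES, RECEIVED
and NOW are constructed values for illustration.
"""
from datetime import datetime, timedelta

# Sources the SIEM must hear from, each with the longest gap it is allowed
# before a KeepAlive alert fires (constructed; a busy firewall is expected
# to be chattier than a web server).
EXPECTED_SOURCES = {
    "dc01.corp.local": timedelta(minutes=5),
    "fw-edge": timedelta(minutes=1),
    "web01": timedelta(minutes=15),
    "vpn-gw": timedelta(minutes=5),
}

# Constructed stream of (timestamp, source) pairs as received by the collector.
RECEIVED = [
    (datetime(2021, 7, 6, 9, 0, 0), "dc01.corp.local"),
    (datetime(2021, 7, 6, 9, 0, 5), "fw-edge"),
    (datetime(2021, 7, 6, 9, 2, 0), "dc01.corp.local"),
    (datetime(2021, 7, 6, 9, 3, 30), "web01"),
    (datetime(2021, 7, 6, 9, 4, 0), "dc01.corp.local"),
    (datetime(2021, 7, 6, 9, 4, 10), "unknown-host"),   # never onboarded
]
NOW = datetime(2021, 7, 6, 9, 5, 0)


def last_seen(events):
    """Most recent timestamp per source, tolerating out-of-order delivery."""
    seen = {}
    for ts, src in events:
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def silent_sources(events, now, expected=EXPECTED_SOURCES):
    """Return {source: gap} for expected sources that are overdue.

    A source never seen at all maps to None so it is still reported; an
    alert keyed only on "last event older than X" would never fire for it.
    """
    seen = last_seen(events)
    silent = {}
    for src, allowance in expected.items():
        if src not in seen:
            silent[src] = None
        elif now - seen[src] > allowance:
            silent[src] = now - seen[src]
    return silent


def unexpected_sources(events, expected=EXPECTED_SOURCES):
    """Sources sending events without being in the expected set."""
    return sorted({src for _, src in events} - set(expected))


if __name__ == "__main__":
    for src, gap in silent_sources(RECEIVED, NOW).items():
        print(f"SILENT {src}: {'never seen' if gap is None else gap}")
    print("unexpected:", unexpected_sources(RECEIVED))
```

With the constructed stream, `fw-edge` is reported (last event almost five minutes ago against a one-minute allowance) and `vpn-gw` is reported as never seen, while `dc01.corp.local` and `web01` are inside their allowances. The unexpected-source list is the mirror-image check: a host that starts logging without being onboarded usually means a parser or a routing rule is missing for it.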

CSV to ActiveList

To bring external information into an ArcSight Active List, you have to build a custom FlexConnector, parse the data with it, and create a pre-persistence rule that adds the parsed information to the Active List.

Active List With Dynamic TTL

The CyberSIEM team has developed a tool that makes taking care of these exclusions as simple as creating an Active List.

Rules based on aggregate SUM

How to create a Data Monitor that collects the events from the last X time window and sums a quantity, and then a rule that uses the Data Monitor's audit events to check whether the value exceeds a specific threshold.

Contain from Active List

Have you ever wanted to create a rule that has the ‘Contain From Active List’ condition in ArcSight?
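The three Active List posts above (loading a list from CSV, giving each entry its own TTL, and testing the 'Contain From Active List' condition) all revolve around one data structure. The following is an added example that models it in plain Python; it is not CyberSIEM's tool and not the ArcSight API, and the CSV feed, the load time and the lookup times are constructed. Each row carries its own TTL in minutes, entries past their expiry are purged on lookup, and `matches()` plays the role of the rule condition.

```python
"""An Active List loaded from CSV, with per-entry TTL and a contains check.

Added example, not CyberSIEM's tool and not ArcSight's API. FEED_CSV and
LOADED_AT are constructed; ttl_minutes per row is the "dynamic TTL".
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed feed as an external source would deliver it. A blank
# ttl_minutes falls back to the list's default TTL.
FEED_CSV = """indicator,source,ttl_minutes
203.0.113.7,threat-feed,60
198.51.100.23,threat-feed,10
10.0.0.5,maintenance-exclusion,1440
"""
LOADED_AT = datetime(2021, 7, 6, 12, 0)


class ActiveList:
    def __init__(self, default_ttl=timedelta(hours=1)):
        self.default_ttl = default_ttl
        self._entries = {}   # key -> (fields, expires_at)

    def add(self, key, fields, now, ttl=None):
        """Insert or refresh `key`; the entry's own ttl wins over the default."""
        self._entries[key] = (fields, now + (ttl or self.default_ttl))

    def _purge(self, now):
        expired = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in expired:
            del self._entries[k]

    def contains(self, key, now):
        self._purge(now)
        return key in self._entries

    def get(self, key, now):
        self._purge(now)
        return self._entries.get(key, (None, None))[0]

    def __len__(self):
        return len(self._entries)


def load_csv(text, now, default_ttl=timedelta(hours=1)):
    """Parse the feed (the FlexConnector's job) and fill the list (the
    pre-persistence rule's job), one entry per row."""
    al = ActiveList(default_ttl)
    for row in csv.DictReader(io.StringIO(text)):
        ttl_raw = (row.get("ttl_minutes") or "").strip()
        ttl = timedelta(minutes=int(ttl_raw)) if ttl_raw else None
        al.add(row["indicator"], {"source": row["source"]}, now, ttl)
    return al


def matches(event_value, active_list, now):
    """The 'Contain From Active List' condition for one event field."""
    return active_list.contains(event_value, now)


def lookup_after(minutes, key, feed=FEED_CSV, loaded_at=LOADED_AT):
    """Load the feed at loaded_at and evaluate the condition `minutes` later."""
    al = load_csv(feed, loaded_at)
    return matches(key, al, loaded_at + timedelta(minutes=minutes))


if __name__ == "__main__":
    for minutes in (5, 11, 61):
        hits = [k for k in ("203.0.113.7", "198.51.100.23", "10.0.0.5")
                if lookup_after(minutes, k)]
        print(f"+{minutes:>3} min: still listed -> {hits}")
```

Five minutes after the load all three indicators match; after eleven minutes the ten-minute entry has expired while the others remain; after sixty-one minutes only the day-long maintenance exclusion is left. Purging on lookup rather than on a schedule means the condition never returns a stale match between housekeeping runs, which is the behaviour you want from an exclusion list.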