Grid Field – DB Entry Mirroring

Grid Field – DB Entry Mirroring This post is the second part of a two-part use case on Grid Fields in SOAR, written by our SOAR expert Ben Aviv. To read the first part, please click here. Some use cases require analysts to add or update external DB entries, for example blacklisting the incident offender […]

How to use a Grid Field

How to use a grid field In this post, our SOAR expert, Mr. Ben Aviv, will demonstrate how to use a grid field in XSOAR (Demisto). Working with grid fields is a daily activity in every SOC, so we intend to help you fully understand how to use and manage them. This post is one of the […]

Remote Code Execution Vulnerability CVE-2021-40444

About CVE-2021-40444 Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the […]

“It’s good to be the king” – is that so?


“It’s good to be the king” – is that so? In every kingdom you will find only one king. But as always, there are exceptions. In a modern technical environment there is more than one king, or in our case, more than one Administrator/Power user. Today, we can find more than one technical team […]

Advanced Linux threats Monitoring


In this article, we will discuss Unix/Linux’s standard monitoring capabilities and present CyberSIEM’s unique developments that expand and upgrade Linux monitoring. These capabilities are deployed in our customers’ monitored environments. TrendMicro’s article “A Look at Linux” discusses how Linux has become an attractive target for attackers, as well as how it […]

CVE-2021-34527 (CVE-2021-1675) PrintNightmare – Detection by SIEM Guide


Overview The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. (Source: https://www.kb.cert.org/vuls/id/383432) Guide to detect by SIEM: GPO: verify that the following event logs are enabled: Microsoft-Windows-SMBClient/Security, Microsoft-Windows-PrintService/Admin, Microsoft-Windows-PrintService/Operational. WEF: configure the WEF subscription […]
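To carry out the "verify the event logs are enabled" step on a single print server before the WEF subscription is set up, here is an added PowerShell example. It is not code from the CyberSIEM post: the three log names come from the excerpt above, while the seven-day look-back window and the filter on event ID 316 (the PrintService/Operational record written when a printer driver is added or updated, which is what a call to RpcAddPrinterDriverEx() produces) are assumptions added here.

```powershell
# Added example, not part of the original post. Run elevated on the host being
# checked (PowerShell 5.1 or later). Verifies the logs the guide relies on,
# enables any that are off, then lists recent driver-add events for triage.

$RequiredLogs = @(
    'Microsoft-Windows-SMBClient/Security',
    'Microsoft-Windows-PrintService/Admin',
    'Microsoft-Windows-PrintService/Operational'
)

foreach ($name in $RequiredLogs) {
    # Get-WinEvent -ListLog returns an EventLogConfiguration object whose
    # IsEnabled property can be set and persisted with SaveChanges().
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Log '$name' not found on this host"
        continue
    }
    if ($log.IsEnabled) {
        Write-Host "[ok]     $name (max size $($log.MaximumSizeInBytes) bytes)"
    } else {
        Write-Host "[enable] $name"
        $log.IsEnabled = $true
        $log.SaveChanges()   # requires administrator rights
    }
}

# Assumption: event ID 316 in PrintService/Operational records a printer driver
# being added or updated. Review any entry whose driver name or path is
# unexpected, in particular drivers loaded from a UNC share.
$since = (Get-Date).AddDays(-7)   # look-back window chosen for this example
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Enabling the log locally only proves the source is producing events; the collector still has to receive them, so after this runs, confirm that the WEF subscription on the collector lists PrintService/Operational and that events from this host actually arrive in the forwarded log before relying on the SIEM rule.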

CVE-2020-16898 – Bad Neighbor – Monitoring By SIEM


CVE-2020-16898 – Bad Neighbor SIEM Content Packages A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. An attacker would have to send specially crafted ICMPv6 Router Advertisement […]

CVE-2019-0708 – BlueKeep – Monitoring By SIEM


CVE-2019-0708 BlueKeep – SIEM Content Packages BlueKeep is a critical vulnerability that allows an attacker to send malicious packets to a vulnerable target over RDP and remotely execute commands with elevated privileges. The vulnerability is triggered before authentication and does not require any user interaction, which is what makes it so critical. This vulnerability affects these OS […]

CVE-2020-1350 – SigRed – Monitoring By SIEM

SIEM Content Packages For CVE-2020-1350 – SigRed By CyberSIEM “SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, […]

CVE-2020-1472 – ZeroLogon – Monitoring by SIEM

SIEM Content Packages For CVE-2020-1472 – ZeroLogon By CyberSIEM As you know, one of the most critical vulnerabilities of recent times has just been published: ZeroLogon. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege […]