Detection Opportunities

PODCAST · technology

Detection Opportunities is a podcast for security professionals who care about building resilient detection and response systems. Each episode explores real-world attacks, breaks down how signals become insights, and dives into the engineering mindset behind effective threat detection, investigation, and defense. Grounded in frontline experience across SIEM development, security operations, incident response, and threat hunting, this show brings a practical, systems-level lens to modern security engineering.

  1. 9

    Detection-as-Code & CI/CD in Detection Engineering with Dennis Chow | EP. 9

    Detection as Code is one of the most important evolutions in modern security detection, and in this video, we break it down. I first encountered this concept as a Cloud Threat Detection Engineer at Datadog. Today, I’m joined by Dennis Chow, a Detection Engineering specialist and author of Automating Security Detection Engineering (which I had the honor of technically reviewing). Together, we explore what Detection as Code really means and walk through two hands-on CI/CD pipeline demos:

    🔹 Lab 1: Building SIEM detections with synthetic AI testing using Sumo Logic
    🔹 Lab 2: Policy-as-Code integration testing with Cloud Custodian on GCP

    You’ll learn how Detection as Code leverages Git, automated testing, reproducibility, collaboration, and CI/CD to make detection engineering more scalable, accountable, and reliable.

    Dennis' Blog · Dennis' GitHub · Dennis' LinkedIn

    📁 RESOURCES:
    → GitHub repo for lab 1
    → GitHub repo for lab 2
    → Dennis’ book
    → My book review
    → Our podcast episode together

    ⚡️ JOIN 6,000+ CWX MEMBERS ON DISCORD
    📰 SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER
    🥶 CYBERWOX MERCH

    🧬 CYBERWOX RESOURCES
    🔹 Cyberwox Cybersecurity Notion Templates for planning your career
    🔹 Cyberwox Best Entry-Level Cybersecurity Resume Template
    🔹 Learn AWS Threat Detection with my LinkedIn Learning Course

    📱 LET'S CONNECT
    → IG → Threads → Substack → Twitter → LinkedIn → TikTok
    Email: [email protected]

    ⚠️ DISCLAIMER: This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!
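
The pipeline pattern this episode describes (rules kept in Git, synthetic positive and negative events kept beside them, CI refusing to merge a rule that fails its tests or has none) in miniature, as an added Python example that is not code from the episode, this page, or Dennis Chow's lab repositories. The rule format, both rules, the CloudTrail-shaped sample events and the coverage policy are constructed for illustration; Sumo Logic's own rule language and test tooling are not reproduced.

```python
"""Detection-as-code in miniature: rules as data, tests as data, CI as the gate.

Added example; not code from the episode, the page, or the lab repositories.
The rule format, both rules, the CloudTrail-shaped sample events and the
coverage policy are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Any

Event = dict[str, Any]


@dataclass(frozen=True)
class Rule:
    """One detection. All conditions must hold (AND); a condition value is a
    glob, or a list of globs of which one must match (OR). Would live in rules/*.yml."""
    name: str
    severity: str
    conditions: dict[str, str | list[str]]
    tactic: str = "unknown"


@dataclass(frozen=True)
class RuleTest:
    """A synthetic event and the verdict the rule must give it. Would live in tests/*.yml."""
    rule: str
    event: Event
    expect_match: bool


def _get(event: Event, dotted: str) -> Any:
    """Resolve 'userIdentity.type' through nested dicts; None if any hop is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(rule: Rule, event: Event) -> bool:
    for path, pattern in rule.conditions.items():
        value = _get(event, path)
        if value is None:
            return False
        globs = pattern if isinstance(pattern, list) else [pattern]
        if not any(fnmatchcase(str(value), g) for g in globs):
            return False
    return True


RULES = [
    Rule("aws_iam_user_created_by_assumed_role", "high",
         {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity.type": "AssumedRole"},
         tactic="persistence"),
    Rule("aws_cloudtrail_logging_stopped", "critical",
         {"eventSource": "cloudtrail.amazonaws.com", "eventName": ["StopLogging", "DeleteTrail"]},
         tactic="defense-evasion"),
]


def _ct(source: str, name: str, identity_type: str) -> Event:
    """Constructed CloudTrail-shaped event carrying only the fields the rules read."""
    return {"eventSource": source, "eventName": name, "userIdentity": {"type": identity_type}}


TESTS = [   # policy: every rule needs at least one expected hit and one expected miss
    RuleTest("aws_iam_user_created_by_assumed_role", _ct("iam.amazonaws.com", "CreateUser", "AssumedRole"), True),
    RuleTest("aws_iam_user_created_by_assumed_role", _ct("iam.amazonaws.com", "CreateUser", "IAMUser"), False),
    RuleTest("aws_cloudtrail_logging_stopped", _ct("cloudtrail.amazonaws.com", "DeleteTrail", "IAMUser"), True),
    RuleTest("aws_cloudtrail_logging_stopped", _ct("cloudtrail.amazonaws.com", "StartLogging", "IAMUser"), False),
]


def run_tests(rules: list[Rule], tests: list[RuleTest]) -> dict[str, list[str]]:
    """Return {"failures": [...], "uncovered": [...]}; CI fails the merge if either is non-empty."""
    by_name = {r.name: r for r in rules}
    coverage = {name: {True: 0, False: 0} for name in by_name}
    failures: list[str] = []
    for t in tests:
        rule = by_name.get(t.rule)
        if rule is None:
            failures.append(f"{t.rule}: test references a rule that does not exist")
            continue
        coverage[t.rule][t.expect_match] += 1
        got = matches(rule, t.event)
        if got != t.expect_match:
            failures.append(f"{t.rule}: expected match={t.expect_match}, got {got}")
    uncovered = sorted(n for n, c in coverage.items() if c[True] == 0 or c[False] == 0)
    return {"failures": failures, "uncovered": uncovered}


def ci_gate(rules: list[Rule] = RULES, tests: list[RuleTest] = TESTS) -> bool:
    report = run_tests(rules, tests)
    return not report["failures"] and not report["uncovered"]


if __name__ == "__main__":
    print(run_tests(RULES, TESTS))
    raise SystemExit(0 if ci_gate() else 1)
```

The exit code is the whole point: a CI job runs this file on every pull request, so a rule whose glob was fat-fingered, or that was committed without a negative case, never reaches the SIEM. Swapping `matches` for a call to the real SIEM's query API turns the same test data into the integration test the episode's Lab 1 performs.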

  2. 8

    Applying AI, LLMs & Prompt Engineering for Threat Detection with Dylan Williams | EP. 8

    Visit my sponsor to view the current average annual salary for a Cybersecurity degree and learn how to get started.

    I had the pleasure of hosting Dylan Williams and we explored how AI can be applied in cybersecurity, focusing on threat detection. We also examined how his project, D.I.A.N.A., turns threat intelligence reports into actual detections.

    Connect with Dylan · Dylan's Resource on Applying LLMs & GenAI to Cybersecurity · Dylan's Medium · D.I.A.N.A. Project · D.I.A.N.A. App

    TIMESTAMPS
    00:00 Intro
    01:39 Dylan's Background
    02:40 How Dylan started exploring AI
    03:07 SNHU
    04:36 Dylan's ChatGPT Moment
    06:22 Training LLMs for Cybersecurity
    09:53 Updating LLMs
    14:27 D.I.A.N.A. - Detection and Intelligence Analysis for New Alerts
    17:07 Going from Threat Intelligence to Threat Detection
    32:02 Getting started with LLMs & Gen AI for Cybersecurity
    33:55 Connect with Dylan
    35:12 Outro

  3. 7

    Get-RoleGroup - Detecting Attacker Enumeration in Microsoft 365 Exchange with Purav Desai | EP. 7

    Visit my sponsor to view the current average annual salary for a Cybersecurity degree and learn how to get started.

    Purav's LinkedIn · Deciphering UAL · Exchange Admin Audit Logging · Office 365 Management Activity API · Connect-IPPSSession

    TIMESTAMPS:
    00:00 Intro
    00:36 Get-RoleGroup Operation
    01:37 Enumeration is not logged??
    05:53 SNHU
    07:22 Using the Security Compliance Center EOPCmdlet
    08:54 Abusing Purview Compliance & E-Discovery
    10:21 Useful Log Fields & Key Fields of Note
    12:48 Attack Demo
    14:45 Fields to Decipher
    15:51 How To Detect/Analyse
    17:59 Get-RoleGroupMember
    19:39 Useful Log Fields
    20:30 Attack Demo
    23:01 Segmentation Of Behaviors
    23:57 Connect-IPPSSession
    26:07 Final Thoughts
    27:40 Outro

  4. 6

    Add-RoleGroupMember - Detecting Persistence in Microsoft 365 Exchange with Purav Desai | EP. 6

    Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. In today's episode, we explore the Add-RoleGroupMember operation in Exchange Online.

    Purav's LinkedIn · Deciphering UAL · Microsoft Application IDs · Permission Alert Policy

    TIMESTAMPS:
    00:00 Intro
    00:48 Add-RoleGroupMember Overview
    03:22 The Result Status
    04:53 The Application IDs
    08:59 Key Fields of Note
    10:39 Fields to Decipher
    20:14 Detection - Permission Alert Policies
    23:18 Custom Alerting
    24:32 Final Thoughts
    25:39 Outro

  5. 5

    New-RoleGroup - Detecting Privilege Escalation in Microsoft 365 with Purav Desai | EP. 5

    Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder.

    Purav's LinkedIn · Deciphering UAL · Learn about auditing solutions in Microsoft Purview

    TIMESTAMPS
    00:00 Intro
    00:20 Deciphering New-RoleGroup
    09:06 Key Fields
    10:11 Deciphering with Exchange Online PowerShell
    13:42 Detection Opportunities
    16:16 SIEM & Attacker Tactics
    21:43 Outro
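
The three Exchange Online role-group operations that EP. 5, 6 and 7 take apart (New-RoleGroup as privilege escalation, Add-RoleGroupMember as persistence, Get-RoleGroup and Get-RoleGroupMember as enumeration) triaged out of UAL records, as an added Python example that is not code from the episodes, the Deciphering UAL project, or Microsoft. The record layout follows the AuditData JSON of Exchange admin audit records (Operation, ResultStatus, UserId, ClientIP, AppId, and Parameters as Name/Value pairs); the sensitive-role and privileged-group watchlists, the app-ID allowlist, the burst threshold and the sample records are constructed assumptions to adapt per tenant. EP. 7's "Enumeration is not logged??" segment is the standing caveat: the enumeration rule can only fire on records the tenant actually produces.

```python
"""Triage Exchange Online role-group operations from Unified Audit Log (UAL) records.

Added example; not from the episodes, the Deciphering UAL project, or Microsoft.
Record layout mirrors the AuditData JSON of Exchange admin audit records. The
watchlists, app-ID allowlist, burst threshold and sample records are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any

# Built-in Exchange roles and role groups that hand out broad mailbox or permission control (assumed watchlist).
SENSITIVE_ROLES = {"Mailbox Import Export", "Mailbox Search", "Role Management", "ApplicationImpersonation"}
PRIVILEGED_GROUPS = {"Organization Management", "Discovery Management", "Compliance Management"}
ENUM_OPERATIONS = {"Get-RoleGroup", "Get-RoleGroupMember"}


def param(record: dict[str, Any], name: str) -> str | None:
    """Cmdlet arguments are stored as Parameters: [{"Name": ..., "Value": ...}, ...]."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def split_multi(value: str | None) -> set[str]:
    """Multi-valued arguments arrive as one ';'-joined string (assumption about the export)."""
    return {v.strip() for v in (value or "").split(";") if v.strip()}


def triage_record(rec: dict[str, Any], allowed_app_ids: set[str]) -> dict[str, Any] | None:
    """Score one write operation; None for operations this triage does not cover."""
    op = rec.get("Operation")
    base: dict[str, Any] = {"time": rec["CreationTime"], "user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                            "operation": op, "succeeded": str(rec.get("ResultStatus")) == "True"}
    if op == "New-RoleGroup":                       # EP. 5: a fresh group carrying powerful roles
        roles = split_multi(param(rec, "Roles"))
        hit = roles & SENSITIVE_ROLES
        base.update(tactic="privilege-escalation", group=param(rec, "Name"),
                    severity="high" if hit else "medium", detail=sorted(hit or roles))
    elif op == "Add-RoleGroupMember":               # EP. 6: a foothold inside an existing privileged group
        group = param(rec, "Identity")
        base.update(tactic="persistence", group=group, member=param(rec, "Member"),
                    severity="high" if group in PRIVILEGED_GROUPS else "low")
    else:
        return None
    if not base["succeeded"]:                       # EP. 6's ResultStatus: a denied attempt is still a probe
        base.update(severity="medium", detail="failed attempt")
    app_id = rec.get("AppId")                       # EP. 6's application IDs: which client issued the cmdlet
    if app_id and app_id not in allowed_app_ids:
        base["unexpected_app_id"] = app_id
    return base


def enumeration_bursts(records, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """EP. 7: the same user issuing >= threshold Get-RoleGroup* calls inside one window."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        if rec.get("Operation") in ENUM_OPERATIONS:
            by_user[rec.get("UserId")].append(datetime.fromisoformat(rec["CreationTime"]))
    findings = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"tactic": "discovery", "user": user, "count": len(times),
                                 "start": times[i].isoformat(), "severity": "medium"})
                break
    return findings


def triage(records, allowed_app_ids=frozenset()):
    findings = [f for rec in records if (f := triage_record(rec, set(allowed_app_ids)))]
    return findings + enumeration_bursts(records)


def _rec(t, op, user, params, result="True", app_id="app-id-exo-powershell"):
    """Constructed UAL record carrying the fields this triage reads."""
    return {"CreationTime": t, "Operation": op, "Workload": "Exchange", "RecordType": 1,
            "ResultStatus": result, "UserId": user, "ClientIP": "203.0.113.7", "AppId": app_id,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00", "Get-RoleGroup", "mallory@contoso.example", {}),
    _rec("2024-05-01T10:01:10", "Get-RoleGroup", "mallory@contoso.example", {"Identity": "Organization Management"}),
    _rec("2024-05-01T10:02:05", "Get-RoleGroupMember", "mallory@contoso.example", {"Identity": "Organization Management"}),
    _rec("2024-05-01T10:05:00", "New-RoleGroup", "mallory@contoso.example",
         {"Name": "Helpdesk Ops", "Roles": "Mailbox Import Export;Mail Recipients", "Members": "svc-backup@contoso.example"}),
    _rec("2024-05-01T10:06:30", "Add-RoleGroupMember", "mallory@contoso.example",
         {"Identity": "Organization Management", "Member": "svc-backup@contoso.example"}, app_id="unknown-app"),
    _rec("2024-05-01T11:00:00", "Add-RoleGroupMember", "helpdesk@contoso.example",
         {"Identity": "Help Desk", "Member": "jdoe@contoso.example"}),
    _rec("2024-05-01T11:30:00", "Add-RoleGroupMember", "intern@contoso.example",
         {"Identity": "Discovery Management", "Member": "intern@contoso.example"}, result="False"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, {"app-id-exo-powershell"}):
        print(finding)
```

Feed it the AuditData objects returned by Search-UnifiedAuditLog (or the Office 365 Management Activity API) after JSON-decoding each one; the point of keeping the three rules in one pass is that the EP. 5 and EP. 6 findings for the same UserId within minutes of an EP. 7 burst is the sequence an attacker leaves, and a SIEM correlation on `user` reconstructs it.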

  6. 4

    Microsoft 365 Forensics & Incident Response with Purav Desai | EP. 4

    Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder.

    Purav's LinkedIn · Deciphering UAL · Learn about auditing solutions in Microsoft Purview

    TIMESTAMPS
    00:00 Intro
    00:49 Microsoft 365 Auditing
    04:43 The Deciphering UAL Project
    07:55 Accessing Purview Audit
    17:41 Outro

  7. 3

    Attack & Detection of a Cloud Security Breach with 0xd4y | EP. 3

    This episode covers an attack scenario very similar to the one that led to the breach of the US bank Capital One. @0xd4y goes over the attack scenario using CloudGoat by Rhino Security Labs, and I detect his activities using AWS CloudTrail Lake.

    🧬 VIDEO RESOURCES
    🔹 Segev's YouTube Channel: @0xd4y
    🔹 Segev's walkthrough
    🔹 Former AWS engineer convicted over hack that cost Capital One $270m
    🔹 CloudGoat
    🔹 Instance Metadata
    🔹 Sneaky Endpoints
    🔹 AWSealion
    🔹 GuardDuty Findings
    🔹 CloudTrail Lake

    ⏰ TIMESTAMPS
    00:00 Intro
    00:34 Attack Scenario
    00:51 Key Terminology
    01:41 Cloud Attack Walkthrough - CloudGoat
    10:06 Attack Detection Walkthrough - CloudTrail Lake
    13:44 Remediation & Final Thoughts

  8. 2

    The Anatomy of a Google Cloud (GCP) Cryptomining Attack | EP. 2

    GCP Service Accounts are interesting cloud identities. Let's review how they contributed to a Cryptocurrency Mining Attack in this case.

    🧬 EPISODE RESOURCES
    🔹 How A Compromised AWS Lambda Function Led to a Phishing Attack
    🔹 GCP Lateral Movement & PrivEsc
    🔹 GCP Service Accounts
    🔹 DEFCON 30 Cloud Village - Weather Proofing GCP Defaults
    🔹 GCP IAM basic and predefined roles reference

    ⏰ TIMESTAMPS
    00:00 How GCP Service Accounts Work
    02:12 Initial Access - Stolen Service Account Credentials
    02:52 Attack Flow
    03:33 Privilege Escalation - Permission Upgrades
    03:50 Detection Opportunity 1
    04:04 Defense Evasion - Firewall Rule Modification
    05:19 Detection Opportunity 2
    05:38 1,600 VMs created during attack
    05:51 Persistence - New Token Creations
    06:16 Final Thoughts
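
The chain the timestamps lay out (stolen service-account credentials, a permission upgrade, a firewall rule change, a burst of VM creations, new key or token creation) staged from Cloud Audit Log Admin Activity entries, as an added Python example that is not code from the episode or Google. The methodName strings are the ones Admin Activity logs carry for these operations, but the request payload layout, the expected caller CIDR, the role watchlist, the burst threshold and the sample entries are constructed assumptions to verify against a real project's logs.

```python
"""Stage a GCP service-account cryptomining chain from Cloud Audit Log (Admin Activity) entries.

Added example; not from the episode or Google. Maps EP. 2's timeline: stolen
service-account credentials -> permission upgrade (SetIamPolicy) -> firewall
rule change -> VM creation burst -> new keys/tokens. methodName values are those
of Admin Activity logs; request layout, CIDR, thresholds and samples are constructed.
"""
from __future__ import annotations
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any

EXPECTED_CALLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]      # assumed CI/CD egress for these SAs
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin", "roles/iam.securityAdmin"}
METHOD_STAGE = {
    "SetIamPolicy": "privilege-escalation",
    "v1.compute.firewalls.insert": "defense-evasion",
    "v1.compute.firewalls.patch": "defense-evasion",
    "v1.compute.instances.insert": "impact",
    "google.iam.admin.v1.CreateServiceAccountKey": "persistence",
    "GenerateAccessToken": "persistence",
}
VM_BURST = (20, timedelta(minutes=10))      # >= 20 instances.insert inside 10 minutes (assumed threshold)


def principal(entry): return entry["protoPayload"]["authenticationInfo"]["principalEmail"]
def method(entry): return entry["protoPayload"]["methodName"]
def when(entry): return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def self_grant(entry) -> set[str]:
    """Broad roles in the submitted policy that bind the caller itself (EP. 2's 'permission upgrade')."""
    me = principal(entry)
    bindings = entry["protoPayload"].get("request", {}).get("policy", {}).get("bindings", [])
    return {b["role"] for b in bindings
            if b.get("role") in BROAD_ROLES and any(m.endswith(me) for m in b.get("members", []))}


def vm_burst(times, threshold: int = VM_BURST[0], window: timedelta = VM_BURST[1]) -> bool:
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1))


def analyze(entries: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Group entries per service account; report principals that show two or more chain stages."""
    per: dict[str, dict[str, Any]] = defaultdict(
        lambda: {"stages": defaultdict(int), "vm_times": [], "external_ips": set(), "self_granted": set()})
    for e in entries:
        p, m = principal(e), method(e)
        if not p.endswith(".iam.gserviceaccount.com"):
            continue                                  # the episode's focus: service-account identities
        rec = per[p]
        ip = e["protoPayload"].get("requestMetadata", {}).get("callerIp", "")
        try:
            if not any(ipaddress.ip_address(ip) in n for n in EXPECTED_CALLER_NETS):
                rec["external_ips"].add(ip)           # initial access from somewhere the SA never calls from
        except ValueError:
            pass                                      # "private" or empty callerIp on some entries
        if m == "SetIamPolicy":
            granted = self_grant(e)
            if not granted:
                continue                              # a policy write that does not upgrade the caller
            rec["self_granted"] |= granted
        elif m == "v1.compute.instances.insert":
            rec["vm_times"].append(when(e))
        if m in METHOD_STAGE:
            rec["stages"][METHOD_STAGE[m]] += 1
    findings = []
    for p, rec in per.items():
        signals = set(rec["stages"])
        if "impact" in signals and not vm_burst(rec["vm_times"]):
            signals.discard("impact")                 # a few VMs is routine; 1,600 in minutes is not
        if rec["external_ips"]:
            signals.add("initial-access")
        if len(signals) >= 2:
            findings.append({"principal": p, "signals": sorted(signals), "vm_count": len(rec["vm_times"]),
                             "self_granted": sorted(rec["self_granted"]),
                             "external_ips": sorted(rec["external_ips"]),
                             "severity": "critical" if len(signals) >= 3 else "high"})
    return findings


def _entry(t, sa, m, ip="198.51.100.5", resource="", request=None):
    """Constructed Admin Activity entry carrying the fields this analysis reads."""
    return {"timestamp": t, "protoPayload": {"authenticationInfo": {"principalEmail": sa}, "methodName": m,
            "resourceName": resource, "requestMetadata": {"callerIp": ip}, "request": request or {}}}


SA = "deploy-bot@victim-proj.iam.gserviceaccount.com"
SAMPLE_ENTRIES = (
    [_entry("2024-05-01T10:00:00Z", SA, "SetIamPolicy", resource="projects/victim-proj",
            request={"policy": {"bindings": [{"role": "roles/editor", "members": [f"serviceAccount:{SA}"]}]}}),
     _entry("2024-05-01T10:01:00Z", SA, "v1.compute.firewalls.insert",
            resource="projects/victim-proj/global/firewalls/allow-all-egress")]
    + [_entry(f"2024-05-01T10:0{2 + i // 30}:{i % 30:02d}Z", SA, "v1.compute.instances.insert",
              resource=f"projects/victim-proj/zones/us-central1-a/instances/miner-{i:03d}") for i in range(60)]
    + [_entry("2024-05-01T10:05:00Z", SA, "google.iam.admin.v1.CreateServiceAccountKey",
              resource=f"projects/-/serviceAccounts/{SA}"),
       # routine: a CI service account creating two VMs from its expected egress
       _entry("2024-05-01T10:30:00Z", "ci@victim-proj.iam.gserviceaccount.com", "v1.compute.instances.insert", ip="203.0.113.9"),
       _entry("2024-05-01T10:31:00Z", "ci@victim-proj.iam.gserviceaccount.com", "v1.compute.instances.insert", ip="203.0.113.9")]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_ENTRIES):
        print(finding)
```

Two design choices carry the signal. A SetIamPolicy only counts when the caller grants a broad role to itself, which is the permission upgrade the episode's Detection Opportunity 1 points at and is rare in legitimate automation; and instance creation only counts as impact above a rate, so the CI account creating two VMs from its expected egress produces nothing while sixty in ninety seconds does.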

  9. 1

    How A Compromised AWS Lambda Function Led to a Phishing Attack | EP. 1

    In this video, I’ll be going over detection opportunities at various stages of cloud security attacks.

    Compromised Cloud Compute Credentials: Case Studies From the Wild

    TIMESTAMPS
    00:00 Intro
    00:40 The Attack Case
    02:12 The Attack Graph
    02:44 The Attack Flow
    03:06 Detection Opportunity 1: Enumeration/Reconnaissance/Discovery - Cloud Infrastructure Discovery
    05:27 Detection Opportunity 2: Persistence - Create Cloud Account
    08:19 Detection Opportunity 3: Impact - Resource Hijacking
    09:54 Detection Opportunity 4: Defense Evasion - Indicator Removal
    10:23 Detection Opportunity 5: Credential Access - Stealing an application access token
    12:04 Conclusion
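
The detection EP. 3 performs in CloudTrail Lake and the staged opportunities EP. 1 walks through share one root signal: a compute role's credentials (an EC2 instance profile pulled from the instance metadata service in the Capital One-style scenario, a Lambda execution role in EP. 1) being used from somewhere the workload never calls from. The added Python example below, which is not code from the episodes, CloudGoat, or AWS, finds that signal in CloudTrail events and then lines up the session's follow-on calls by stage in the order EP. 1 lists them. The userIdentity layout (type AssumedRole, the instance ID or function name as session name, sessionContext.ec2RoleDelivery when IMDS issued the credentials) is CloudTrail's; the egress CIDR allowlist, the role names, the stage table and the sample events are constructed, and SES as the phishing channel is an assumption suggested by EP. 1's title, not something the page states.

```python
"""Compute-role credentials used from outside the workload, staged from CloudTrail events.

Added example; not code from the episodes, CloudGoat, or AWS. The userIdentity
layout is CloudTrail's (type AssumedRole, session name = instance ID or function
name, sessionContext.ec2RoleDelivery when IMDS issued the credentials). The
egress allowlist, role names, stage table and sample events are constructed.
"""
from __future__ import annotations
import ipaddress
from collections import defaultdict
from typing import Any

# Where each compute role's credentials are expected to call AWS from (assumed inventory:
# the NAT gateway addresses of the VPC the instance and the function live in).
EXPECTED_EGRESS = {
    "web-instance-role": [ipaddress.ip_network("203.0.113.0/24")],
    "report-lambda-role": [ipaddress.ip_network("203.0.113.0/24")],
}

# stage -> eventSource -> eventName prefixes, in the order EP. 1 walks the opportunities.
# SES as the phishing channel is an assumption, not stated on the page.
STAGES = {
    "discovery": {"s3.amazonaws.com": ("ListBuckets", "ListObjects", "GetBucket"),
                  "iam.amazonaws.com": ("List", "Get"), "ec2.amazonaws.com": ("Describe",)},
    "persistence": {"iam.amazonaws.com": ("CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy")},
    "collection": {"s3.amazonaws.com": ("GetObject",)},
    "impact": {"ec2.amazonaws.com": ("RunInstances",), "ses.amazonaws.com": ("SendEmail", "SendRawEmail")},
    "defense-evasion": {"cloudtrail.amazonaws.com": ("StopLogging", "DeleteTrail", "PutEventSelectors"),
                        "guardduty.amazonaws.com": ("DeleteDetector", "UpdateDetector")},
}


def session_key(event: dict[str, Any]) -> str | None:
    """'role-name/session-name' for assumed-role calls; None for users, root and service principals."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole" or ":assumed-role/" not in ident.get("arn", ""):
        return None
    return ident["arn"].split(":assumed-role/", 1)[1]


def stage_of(event: dict[str, Any]) -> str | None:
    src, name = event.get("eventSource", ""), event.get("eventName", "")
    for stage, table in STAGES.items():
        if name.startswith(table.get(src, ())):
            return stage
    return None


def ip_outside(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # "ec2.amazonaws.com", "AWS Internal": service-originated, not a client address
        return False
    return not any(addr in n for n in nets)


def analyze(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One finding per tracked compute-role session seen calling from outside its egress,
    carrying everything that session did from outside, lined up by stage."""
    exfil: dict[str, dict[str, Any]] = {}
    timeline: dict[str, list] = defaultdict(list)
    for ev in events:
        key = session_key(ev)
        if key is None:
            continue
        nets = EXPECTED_EGRESS.get(key.split("/", 1)[0])
        if nets is None or not ip_outside(ev.get("sourceIPAddress", ""), nets):
            continue                                   # untracked role, or the workload calling normally
        ctx = ev["userIdentity"].get("sessionContext", {})
        exfil.setdefault(key, {"first_seen": ev["eventTime"], "source_ip": ev["sourceIPAddress"],
                               "imds_delivered": "ec2RoleDelivery" in ctx})
        if (stage := stage_of(ev)):
            timeline[key].append((ev["eventTime"], stage, ev["eventName"]))
    findings = []
    for key, info in exfil.items():
        stages = sorted({s for _, s, _ in timeline[key]}, key=list(STAGES).index)
        findings.append({"session": key, **info, "stages": stages, "timeline": timeline[key],
                         "severity": "critical" if {"persistence", "defense-evasion"} & set(stages) else "high"})
    return findings


def _ev(t, src, name, ip, role, session, imds=True):
    """Constructed CloudTrail event carrying the fields this detection reads."""
    ctx: dict[str, Any] = {"sessionIssuer": {"type": "Role", "userName": role}}
    if imds:
        ctx["ec2RoleDelivery"] = "2.0"                 # set when the instance fetched the credentials via IMDSv2
    return {"eventTime": t, "eventSource": src, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "sessionContext": ctx,
                             "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}"}}


WEB, FN = ("web-instance-role", "i-0abc123def4567890"), ("report-lambda-role", "monthly-report")
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:58:00Z", "s3.amazonaws.com", "GetObject", "203.0.113.10", *WEB),        # routine, via NAT
    _ev("2024-05-01T10:00:00Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.23", *WEB),     # same creds, attacker host
    _ev("2024-05-01T10:00:30Z", "s3.amazonaws.com", "GetObject", "198.51.100.23", *WEB),
    _ev("2024-05-01T10:02:00Z", "iam.amazonaws.com", "CreateUser", "198.51.100.23", *WEB),
    _ev("2024-05-01T10:02:05Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.23", *WEB),
    _ev("2024-05-01T10:05:00Z", "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.23", *WEB),
    _ev("2024-05-01T10:10:00Z", "iam.amazonaws.com", "ListUsers", "198.51.100.77", *FN, imds=False),   # EP. 1-style
    _ev("2024-05-01T10:11:00Z", "iam.amazonaws.com", "CreateUser", "198.51.100.77", *FN, imds=False),
    _ev("2024-05-01T10:12:00Z", "ses.amazonaws.com", "SendEmail", "198.51.100.77", *FN, imds=False),
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.99", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The same logic expressed as a CloudTrail Lake query is a filter on `userIdentity.type = 'AssumedRole'` and `sourceIPAddress` outside the known egress, grouped by `userIdentity.arn`; the Python version is here so the staging step, which a single query does not give you, is visible. The one row that matters for the Capital One-style case is `imds_delivered`, because credentials an instance fetched from IMDS have no business appearing with a foreign source address at all.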

HOSTED BY

CYBERWOX
