Keeping an eye out for new detection content
In a previous post I’ve spoken about aggregation of all my sources of information and storing the important bits automatically.
In this post I want to point you towards some great resources to monitor, apart from the many smart people on Twitter, whom you should definitely follow as well. These will help you develop your detection capabilities a lot quicker, building on research done by a lot of smart people. Obviously not everything can simply be enabled to alert immediately. Always validate, test and tailor the rules to your environment, and assess the logic for its applicability: the same logic used in a threat hunt, a forensic investigation or an alerting detection rule clearly has different expected results.
I’m starting to map the sources I monitor in the following Git repository:
Fortunately you don’t have to F5 all these websites manually on a daily basis; as mentioned before, I use Feedly for this.
Most blogs are easy to follow through the RSS feeds they provide. GitHub also has this feature, albeit a bit hidden.
When looking at a repository you want to monitor, you can click the Watch button, which, based on your preferences, will email you or notify you on the website. I don’t like this approach and want to do this from Feedly, so here is another way.
Let’s use the example of https://github.com/olafhartong/sysmon-modular. In this case monitoring the root of the repo makes the most sense, since there are multiple interesting subfolders to keep track of. Adding /commits/master.atom to the URL gives you an RSS (Atom) feed to monitor in your reader. The resulting URL will look like this: https://github.com/olafhartong/sysmon-modular/commits/master.atom
Should you only want to monitor a subdirectory, the process is the same. In the case of Atomic Red Team only the atomics might be relevant to track; in that case insert the path before the .atom suffix, like this: https://github.com/redcanaryco/atomic-red-team/commits/master/atomics.atom
Following these commits will give you the commit messages, which not all developers are very descriptive with, myself included sometimes. Still, you’re one click away from the actual content, which will help you quite a lot.
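If you would rather script this than rely on a reader, the following is an added example (not from the original post) that builds the GitHub commit feed URLs described above and parses a commit Atom feed to find entries newer than the last one you processed. The feed document, the repository name and the commit URLs in it are constructed sample data, not fetched from GitHub.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

def commits_feed_url(repo, branch="master", subdir=None):
    """Build the Atom URL GitHub exposes for a repo's commit history.
    repo is "owner/name"; subdir (optional) narrows the feed to one path,
    matching the /commits/<branch>/<path>.atom pattern from the post."""
    url = f"https://github.com/{repo}/commits/{branch}"
    if subdir:
        url += "/" + quote(subdir.strip("/"))
    return url + ".atom"

def parse_commit_feed(atom_xml):
    """Return (title, link, updated) for each <entry> in a commit feed.
    The title is the first line of the commit message; link is the commit page."""
    root = ET.fromstring(atom_xml)
    entries = []
    for entry in root.findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS).strip()
        link_el = entry.find("atom:link", ATOM_NS)
        link = link_el.get("href", "") if link_el is not None else ""
        updated = entry.findtext("atom:updated", default="", namespaces=ATOM_NS)
        entries.append((title, link, updated))
    return entries

def new_since(entries, last_seen):
    """Keep only entries updated after last_seen (ISO-8601 UTC, 'Z' suffix).
    Same-format timestamps compare correctly as strings."""
    return [e for e in entries if e[2] > last_seen]

# Constructed sample feed (hypothetical repo and commit ids) so this runs offline.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Recent Commits to example-rules:master</title>
  <entry>
    <title>Add detection rule for new technique</title>
    <link rel="alternate" type="text/html" href="https://github.com/example/example-rules/commit/0000000"/>
    <updated>2020-01-02T10:00:00Z</updated>
  </entry>
  <entry>
    <title>Update README</title>
    <link rel="alternate" type="text/html" href="https://github.com/example/example-rules/commit/1111111"/>
    <updated>2020-01-01T09:00:00Z</updated>
  </entry>
</feed>"""

if __name__ == "__main__":
    print(commits_feed_url("olafhartong/sysmon-modular"))
    for title, link, updated in new_since(parse_commit_feed(SAMPLE_FEED), "2020-01-01T12:00:00Z"):
        print(updated, title, link)
```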