lil_lost · @lil_lost
639 followers · 1200 posts · Server infosec.exchange

Say you have a well managed SIEM and a functional SOAR but with few integrations at this time. What open source tools or tools from potential existing products would you build or like to have to let your SOC be more efficient?

#soc #soclife

Last updated 3 years ago

Axi0kers0s 👾 · @axi0kers0s
81 followers · 456 posts · Server infosec.exchange

I can see alerts popping like mushrooms ... Let me finish my coffee 🤣 damn you all ...

#soclife #securityoperationscentre

Last updated 3 years ago

Axi0kers0s 👾 · @axi0kers0s
63 followers · 335 posts · Server infosec.exchange

My face when a specific connector hasn't been connected/set properly ...

#soclife

Last updated 3 years ago

Axi0kers0s 👾 · @axi0kers0s
21 followers · 69 posts · Server infosec.exchange

Friday on SOC duty, shift is almost over with the other lot starting soon. It was a relatively quiet and enjoyable day ... But I know that the system knows I am about to finish, and I know that the system is ready to swamp me with alerts 15 minutes before I finish, as it does normally ... So please system hold on until five past ... Please

#blueteam #securityoperationscentre #soclife

Last updated 3 years ago

Syfur ♂️ · @syfur
46 followers · 82 posts · Server defcon.social

I mean, this shows fantastic leadership. He convinced almost an entire shift of 7 analysts to say, "fuck your end-of-year bonuses."

When you can convince those under your leadership to forgo extra pay just to "stick it to the man," you've got leadership skills.

Misguided, but skilled.

#soclife #leadership

Last updated 3 years ago

Syfur ♂️ · @syfur
45 followers · 81 posts · Server defcon.social

Well, any advice from SOC leadership on what to do when a shift manager convinces almost an entire shift to invalidate that shift's end-of-year employee reviews by having them all enter the same low review score in each category for each other (all but one obeyed)?

#soclife #socleadership #leadershiptip

Last updated 3 years ago

Syfur ♂️ · @syfur
45 followers · 80 posts · Server defcon.social

My stress levels at work, today.

#socdirector #soclife #deadlines

Last updated 3 years ago

Syfur ♂️ · @syfur
45 followers · 78 posts · Server defcon.social

Y'all...

Just discovered an alert from mid-September with the following PS command...

powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Users\username*'

where 'username' is the real username.

WTAF...
Now usernameImAThreatActor has all of their files excluded from Defender scans...

The analyst closed it as "file was not infected."

#soclife #blueteam #screamingintothevoid

Last updated 3 years ago
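The Add-MpPreference command quoted in the post above is exactly the kind of event triage should never close as "file was not infected". As an added example, not part of any post in this thread, the Python below scans constructed process-creation events for commands that add Defender exclusions, and rates a path exclusion covering a whole user profile (the shape quoted above, including the wildcard) higher than a single extension or process exclusion. The event field names (host, user, cmd) and the sample lines are assumptions; the -ExclusionProcess and -ExclusionExtension parameters are real Add-MpPreference parameters added here to generalize beyond the one command in the post.

```python
import json
import re

# Constructed process-creation events (assumed field names: host, user, cmd).
# The second command line mirrors the one quoted in the post above.
SAMPLE_EVENTS = [
    '{"host": "WS01", "user": "CORP\\\\jdoe", "cmd": "powershell.exe -Command Get-Process"}',
    '{"host": "WS01", "user": "CORP\\\\jdoe", '
    '"cmd": "powershell.exe -Command Add-MpPreference -ExclusionPath \'C:\\\\Users\\\\jdoe*\'"}',
    '{"host": "SRV02", "user": "CORP\\\\svc_backup", '
    '"cmd": "powershell.exe Add-MpPreference -ExclusionExtension .bak"}',
    '{"host": "WS03", "user": "CORP\\\\asmith", "cmd": "notepad.exe C:\\\\Users\\\\asmith\\\\notes.txt"}',
]

# Add-MpPreference parameters that carve something out of Defender scanning,
# followed by a quoted or bare value.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r'''(?:'([^']*)'|"([^"]*)"|(\S+))''',
    re.IGNORECASE,
)
# A path exclusion covering a whole profile directory, with or without the
# trailing wildcard seen in the post (no further path component after the name).
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]*$", re.IGNORECASE)


def find_defender_exclusions(events):
    """Return one finding per event whose command line adds a Defender exclusion."""
    findings = []
    for line in events:
        ev = json.loads(line)
        m = EXCLUSION_RE.search(ev.get("cmd", ""))
        if not m:
            continue
        kind = m.group(1).capitalize()
        value = next(g for g in m.groups()[1:] if g is not None)
        # Excluding an entire user profile removes scanning from everything
        # that user can write, so it outranks a single extension or process.
        broad = kind == "Path" and USER_PROFILE_RE.match(value) is not None
        findings.append({"host": ev["host"], "user": ev["user"], "kind": kind,
                         "value": value, "severity": "high" if broad else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_defender_exclusions(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: Exclusion{f['kind']} = {f['value']}")
```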

Syfur ♂️ · @syfur
34 followers · 57 posts · Server defcon.social

When you're called at 5:30am on a Sunday because there's been active alerting on a host for RDP to foreign IP addresses (yes, plural), and the activity was basically ignored for 13 hours, overnight...

Calling the customer's CISO so they can get an immediate response kicked off is not how I like to start my Sunday.

Finding out two shifts passed on escalating this activity is also awful, and I'll be addressing that tomorrow, while I try to reclaim my weekend morning.

#soclife

Last updated 3 years ago

chris!:unverified: · @burritosec
150 followers · 139 posts · Server infosec.exchange

When the WHOIS privacy setting points to Panama, your only option is to send the analyst a link to the accompanying Van Halen song during report review.

#music #infosec #soclife

Last updated 3 years ago

DarkCyberMan · @darkcyberman
9 followers · 57 posts · Server nerdculture.de

Advanced hunting in MS Defender still going slow or not at all.

#soclife

Last updated 3 years ago

MikeofMany · @mikeofmany
15 followers · 204 posts · Server wandering.shop

Sometimes I am in awe and hate how much other groups can leapfrog ahead of what I'm getting to do just cause they get to design their own strategy.

#soclife #blueteaming

Last updated 6 years ago