Detection as Code is one of the most important evolutions in modern security detection, and in this video, we break it down.
I first encountered this concept as a Cloud Threat Detection Engineer at Datadog. Today, I’m joined by Dennis Chow, a Detection Engineering specialist and author of Automating Security Detection Engineering (which I had the honor of technically reviewing).
Together, we explore what Detection as Code really means and walk through two hands-on CI/CD pipeline demos:
🔹 Lab 1: Building SIEM detections with synthetic AI testing using Sumo Logic
🔹 Lab 2: Policy-as-Code integration testing with Cloud Custodian on GCP
You’ll learn how Detection as Code uses Git, automated testing, and CI/CD to make detection engineering reproducible, collaborative, scalable, accountable, and reliable.
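The workflow above in miniature, as an added example (not the video's code and not a Sumo Logic or Cloud Custodian pipeline): a detection rule, its synthetic test events and a CI-style gate are one versioned unit, so a change to the rule is validated on every commit. The rule/event schema and the CloudTrail-shaped sample events are constructed for illustration.

```python
"""Detection-as-Code in miniature: one detection rule, its synthetic test events
and a CI-style gate are a single versioned unit, so every rule change is checked
on commit.  Added example for this page, not code from the video or from any SIEM
vendor; the rule and event schemas and the CloudTrail-shaped sample events are
constructed for illustration."""
import operator
import re

# Operators a rule condition may use.  All conditions in a rule are AND-ed.
_OPS = {
    "eq": operator.eq,
    "in": lambda value, allowed: value in allowed,
    "regex": lambda value, pattern: re.search(pattern, str(value)) is not None,
}

# What the repo would hold as YAML/JSON: metadata, logic and test cases together.
RULE = {
    "id": "aws-console-login-without-mfa",
    "name": "Successful AWS console login without MFA",
    "technique": "T1078.004",
    "conditions": [
        {"field": "eventName", "op": "eq", "value": "ConsoleLogin"},
        {"field": "responseElements.ConsoleLogin", "op": "eq", "value": "Success"},
        {"field": "additionalEventData.MFAUsed", "op": "eq", "value": "No"},
    ],
    # Synthetic events: the rule must fire on every expect=True case and stay
    # silent on every expect=False case; validate_rule() demands both kinds.
    "tests": [
        {"expect": True, "event": {
            "eventName": "ConsoleLogin",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No"},
            "userIdentity": {"userName": "alice"}}},
        {"expect": False, "event": {
            "eventName": "ConsoleLogin",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"}}},
        {"expect": False, "event": {
            "eventName": "ConsoleLogin",
            "responseElements": {"ConsoleLogin": "Failure"},
            "additionalEventData": {"MFAUsed": "No"}}},
    ],
}


def get_field(event, dotted):
    """Resolve 'a.b.c' against nested dicts; None when any hop is missing."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(rule, event):
    """True when every condition of the rule matches the event."""
    for cond in rule["conditions"]:
        value = get_field(event, cond["field"])
        if value is None or not _OPS[cond["op"]](value, cond["value"]):
            return False
    return True


def validate_rule(rule):
    """Structural lint run before any test; returns the list of problems found."""
    problems = []
    for key in ("id", "name", "technique", "conditions", "tests"):
        if key not in rule:
            problems.append(f"missing key {key!r}")
    for cond in rule.get("conditions", []):
        if cond.get("op") not in _OPS:
            problems.append(f"unknown op {cond.get('op')!r} on field {cond.get('field')!r}")
    expectations = {case.get("expect") for case in rule.get("tests", [])}
    if True not in expectations:
        problems.append("no true-positive test case")
    if False not in expectations:
        problems.append("no true-negative test case")
    return problems


def run_tests(rule):
    """Replay the rule's synthetic events; returns one message per failing case."""
    failures = []
    for i, case in enumerate(rule["tests"]):
        got = evaluate(rule, case["event"])
        if got != case["expect"]:
            failures.append(f"{rule['id']} case #{i}: expected {case['expect']}, got {got}")
    return failures


def ci_gate(rules):
    """The pipeline step: (passed, report).  Any problem blocks the merge."""
    report = []
    for rule in rules:
        problems = validate_rule(rule)
        report += problems or run_tests(rule)   # tests only run on well-formed rules
    return (not report), report


if __name__ == "__main__":
    passed, report = ci_gate([RULE])
    print("PASS" if passed else "FAIL", *report, sep="\n")
```

The negative cases are what make this a regression test rather than a smoke test: dropping the MFAUsed condition from the rule still passes the true-positive event, but the "MFAUsed: Yes" case now fires and the gate fails the merge.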
_____________
📁RESOURCES:
→ Our podcast episode together
_____________
⚡️JOIN 6,000+ CWX MEMBERS ON DISCORD
📰 SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER
_____________
🧬 CYBERWOX RESOURCES
🔹 Cyberwox Cybersecurity Notion Templates for planning your career
🔹 Cyberwox Best Entry-Level Cybersecurity Resume Template
🔹 Learn AWS Threat Detection with my LinkedIn Learning Course
_____________
📱 LET'S CONNECT
Email: day@cyberwox.com
_____________
⚠️DISCLAIMER
This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!
Visit my sponsor to view the current average annual salary for a Cybersecurity degree and learn how to get started.
I had the pleasure of hosting Dylan Williams and we explored how AI can be applied in cybersecurity, focusing on threat detection. We also examined how his project, D.I.A.N.A., turns threat intelligence reports into actual detections.
Dylan's Resource on Applying LLMs & GenAI to Cybersecurity
_____________
TIMESTAMPS
00:00 Intro
01:39 Dylan's Background
02:40 How Dylan started exploring AI
03:07 SNHU
04:36 Dylan's ChatGPT Moment
06:22 Training LLMs for Cybersecurity
09:53 Updating LLMs
14:27 D.I.A.N.A - Detection and Intelligence Analysis for New Alerts
17:07 Going from Threat Intelligence to Threat Detection
32:02 Getting started with LLMs & Gen AI for Cybersecurity
33:55 Connect with Dylan
35:12 Outro
_____________
Office365 Management Activity API
_____________
TIMESTAMPS:
00:00 Intro
00:36 Get-RoleGroup Operation
01:37 Enumeration is not logged??
05:53 SNHU
07:22 Using the Security Compliance Center EOPCmdlet
08:54 Abusing Purview Compliance & E-Discovery
10:21 Useful Log Fields & Key Fields of note
12:48 Attack Demo
14:45 Fields to Decipher
15:51 How To Detect/Analyse
17:59 Get-RoleGroupMember
19:39 Useful Log Fields
20:30 Attack Demo
23:01 Segmentation Of Behaviors
23:57 Connect-IPPSSession
26:07 Final Thoughts
27:40 Outro
_____________
Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. In today's episode, we explore the Add-RoleGroupMember operation in Exchange Online.
_____________
TIMESTAMPS:
00:00 Intro
00:48 Add-RoleGroupMember Overview
03:22 The Result Status
04:53 The Application IDs
08:59 Key Fields of Note
10:39 Fields to Decipher
20:14 Detection - Permission Alert Policies
23:18 Custom Alerting
24:32 Final Thoughts
25:39 Outro
_____________
Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder.
Learn about auditing solutions in Microsoft Purview
_____________
TIMESTAMPS
00:00 Intro
00:20 Deciphering New-RoleGroup
09:06 Key Fields
10:11 Deciphering with Exchange Online PowerShell
13:42 Detection Opportunities
16:16 SIEM & Attacker Tactics
21:43 Outro
_____________
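Detection logic for the Exchange Online role-group operations covered in the three episodes above (Get-RoleGroup/Get-RoleGroupMember, Add-RoleGroupMember and New-RoleGroup), as an added example that is not the presenters' code. It reads the AuditData JSON a Search-UnifiedAuditLog export contains; every record here is constructed with placeholder tenant, GUIDs and names. Two assumptions are built in: only the mutating cmdlets produce records, so the detection anchors on New-RoleGroup, Add-RoleGroupMember and Update-RoleGroupMember rather than on the Get-* enumeration, and multi-valued parameters arrive ';'-separated.

```python
"""Flag Exchange Online role-group changes in Unified Audit Log records.
Added example for the New-RoleGroup / Add-RoleGroupMember / Get-RoleGroup
episodes; not the presenters' code.  Each record is the AuditData JSON a
Search-UnifiedAuditLog export contains, constructed here with placeholder
tenant, GUIDs and names.  Assumptions: read-only Get-* cmdlets produce no
records, so detection anchors on the mutating cmdlets, and multi-valued
parameters arrive ';'-separated."""
import json

PRIVILEGED_GROUPS = {"Organization Management", "Discovery Management"}
PRIVILEGED_ROLES = {"Role Management", "Mailbox Import Export", "Mailbox Search",
                    "ApplicationImpersonation"}
WATCHED = {"New-RoleGroup", "Add-RoleGroupMember", "Update-RoleGroupMember"}


def parse_parameters(record):
    """Exchange admin records list cmdlet arguments as [{"Name","Value"}]."""
    out = {}
    for p in record.get("Parameters", []):
        out[p["Name"]] = [v.strip() for v in str(p["Value"]).split(";") if v.strip()]
    return out


def analyse(record):
    """Return a finding for a privileged role-group change (successful or not), else None."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in WATCHED:
        return None
    params = parse_parameters(record)
    op = record["Operation"]
    if op == "New-RoleGroup":
        group = params.get("Name", [record.get("ObjectId")])[0]
        roles = set(params.get("Roles", []))
        members = params.get("Members", [])
        risky = bool(roles & PRIVILEGED_ROLES)        # a new group carrying admin-grade roles
    else:
        group = params.get("Identity", [record.get("ObjectId")])[0]
        roles = set()
        members = params.get("Member") or params.get("Members", [])
        risky = group in PRIVILEGED_GROUPS            # membership added to a known admin group
    if not risky:
        return None
    return {
        "time": record.get("CreationTime"),
        "operation": op,
        "actor": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "app_id": record.get("AppId"),                # which client/app performed the change
        "group": group,
        "members": members,
        "roles": sorted(roles),
        # ResultStatus is the string "True"/"False" in Exchange admin records; a failed
        # attempt to join a privileged group is still worth a ticket.
        "succeeded": record.get("ResultStatus") == "True",
    }


def run(audit_data_lines):
    """audit_data_lines: iterable of AuditData JSON strings.  Returns findings in order."""
    findings = []
    for line in audit_data_lines:
        finding = analyse(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def _record(op, params, result="True", actor="admin@contoso.example", ip="203.0.113.10"):
    """Constructed Exchange admin AuditData record with the fields the episodes discuss."""
    return json.dumps({
        "CreationTime": "2024-02-10T14:03:22", "Id": "00000000-0000-0000-0000-000000000001",
        "Operation": op, "OrganizationId": "00000000-0000-0000-0000-0000000000aa",
        "RecordType": 1, "ResultStatus": result, "UserKey": actor, "UserType": 2,
        "Version": 1, "Workload": "Exchange", "ClientIP": ip, "ObjectId": params[0][1],
        "UserId": actor, "AppId": "00000000-0000-0000-0000-0000000000ee",
        "ExternalAccess": False, "OrganizationName": "contoso.example",
        "Parameters": [{"Name": n, "Value": v} for n, v in params],
    })


SAMPLE = [
    _record("Add-RoleGroupMember", [("Identity", "Organization Management"), ("Member", "jdoe@contoso.example")]),
    _record("Add-RoleGroupMember", [("Identity", "Help Desk"), ("Member", "jdoe@contoso.example")]),
    _record("New-RoleGroup", [("Name", "Backup Ops"), ("Roles", "Mail Recipients;Mailbox Import Export"),
                              ("Members", "svc-backup@contoso.example")]),
    _record("Add-RoleGroupMember", [("Identity", "Discovery Management"), ("Member", "jdoe@contoso.example")],
            result="False", ip="198.51.100.23"),
]

if __name__ == "__main__":
    for finding in run(SAMPLE):
        print(finding)
```

The Help Desk addition is dropped because neither the group nor any role is privileged, while the failed Discovery Management attempt is kept with succeeded=False so the responder still sees the actor, client IP and AppId behind it.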
Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder.
Learn about auditing solutions in Microsoft Purview
_____________
TIMESTAMPS
00:00 Intro
00:49 Microsoft 365 Auditing
04:43 The Deciphering UAL Project
07:55 Accessing Purview Audit
17:41 Outro
_____________
This episode covers an attack scenario very similar to the one that led to the breach of the US bank Capital One. @0xd4y goes over the attack scenario using CloudGoat by Rhino Security Labs, and I detect his activities using AWS CloudTrail Lake.
_____________
🧬 VIDEO RESOURCES
🔹 Segev's YouTube Channel: @0xd4y
🔹 Former AWS engineer convicted over hack that cost Capital One $270m
_____________
⏰ TIMESTAMPS
00:00 Intro
00:34 Attack Scenario
00:51 Key Terminology
01:41 Cloud Attack Walkthrough - CloudGoat
10:06 Attack Detection Walkthrough - CloudTrail Lake
13:44 Remediation & Final Thoughts
_____________
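The detection side of this scenario, as an added example over constructed CloudTrail records (not the video's CloudTrail Lake query): EC2 instance-role credentials, handed out by IMDS and stolen via SSRF in the Capital One-style attack, being used from an address that is not the instance. KNOWN_INSTANCE_IPS stands in for an inventory lookup a team would maintain; the account id, role name, instance id and IPs are placeholders.

```python
"""Spot EC2 instance-role credentials (delivered by IMDS, as in the
Capital One-style CloudGoat scenario) being used from outside the instance.
Added example over constructed CloudTrail records; it is not the video's
CloudTrail Lake query.  KNOWN_INSTANCE_IPS stands in for an inventory lookup
a team would maintain (instance id -> its egress addresses)."""
import re
from collections import defaultdict

INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
S3_DISCOVERY = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject", "GetBucketPolicy"}


def instance_session(event):
    """(role, instance_id) if the caller used an instance-role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
    parts = ident.get("arn", "").rsplit("/", 2)
    if len(parts) != 3:
        return None
    role, session = parts[1], parts[2]
    # Two independent signals: the session is named after an instance, or
    # CloudTrail's ec2RoleDelivery marker says IMDS delivered the credentials.
    if INSTANCE_ID.match(session) or "ec2RoleDelivery" in ident.get("sessionContext", {}):
        return role, session
    return None


def detect(events, known_instance_ips):
    """One finding per (instance, unexpected source IP) with the APIs it called."""
    calls = defaultdict(set)
    meta = {}
    for ev in events:
        hit = instance_session(ev)
        if hit is None:
            continue
        role, instance = hit
        ip = ev.get("sourceIPAddress", "")
        if ip.endswith(".amazonaws.com"):        # an AWS service acting on the instance's behalf
            continue
        if ip in known_instance_ips.get(instance, set()):
            continue
        calls[(instance, ip)].add(ev["eventName"])
        meta.setdefault((instance, ip), {"role": role, "first_seen": ev["eventTime"]})
    findings = []
    for (instance, ip), apis in calls.items():
        findings.append({
            "instance": instance, "source_ip": ip,
            "role": meta[(instance, ip)]["role"],
            "first_seen": meta[(instance, ip)]["first_seen"],
            "apis": sorted(apis),
            # S3 enumeration from a foreign address is the Capital One pattern itself
            "s3_discovery": bool(apis & S3_DISCOVERY),
        })
    return findings


def _event(time, session, ip, name, source="s3.amazonaws.com", imds=True, account="123456789012"):
    """Constructed CloudTrail record carrying only the fields the detection reads."""
    ctx = {"sessionIssuer": {"type": "Role", "userName": "web-instance-role"}}
    if imds:
        ctx["ec2RoleDelivery"] = "2.0"
    return {
        "eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
        "sourceIPAddress": ip, "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole", "accountId": account,
            "arn": f"arn:aws:sts::{account}:assumed-role/web-instance-role/{session}",
            "sessionContext": ctx,
        },
    }


INSTANCE = "i-0abc1234def567890"
KNOWN_INSTANCE_IPS = {INSTANCE: {"10.0.1.5", "203.0.113.7"}}   # constructed: private IP and NAT EIP
SAMPLE_EVENTS = [
    _event("2024-04-02T11:00:00Z", INSTANCE, "203.0.113.7", "ListBuckets"),      # the instance itself
    _event("2024-04-02T11:07:00Z", INSTANCE, "198.51.100.23", "ListBuckets"),    # same creds, attacker host
    _event("2024-04-02T11:07:30Z", INSTANCE, "198.51.100.23", "ListObjectsV2"),
    _event("2024-04-02T11:08:10Z", INSTANCE, "198.51.100.23", "GetObject"),
    _event("2024-04-02T11:09:00Z", "alice-cli", "198.51.100.23", "ListBuckets", imds=False),  # not an instance session
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, KNOWN_INSTANCE_IPS):
        print(finding)
```

Only the instance session used from 198.51.100.23 produces a finding; the instance's own ListBuckets call and the human operator's session from the same foreign address do not. The remediation the video closes on (IMDSv2 enforcement, least-privilege instance roles) shrinks what this detection has to catch.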
GCP service accounts are interesting cloud identities. Let's review how they contributed to a cryptocurrency mining attack in this case study.
_____________
🧬 EPISODE RESOURCES
🔹How A Compromised AWS Lambda Function Led to a Phishing Attack
🔹GCP Lateral Movement & PrivEsc
🔹 DEFCON 30 Cloud Village - Weather Proofing GCP Defaults
🔹GCP IAM basic and predefined roles reference
_____________
⏰ TIMESTAMPS
00:00 How GCP Service Accounts Work
02:12 Initial Access - Stolen Service Account Credentials
02:52 Attack Flow
03:33 Privilege Escalation - Permission Upgrades
03:50 Detection Opportunity 1
04:04 Defense Evasion - Firewall Rule Modification
05:19 Detection Opportunity 2
05:38 1,600 VMs created during attack
05:51 Persistence - New Token Creations
06:16 Final Thoughts
_____________
In this video, I’ll be going over detection opportunities at various stages of cloud security attacks.
Compromised Cloud Compute Credentials: Case Studies From the Wild
_____________
TIMESTAMPS
00:00 Intro
00:40 The Attack Case
02:12 The Attack Graph
02:44 The Attack Flow
03:06 Detection Opportunity 1: Enumeration/Reconnaissance/Discovery - Cloud Infrastructure Discovery
05:27 Detection Opportunity 2: Persistence - Create Cloud Account
08:19 Detection Opportunity 3: Impact - Resource Hijacking
09:54 Detection Opportunity 4: Defense Evasion - Indicator Removal
10:23 Detection Opportunity 5: Credential Access - Stealing an application access token
12:04 Conclusion
_____________
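The detection opportunities listed in this video and in the GCP service-account case above, turned into code as an added example (not from either video or from the cited report). It runs over Cloud Audit Log entries and emits one finding per stage: discovery (a burst of distinct *.list calls), privilege escalation (SetIamPolicy), defense evasion (firewall rule changes), resource hijacking (a burst of instances.insert), persistence (new service account or key) and indicator removal (log sink deleted). Project, principal and IP values are constructed placeholders, the burst thresholds are assumptions to tune per environment, and the *.list calls only appear when Data Access audit logs are enabled (they are off by default).

```python
"""Stage-by-stage detections for a compromised GCP service account, run over
Cloud Audit Log entries.  Added example written for the two case studies on
this page; not code from the videos or from the cited report.  Project,
principal and IP values are constructed placeholders, the burst thresholds are
assumptions to tune per environment, and the *.list calls used for the
discovery stage only exist when Data Access audit logs are enabled."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Single audit events that merit a finding when a service account is the actor.
# Keys are methodName suffixes because GCP prefixes them ("v1.", "beta.", package paths).
SINGLE_EVENT_STAGES = {
    "SetIamPolicy": "privilege_escalation",          # permission upgrade
    "compute.firewalls.insert": "defense_evasion",   # firewall rule modification
    "compute.firewalls.patch": "defense_evasion",
    "compute.firewalls.delete": "defense_evasion",
    "CreateServiceAccount": "persistence",           # create cloud account
    "CreateServiceAccountKey": "persistence",        # new long-lived token
    "DeleteSink": "indicator_removal",               # log export removed
}
VM_CREATE = "compute.instances.insert"


def _ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def classify(entry):
    """Map one audit entry to an attack stage by methodName suffix, or None."""
    method = entry["protoPayload"]["methodName"]
    for suffix, stage in SINGLE_EVENT_STAGES.items():
        if method.endswith(suffix):
            return stage
    return None


def detect(entries, vm_burst=10, list_burst=3, window=timedelta(minutes=5)):
    """Findings in time order: single-event stages plus two rate-based ones
    (many instances.insert, many distinct *.list methods) per principal and window."""
    findings, fired = [], set()
    vm_window, list_window = defaultdict(deque), defaultdict(deque)
    for entry in sorted(entries, key=_ts):
        p = entry["protoPayload"]
        principal = p["authenticationInfo"]["principalEmail"]
        method, when = p["methodName"], _ts(entry)
        base = {"time": entry["timestamp"], "principal": principal, "method": method,
                "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
                "resource": p.get("resourceName")}
        stage = classify(entry)
        if stage and principal.endswith(".gserviceaccount.com"):
            findings.append(dict(base, stage=stage))
        if method.endswith(VM_CREATE):
            q = vm_window[principal]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= vm_burst and (principal, "resource_hijacking") not in fired:
                fired.add((principal, "resource_hijacking"))   # fire once per principal
                findings.append(dict(base, stage="resource_hijacking", count=len(q)))
        if method.rsplit(".", 1)[-1].lower().startswith("list"):
            q = list_window[principal]
            q.append((when, method))
            while when - q[0][0] > window:
                q.popleft()
            distinct = {m for _, m in q}
            if len(distinct) >= list_burst and (principal, "discovery") not in fired:
                fired.add((principal, "discovery"))
                findings.append(dict(base, stage="discovery", methods=sorted(distinct)))
    return findings


def _entry(ts, principal, method, service, resource, ip="198.51.100.23"):
    """Constructed Cloud Audit Log entry with the fields the detection reads."""
    return {"timestamp": ts,
            "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
            "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                             "authenticationInfo": {"principalEmail": principal},
                             "methodName": method, "serviceName": service,
                             "resourceName": resource,
                             "requestMetadata": {"callerIp": ip}}}


SA = "ci-deploy@example-proj.iam.gserviceaccount.com"
ZONE = "projects/example-proj/zones/us-central1-a"
SAMPLE_ENTRIES = [
    _entry("2024-03-01T09:00:00Z", SA, "v1.compute.instances.list", "compute.googleapis.com", f"{ZONE}/instances"),
    _entry("2024-03-01T09:00:05Z", SA, "google.iam.admin.v1.ListServiceAccounts", "iam.googleapis.com", "projects/example-proj"),
    _entry("2024-03-01T09:00:09Z", SA, "storage.buckets.list", "storage.googleapis.com", "projects/_/buckets"),
    _entry("2024-03-01T09:01:00Z", SA, "SetIamPolicy", "cloudresourcemanager.googleapis.com", "projects/example-proj"),
    _entry("2024-03-01T09:02:00Z", SA, "v1.compute.firewalls.insert", "compute.googleapis.com", "projects/example-proj/global/firewalls/allow-all"),
    *[_entry(f"2024-03-01T09:03:{i:02d}Z", SA, "v1.compute.instances.insert", "compute.googleapis.com", f"{ZONE}/instances/miner-{i:03d}") for i in range(12)],
    _entry("2024-03-01T09:05:00Z", SA, "google.iam.admin.v1.CreateServiceAccountKey", "iam.googleapis.com", f"projects/-/serviceAccounts/{SA}"),
    _entry("2024-03-01T09:06:00Z", SA, "google.logging.v2.ConfigServiceV2.DeleteSink", "logging.googleapis.com", "projects/example-proj/sinks/siem-export"),
    _entry("2024-03-01T10:00:00Z", "alice@example.com", "v1.compute.instances.insert", "compute.googleapis.com", f"{ZONE}/instances/dev-box", ip="203.0.113.10"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_ENTRIES):
        print(f["time"], f["stage"], f["principal"], f["method"])
```

The constructed sequence reproduces the attack flow in the case study: discovery, SetIamPolicy, a firewall change, a burst of instance creations (the finding fires on the tenth insert, not on each of the twelve), a new service account key and a deleted log sink. The single human-created instance at 10:00 yields nothing.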