PokemonmasterM retweeted
FT) PJCS26 Garchomp LF) WCS2026 EventCode(ZA or SV) or Event distribution Pokemon(ZA or SV or HOME) #PokémonTrade ※ I would like to trade for the Pokémon either by receiving it from the recipient or using the initial software mark.
2
1
3
854
FT) PJCS26 Garchomp etc LF) WCS2026 EventCode(ZA or SV) or Event distribution Pokemon(ZA or SV or HOME) #PokémonTrade ※ I would like to trade for the Pokémon either by receiving it from the recipient or using the initial software mark.
1
1
5
1,073
Day 91/100 Hands-on with Splunk Enterprise today 🔍 Analyzed Sysmon logs Investigated suspicious process (SharePoint.exe in Temp 👀) Tracked network connections (EventCode 3) Practiced threat hunting & log correlation Getting better at detecting anomalies 🚀 #Cyber
Day 90 of #100DaysOfCybersecurity 📊 Used Splunk Enterprise for log analysis: • Sysmon Event ID 3 (network connection) • Suspicious process in Temp folder • Tracked IPs & ports (5678) • SPL queries for threat hunting Building my SIEM & SOC skills 🔍 #Cybersecurity #Splunk
3
260
Normally you are supposed to get an email the moment you enter, but for some reason it looks like no email ever reached me. By the way, entering the EventCode inside MyWhoosh did bring up the qualifying event. Still, the course is different on every date, so is there a chance you have to start in every single qualifying race? 🤔
The e-duathlon qualifiers start tomorrow, but how you actually take part in the qualifiers is still unclear... If I have heard nothing by around 3 pm, I guess I will phone them 🤔
4
254
🛡️ SIEM Log Correlation & Detection Eng (SOC Analyst Focus)

**Core Concept**
- SIEM ingests logs from FW, EPs, servers, PAM (e.g., CyberArk), and cloud services.
- Correlation rules detect suspicious patterns across logs.
- Analysts tune rules to cut FPs while catching real threats.

**Data Sources**
- Auth Logs: Win Event IDs (4624/4625/4672), Linux auth.log.
- Net Logs: FW denies, IDS/IPS alerts, NetFlow.
- Priv Access Logs: CyberArk vault access, sess recordings, cred checkouts.
- Cloud Telemetry: AWS CloudTrail, Azure AD sign-ins, GCP audit logs.

**Correlation Techniques**
- Rule-based: e.g., 5 failed logins (4625) → successful (4624) from same IP = brute force success.
- Temporal: Link events in a time window (e.g., priv esc <10 min after login).
- Cross-source: VPN login from foreign country + PAM cred checkout + unusual outbound traffic = insider threat.
- Behavioural: Compare vs historical baseline (e.g., normal UK login → sudden Russia).

**Detection Engineering**: SOC analysts write detection logic in query languages. See a few examples below:
- Splunk SPL:
```spl
index=wineventlog EventCode IN (4624, 4625)
| stats count by Account_Name, src_ip
| where count > 5
```
- Azure Sentinel KQL:
```kql
SecurityEvent
| where EventID in (4624, 4625)
| summarize Count=count() by Account, IPAddress, bin(TimeGenerated, 10m)
| where Count > 5
```

**Challenges**
- FPs: Broad rules create noise.
- Data Norm: Standardise varied log formats.
- Scalability: Efficient indexing for billions of EPS.
- Enrichment: Add TI feeds, geoIP, and asset criticality to logs.

**SOC Analyst Workflow**
1. Alert fires from the SIEM rule.
2. Triage: Check user/device/time/geo context.
3. Deep dive: Pivot to related logs (EP, PAM, FW).
4. Map to MITRE ATT&CK (e.g., T1078 Valid Accounts).
5. Respond: Escalate IR, isolate host, revoke creds.
6. Feedback: Tune the rule for better accuracy.

**Real-World Ex (PAM Integration)**
- CyberArk logs: Privileged credentials checkout at 2 AM.
- SIEM correlates w/ VPN login from foreign IP + large outbound transfer.
- Investigation → compromised priv acct.
- Containment: Disable acct, revoke vault access, block IP.

#SOC_Analysts #ThreatHunting #IncidentResponse #SecurityAnalysts #BlueTeam #DigitalForensics #CyberSecurity #NetworkSecurity #MalwareAnalysis #SOC
1
3
123
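The rule-based and temporal correlations the post lists (N failed 4625 logons followed by a 4624 from the same source, and a 4672 privilege assignment shortly after a logon) can be checked outside a SIEM too. The Python below is an added example, not code from the post; the event records are constructed sample data, the field layout and the 5-failure / 10-minute thresholds are assumptions, and the grouping is keyed on account plus source IP, which is stricter than the post's "same IP" wording.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real logs):
# (timestamp, EventCode, account, source IP)
SAMPLE_EVENTS = [
    ("2025-10-05 02:00:01", 4625, "svc_backup", "203.0.113.7"),
    ("2025-10-05 02:00:03", 4625, "svc_backup", "203.0.113.7"),
    ("2025-10-05 02:00:05", 4625, "svc_backup", "203.0.113.7"),
    ("2025-10-05 02:00:08", 4625, "svc_backup", "203.0.113.7"),
    ("2025-10-05 02:00:10", 4625, "svc_backup", "203.0.113.7"),
    ("2025-10-05 02:00:12", 4624, "svc_backup", "203.0.113.7"),  # success after 5 failures
    ("2025-10-05 02:00:20", 4672, "svc_backup", "203.0.113.7"),  # special privileges 8 s later
    ("2025-10-05 09:15:00", 4625, "alice", "10.0.0.5"),         # one typo, then success: benign
    ("2025-10-05 09:15:30", 4624, "alice", "10.0.0.5"),
]


def parse_events(rows):
    """Turn the constructed rows into (datetime, code, account, ip) tuples, sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), code, acct, ip)
              for ts, code, acct, ip in rows]
    return sorted(parsed)


def detect_bruteforce_success(rows, threshold=5, window=timedelta(minutes=10)):
    """Rule-based: at least `threshold` 4625 events followed by a 4624 for the same
    account + source IP, all inside `window`. Returns one alert per such logon."""
    alerts = []
    by_key = defaultdict(list)
    for ts, code, acct, ip in parse_events(rows):
        by_key[(acct, ip)].append((ts, code))
    for (acct, ip), evts in by_key.items():
        failures = []  # timestamps of 4625s still inside the sliding window
        for ts, code in evts:
            failures = [f for f in failures if ts - f <= window]  # expire old failures
            if code == 4625:
                failures.append(ts)
            elif code == 4624 and len(failures) >= threshold:
                alerts.append({"rule": "brute_force_success", "account": acct,
                               "src_ip": ip, "failures": len(failures),
                               "logon_time": ts})
                failures = []  # do not re-alert on the same burst
    return alerts


def detect_privesc_after_logon(rows, window=timedelta(minutes=10)):
    """Temporal: a 4672 (special privileges assigned) within `window` after the most
    recent 4624 for the same account + source IP."""
    alerts = []
    last_logon = {}
    for ts, code, acct, ip in parse_events(rows):
        key = (acct, ip)
        if code == 4624:
            last_logon[key] = ts
        elif code == 4672 and key in last_logon and ts - last_logon[key] <= window:
            alerts.append({"rule": "privesc_after_logon", "account": acct, "src_ip": ip,
                           "delta_seconds": (ts - last_logon[key]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_EVENTS) + detect_privesc_after_logon(SAMPLE_EVENTS):
        print(alert)
```

The brute-force rule resets its failure list after alerting, so a long password-spraying burst yields one alert per successful logon rather than one per subsequent event; the temporal rule only remembers the latest logon per key, which is the same "link within a time window" idea the post describes.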
5 Oct 2025
📍The Storacha x Xenea event 'Sign Up for a Free Starter Plan' 📌 Event Code 👉 STORA2 #Eventcode #Xenea #Storacha
2
15
1,181
XENEA × STORACHA Event Code for 2000 Gems? 💎 #Xenea #xeneawallet #storacha #storachaeventcode #eventcode
4
1
5
1,526
Who Wants the Xenea × Storacha "Sign Up to a Free Starter Plan" Event Code? #xenea #xeneaeventcode #storacha #storachaeventcode #eventcode
6
1
4
1,291
Storacha × XENEA Event Code dropping in a few minutes. Do Follow 🔔 & Retweet 🔁 and Be Ready ✅ #storacha #xeneaevent #storachaevent #eventcode
2
2
757
Tips: 💡 1- If you prefer one of the SIEMs over the other, you can export the logs and load them into the other one. 2- Make use of the wildcard feature as much as you can. Example: if you are asked to find a download of an exe file over http, instead of hunting for a specific eventcode try using http*.exe; it will make things a lot easier for you.
1
11
2,920
1 Aug 2025
In follow up to my latest post timelining sysmon logs, here's the search I wrote to include all events between a 4624 (logon) and the 4625 (logoff). This one doesn't work perfectly in all scenarios. However, I've triaged plenty of malicious activity very quickly using this.
==============================
index=eventlogs LogName IN ($sources$) EventCode IN ($eventid$) ComputerName=$host$ $search$
| eval includeEventId=if("$eventid$"=="*", "yes", if(isnull(mvfind(split("$eventid$", ","), tostring(EventCode))), "no", "yes"))
| eval excludeEventId=if("$removeeventid$"=="*", "no", if(isnull(mvfind(split("$removeeventid$", ","), tostring(EventCode))), "no", "yes"))
| eval includeSource=if($sources$=="*", "yes", if(isnull(mvfind(split($sources$, ","), LogName)), "no", "yes"))
| eval excludeSource=if("$removesources$"=="*", "no", if(isnull(mvfind(split("$removesources$", ","), LogName)), "no", "yes"))
| where includeEventId="yes" AND excludeEventId="no" AND includeSource="yes" AND excludeSource="no"
| eval timex=_time
| where timex >=$start$ AND timex <=$end$
| eval TimeX=if(timex == 0 OR timex== 0, "Original",null())
| fillnull EventCode value=""
| eval LogName="Log: ". LogName. "(" . EventCode. ")"
| fillnull LogName value=""
| sort _time
| table LogName, Message, RecordNumber, _time
==============================
2
77
📅 Date : 29th July 2025 💡XENEA & Syntax Verse Event Task. Event Name : Register the Syntax Verse app! ➡️ Code: XeneaCollab #xenea #xeneawallet #xeneaquiz #syntax #syntaxverse #syntaxevent #eventcode #xeneaeventcode #syntaxverseeventcode #syntaxeventcode
1
2
8
1,242
👨‍💻 Real-world example: 🔔 Alert: "Multiple login attempts on an admin account from an unknown location". As a SOC analyst, you would use Splunk like this:
index=windows sourcetype=WinEventLog:Security EventCode=4625 Account_Name="admin" | stats count by src_ip | sort - count
. . .
1
2
17
Replying to @s_torian_
I don't have a favourite EventCode lol. About the only one I know is 1603... (saw it to death with the Horizon Client and VC++ dependency problems)
1
5
194
8 Jul 2025
Working overtime staring at Windows event logs, and it gave me a flashback to my company's interview, where they asked "what's your favourite EventCode number?"
1
1
21
1,119
Telling the auditors we monitor account lockouts (we look for EventCode 4740 in Splunk) (every employee laptop is a Mac)
9
6
170
10,825
7 Feb 2025
Replying to @Antonlovesdnb
Really like this list, want to riff off most of the same points - Naming experience with using offensive tooling during a SOC interview has been an odd trend for me that usually doesn't pan out. If a candidate can't cite detection/artifact related tidbits around it, best case is at least proving enough exp to where they could translate the usage know-how into then finding it. - If I google a full sentence in your resume or long enough tool list and get an exact match, I will pick that out and ask you to elaborate. Don't be in that situation. - If you put Kali or ParrotOS or Pentoo or Backtrack in your resume, I am judging. In the same vein, don't overuse the words cyber or hacking (personal annoyance). - Referencing AD/Windows event log details from a DC you've used before -beyond- memorizing an eventcode is gucci. On the job you can look up an event ID anyway. - You should have at least a handful of stories in mind to talk about to help cover open-ended past investigation questions.
1
4
365
30 Nov 2024
Free EX colour 1 for Bison, redeemable right away in-game! Thanks @CAPCOM_Germany 🤩 looks great! #streetfighter6 #SF6 eventcode Color
1
2
1,045
30 Oct 2024
claude (honey) says: I've created a set of advanced SIEM queries that demonstrate various security detection scenarios. Each query includes:
1. Lateral Movement Detection (SPL)
- Tracks authentication patterns
- Uses statistical analysis to identify anomalies
- Includes threshold-based alerting
// SPL Query - Detect potential lateral movement by tracking unusual authentication patterns
sourcetype=winevent_security EventCode=4624
| eval hour=strftime(_time,"%H")
| stats count BY src_ip dest_ip hour user
| where count > 10
| eventstats avg(count) as avg_auth_per_hour stdev(count) as stdev_auth BY src_ip
| where count > avg_auth_per_hour + (3 * stdev_auth)
| sort - count
| rename src_ip as Source_IP, dest_ip as Target_IP, user as Username
| table Source_IP Target_IP Username hour count avg_auth_per_hour
1
1
50
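To see what the per-source mean-plus-three-standard-deviations rule in the SPL above actually selects, here is the same pipeline carried out in Python over constructed 4624 events. This is an added example, not code from the post; the events, host addresses and user names are made up, and the sample (N-1) standard deviation is an assumption about what Splunk's stdev() computes.

```python
import statistics
from collections import Counter, defaultdict


def build_events():
    """Constructed 4624 events (not real logs): one workstation logging on to 15
    servers 11-13 times each during business hours, plus a 300-logon burst to a
    sixteenth host at 03:00, plus noise the query must ignore."""
    events = []
    baseline = [12, 11, 13]
    for i in range(15):
        events += [{"EventCode": 4624, "src_ip": "10.0.0.9", "dest_ip": f"10.0.1.{i + 1}",
                    "hour": "09", "user": "alice"}] * baseline[i % 3]
    events += [{"EventCode": 4624, "src_ip": "10.0.0.9", "dest_ip": "10.0.1.50",
                "hour": "03", "user": "alice"}] * 300
    # A quiet host whose only group never exceeds the `where count > 10` cut-off
    events += [{"EventCode": 4624, "src_ip": "10.0.0.22", "dest_ip": "10.0.1.1",
                "hour": "10", "user": "bob"}] * 4
    # Failed logons: excluded by the EventCode=4624 filter however many there are
    events += [{"EventCode": 4625, "src_ip": "10.0.0.9", "dest_ip": "10.0.1.50",
                "hour": "03", "user": "alice"}] * 500
    return events


def detect_lateral_movement(events, min_count=10, sigmas=3.0):
    """Python rendering of the SPL pipeline: filter 4624, count by
    (src_ip, dest_ip, hour, user), drop small groups, compute a per-src_ip
    baseline, and keep groups above avg + sigmas * stdev."""
    # stats count BY src_ip dest_ip hour user  (only EventCode=4624)
    counts = Counter((e["src_ip"], e["dest_ip"], e["hour"], e["user"])
                     for e in events if e["EventCode"] == 4624)
    # where count > 10
    groups = {k: c for k, c in counts.items() if c > min_count}
    # eventstats avg(count), stdev(count) BY src_ip
    per_src = defaultdict(list)
    for (src, _, _, _), c in groups.items():
        per_src[src].append(c)
    baseline = {}
    for src, vals in per_src.items():
        avg = statistics.mean(vals)
        sd = statistics.stdev(vals) if len(vals) > 1 else 0.0  # a lone group has no spread
        baseline[src] = (avg, sd)
    # where count > avg_auth_per_hour + (3 * stdev_auth)
    hits = []
    for (src, dst, hour, user), c in groups.items():
        avg, sd = baseline[src]
        if c > avg + sigmas * sd:
            hits.append({"Source_IP": src, "Target_IP": dst, "Username": user,
                         "hour": hour, "count": c, "avg_auth_per_hour": round(avg, 1)})
    # sort - count
    return sorted(hits, key=lambda h: -h["count"])


if __name__ == "__main__":
    for hit in detect_lateral_movement(build_events()):
        print(hit)
```

Note that the outlier is part of its own baseline: with only a handful of groups per source IP, one large count inflates both the mean and the standard deviation enough that it can never clear a three-sigma bar, so this rule only works where a source has many comparable groups; the constructed data uses 16 groups so the 300-logon burst is flagged while the 11-13 logon groups are not.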