In this post, we’ll explore how files get stored in a Vertex Axon and recorded on the Vertex Synapse platform. The Axon is a tool for storing binary data securely within the Synapse framework; it indexes binaries using SHA-256 hash so that no duplicate storage occurs. By default, blobs are stored inside an LMDB Slab.

In this blog post, I will provide insight into tracking organizations using the Vertex Synapse system. This centralized intelligence platform will store all important data and intelligence. The core component of the system is open source.

The previous posts looked on how we could hunt on forged EVTX files. However, in the course of an incident response or advanced threat hunting, not all logs lies in properly formated EVTX files. For example, some firewalls export their logs in JSON format, some application will output XML. On Windows servers, these might eventually reach an event log but on Linux, it will most likely remains as it is. As I don’t like wasting my time, I want to leverage Sigma rules on JSON and XML files. Today, I focus my post on JSON files.

Previous post explained my process for developing Sigma rules to detect suspicious activity. A key element in developing such rules is the log file itself. While incident response will provides you plenty of (large) event logs with malicious activity, it might be time-consuming to read hundreds of thousands log lines to find the one you are interested in detecting. Or you might not even have the possiblity to get such event logs; For example, a new version of SysMon is released and you would like to test the new capabilities.

From my experience, when you find evidence of malicious activity in a log file, there is probably more somewhere else, and the actor is likely to continue using the same tools and techniques unless you detect it. Instead of just looking at lines in a log file, when you discovered a malicious activity, write a detection rule that can be applied to all your systems for retro-hunting, added to your detection stack for future events, and shared with peers and partners to benefit the greater good.

Synapse is a collaborative cyber threat intelligence platform provided by Vertex. The platform allows the analyst to share a common database to perform their analysis and reporting.

This blog is generated using Jekyll and the templating engine is Liquid. I wanted to display var tags = [ tag1, tag2, tag3 ] with the tags of the post at the end of the page. Note that the comma after tag3 is absent.

I decided to start diving a lot more into Kubernetes as it appears to become the standard way of deploying web applications. I have a lot to catch up as cloud was barely a buzzword when I was a student.

I finally setup a central repository for all my notes. I’ll mostly write about cyber security and software engineering.