GEKO is an open-source tool that automates threat-hunting by connecting threat intelligence from OpenCTI with detection rules in Elasticsearch. It analyzes threat actors' techniques, inventory detection rules, and generates a report card on defense effectiveness, enabling security analysts to focus on relevant threats instead of unnecessary rules, enhancing their detection capabilities.

This post details the setup of Logstash for managing Elastic Agents through Fleet. It covers installation, certificate generation for secure communication, and configuring Fleet outputs. Additionally, it highlights scenarios where Logstash enhances data processing, routing, and control before reaching Elasticsearch, emphasizing its flexibility for Elastic Stack deployments.

The post outlines the setup of the Elastic Stack’s Fleet in an air-gapped environment, detailing steps to load the Elastic Package Registry (EPR) and configure Kibana. It includes instructions for setting up an HTTP server for agent binaries, adding a Fleet Server, and setting up encryption. The conclusion hints at future topics.

This post provides a detailed guide on installing Elasticsearch and Kibana in an air-gapped environment. It includes steps for installing, configuring system services, generating enrollment tokens, and optional TLS setup. The process culminates with connecting to Kibana via a browser and preparing for the next phase of setup.

This blog series instructs on installing the Elastic Stack—Elasticsearch, Logstash, Kibana, and Fleet agents—in air-gapped environments for enhanced security. The guide outlines prerequisites, lab setup, and necessary packages, emphasizing the importance of proper file transfer and organization. Future posts will detail Elasticsearch and Kibana installation processes.

Executive Summary In March 2025, Google’s Threat Intelligence Group (GTIG) documented a complex espionage operation attributed to the PRC-nexus actor UNC6384, overlapping historically with tradecraft seen in TEMP.Hex / Mustang Panda. The campaign hijacks captive-portal flows to redirect victims to a fake “Adobe plugin update” site, delivering a signed downloader (STATICPLUGIN) that ultimately DLL-sideloads CANONSTAGER and deploys…

The post explores the vital role of Security Operations Centre (SOC) analysts in cybersecurity. It outlines their daily tasks, including triaging alerts, deep investigations, and collaboration across teams. The challenges they face, such as alert fatigue, and the rewards of preventing threats are emphasized. The importance of continuous improvement and effective tool usage is also highlighted.

Cybersecurity breaches commonly arise from avoidable misconfigurations rather than elite hackers. Key issues include exposing RDP, weak passwords, permissive firewalls, unsecured file shares, outdated software, lack of multi-factor authentication, misconfigured cloud storage, excessive user privileges, inadequate logging, and poor backup practices. Addressing these can significantly enhance security.

A Sophos investigation revealed over 140 GitHub repositories distributing backdoored malware disguised as game cheats and hacking tools, targeting inexperienced cybercriminals. Threat actors used automation for legitimacy, raising concerns about open-source exploitation. Elastic Security's strategies, including detection rules, help safeguard against such malicious activities within developer environments.

This blog post presents useful PowerShell commands aimed at security engineers and system administrators, focusing on audit and log analysis, malware and threat hunting, and system hardening. Key commands include monitoring login events, checking for suspicious scheduled tasks, verifying Windows Defender status, and disabling SMBv1 to enhance system security.