As companies migrate to cloud, so too do opportunist adversaries. That's why our Elastic Security team members have created free detection rules for protecting users' cloud platforms like AWS and Okta. Learn more in this blog post.

Cloud monitoring and detection challenges

Ingesting and searching cloud logs with Elastic

Detecting attackers operating in cloud environments

Monitoring AWS CloudTrail logs to detect suspicious behavior

Simulating adversary behavior in AWS

Detecting and investigating the suspicious behavior in AWS

Detecting suspicious behavior in Okta logs

Conclusion

Security operations: Cloud monitoring and detection with Elastic Security

Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.

Persistence via scheduled tasks (T1053)

Real-world example: APT34 scheduled tasks abuse

Hunting for scheduled tasks

Other scheduled task considerations

Persistence via BITS jobs (T1197)

Hunting for malicious BITS jobs

Real-world example: Qbot malware

Others BITS and pieces

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Learn how Elastic Endpoint Security's behavior-based protections prevented a targeted ransomware attack on multiple endpoints.

Preventing malicious process injection

Detecting and preventing unwanted behaviors with EQL

Analysis of adversary tradecraft

Ransomware, interrupted: Sodinokibi and the supply chain

Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.

What is Okta SSO?

Meet Dorothy

Executing actions in an Okta environment using Dorothy

whoami?

Discovery

Persistence

Defense Evasion

Detecting suspicious behavior with Elastic Security

Ingesting Okta system logs with Fleet

Detecting suspicious behavior with Elastic Security’s free detection rules

Measure your cloud cover with Dorothy

Testing your Okta visibility and detection with Dorothy and Elastic Security

What is persistence and why do attackers need it?

What is Event Query Language (EQL)?

Persistence via Windows Management Instrumentation (WMI) Event Subscriptions (T1084)

Understanding WMI Event Subscriptions and how they can be abused

Hunting for and detecting malicious WMI Event Subscriptions

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

作者

David French

文章

安全运营：使用 Elastic Security 进行云监控和检测

对手的技巧 101：使用 Elastic Security 寻找持久性 (第 2 部分)

勒索软件中断：Sodinokibi 和供应链

使用 Dorothy 和 Elastic Security 测试您的 Okta 可见性和检测

对手的技巧 101：使用 Elastic Security 寻找持久性 (第 1 部分)