Nathan Burns
@n-burns.bsky.social
Senior Detection Engineer and Threat Hunter @ Autodesk
https://medium.com/@nburns9922

Opinions are my own (of course)
You could also detect this via /var/log/shell.log and/or /var/log/auth.log but you'd be detecting the command line execution and not the underlying procedure of interacting with the ESXi API.

There are numerous ways to achieve an objective; focus on coverage!
December 4, 2024 at 11:28 PM
Getting a sense of the source for each detection would be good. Did these spawn from past incidents, internal research, fancy CTI reports or other?

Figuring out what native alerting mechanism exists would help to remove potential duplicative alerts and let engineers focus on what matters, gaps.
November 25, 2024 at 5:11 AM