SOCLabs

102 posts


@DetectionLabs

The world's first training platform for detection engineers, supporting multiple SIEM languages and using real logs to hone threat detection skills!

Joined April 2024
396 Following · 100 Followers
Pinned Tweet
SOCLabs @DetectionLabs ·
In terms of detection rule engineering: have you accounted for evasion techniques? I wrote something about this 👇 soc-labs.top/blog/en/how-to…
SOCLabs @DetectionLabs ·
🚨 New Challenge Live! #140 Threat Detection Engineer Attackers are using the most stealthy techniques to bypass your SIEM… Can you catch it using real logs and multi-language rules (Sigma / SPL / KQL / EQL)? SOCLabs’ latest detection challenge is now live! Real environment + complete attack chain, built for those who want to become top-tier Threat Detection Engineers. 🔥 Test your detection logic right now 👉 soc-labs.top/en/detections/… Master this challenge and truly earn your Detection Engineer title! 🔥 #Cybersecurity #DetectionEngineering #BlueTeam #InfoSec
SOCLabs @DetectionLabs ·
Just open-sourced: Detection Rule Bypass Analyzer (SKILL) 🔥 A specialized AI-powered tool for Detection Engineers and SOC Analysts. It helps you: • Identify blind spots in detection rules for system command execution • Assess bypass risks • Generate realistic bypass test cases • Suggest stronger rule logic to reduce false negatives Stop guessing if your rules can be evaded. Repo: github.com/DetectEng-SOCL… Stars, feedback, and contributions welcome! #DetectionEngineering #SIEM #Splunk #CyberSecurity #BlueTeam
Elastic Security Labs @elasticseclabs ·
One of our researchers built an AI powered supply chain monitoring tool on a Friday afternoon. The following Monday night it caught the Axios npm compromise before most people knew it existed. Elastic Security Labs is open sourcing the tool. Full story by @dez_ here: go.es.io/4bOfsuq
SOCLabs @DetectionLabs ·
We've just launched the new macOS Challenges section on SOCLabs! A lot of macOS credential theft attacks rely on simple social engineering. Attackers use osascript to display fake authentication dialogs that look identical to real system prompts. Once the user enters their password, the attacker unlocks the Keychain and dumps saved browser passwords, cookies, and more. If you're practicing detection rules, this Medium difficulty challenge gives you real logs to work with. Give it a try! Link in comments 👇 #DetectionEngineering #macOS #BlueTeam #Infostealer
SOCLabs @DetectionLabs ·
This read highlights a practical shift in SecOps: combining LLM-driven natural language queries with deterministic MCP toolchains to automate MITRE coverage checks across fragmented rule formats. detecteng.com/detection-work…
SOCLabs @DetectionLabs ·
The Self-Improving Agent and TIP: How ThreatClawer Builds Detections and Ships Features While I… by Hatim (threadlinqs-cmd) detecteng.com/the-self-impro…
SOCLabs retweeted
Elastic Security Labs @elasticseclabs ·
Nearly 65% of orgs are experimenting with AI agents, but fewer than 25% have deployed them in production. 2026 is the year that changes, especially in security operations. Here's what an Agentic AI SOC actually does differently 🧵 ↳ It doesn't just alert you — it correlates signals into full attack chains ↳ It doesn't just detect — it contains, with closed-loop automated response ↳ It doesn't just act — it explains every decision with a traceable reasoning trail The shift: from managing alerts → neutralizing attacks. Copilot = passenger. Agent = driver. Read the full breakdown below.
SOCLabs retweeted
The Haag™ @M_haggis ·
Security Detections MCP 3.0 is LIVE What started as a detection search MCP is now an autonomous detection engineering pipeline. Agents now run a full workflow: CTI → coverage analysis → detection generation → SIEM validation → PR staging Pipeline example: • CTI Analyst → extracts MITRE techniques from threat intel • Coverage Analyzer → checks 7k+ detections across Sigma / Splunk / KQL / Elastic • Detection Engineer → generates missing detections • Atomic Executor + SIEM Validator → tests detections • PR Stager → prepares them for review Multi-SIEM support: Splunk • Sentinel • Elastic • Sigma Open source 👇 Repo github.com/MHaggis/Securi… npm npmjs.com/package/securi… Pulse MCP listing pulsemcp.com/servers/mhaggi… Watch the full demo: youtu.be/03ZmD5cdfHI
SOCLabs @DetectionLabs ·
@SpecterSignal Every alert tells a story. Even the ones that look like noise.
SOCLabs @DetectionLabs ·
NEW CHALLENGE: Chrysalis Backdoor Detection! 🚨 Rapid7 just unveiled a sophisticated Chrysalis Backdoor, leveraging Notepad++ supply chain, custom obfuscation (Warbird!), and advanced DLL sideloading. Reading about it is one thing. Detecting it is another. We've recreated the attack in a real-world environment and built a hands-on lab to test your SIEM rules against this APT. Can you craft the logic to unmask this stealthy threat? 👉 Challenge #136 is LIVE. Prove your skills: soc-labs.top/en/detections/… #DetectionEngineering #ThreatHunting #MalwareAnalysis #APT #ChrysalisBackdoor #BlueTeam #SIEM
SOCLabs @DetectionLabs ·
Huge thanks to @Rapid7 for this critical deep dive into the #ChrysalisBackdoor 👏 Their research is invaluable. For those ready to move from reading to real-world detection practice, we've built a hands-on challenge based on these exact techniques. 👉 Test your SIEM rules against this APT: soc-labs.top/en/detections/… #DetectionEngineering #ThreatIntelligence #BlueTeam #CyberSecurity
Quoted tweet: Rapid7 @rapid7 ·

🔎 Rapid7 Labs, alongside our MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group #LotusBlossom. Find a deep technical analysis of the custom backdoor 'Chrysalis', Notepad++, Warbird, and more in our latest blog: r-7.co/4kaerPA

SOCLabs @DetectionLabs ·
Outstanding technical breakdown by the MDR team! 👏 We were so inspired by the depth of the Chrysalis analysis that we've already built a hands-on detection challenge for it on SOCLabs. For anyone wanting to practice writing rules for this specific Lotus Blossom toolkit, check it out here: soc-labs.top/en/detections/…
Rapid7 @rapid7 ·
🔎 Rapid7 Labs, alongside our MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group #LotusBlossom. Find a deep technical analysis of the custom backdoor 'Chrysalis', Notepad++, Warbird, and more in our latest blog: r-7.co/4kaerPA