Network Security Channel
Bug Bounty Course.pdf
Bug Bounty Training Program (Online)
Hurry up, get enrolled yourself with IGNITE TECHNOLOGIES’ fully exclusive Training Program “Bug Bounty.”
✔️ Table of Content
🚀 Introduction to WAPT & OWASP Top 10
🛠 Pentest Lab Setup
🔍 Information Gathering & Reconnaissance
💻 Netcat for Pentester
⚙️ Configuration Management Testing
🔐 Cryptography
🔑 Authentication
🕒 Session Management
📂 Local File Inclusion
🌐 Remote File Inclusion
📁 Path Traversal
💣 OS Command Injection
🔀 Open Redirect
📤 Unrestricted File Upload
🐚 PHP Web Shells
📝 HTML Injection
🌟 Cross-Site Scripting (XSS)
🔄 Client-Side Request Forgery
🛑 SQL Injection
📜 XXE Injection
🎁 Bonus Section
#infosec #cybersecurity #cybersecuritytips #microsoft #redteam #informationsecurity #CyberSec #microsoft #offensivesecurity #infosecurity #cyberattacks #security #oscp #cybersecurityawareness #bugbounty #bugbountytips
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Hurry up, get enrolled yourself with IGNITE TECHNOLOGIES’ fully exclusive Training Program “Bug Bounty.”
✔️ Table of Content
🚀 Introduction to WAPT & OWASP Top 10
🛠 Pentest Lab Setup
🔍 Information Gathering & Reconnaissance
💻 Netcat for Pentester
⚙️ Configuration Management Testing
🔐 Cryptography
🔑 Authentication
🕒 Session Management
📂 Local File Inclusion
🌐 Remote File Inclusion
📁 Path Traversal
💣 OS Command Injection
🔀 Open Redirect
📤 Unrestricted File Upload
🐚 PHP Web Shells
📝 HTML Injection
🌟 Cross-Site Scripting (XSS)
🔄 Client-Side Request Forgery
🛑 SQL Injection
📜 XXE Injection
🎁 Bonus Section
#infosec #cybersecurity #cybersecuritytips #microsoft #redteam #informationsecurity #CyberSec #microsoft #offensivesecurity #infosecurity #cyberattacks #security #oscp #cybersecurityawareness #bugbounty #bugbountytips
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 End-to-End Web Security Architecture: FortiWeb WAF + FortiGate in Reverse Proxy Mode
Recently completed a comprehensive lab implementation and full documentation of a production-grade web security architecture using FortiWeb as a Web Application Firewall behind FortiGate, deployed on PNETLAB with KVM-based VMs.
🔹 Traffic Flow Architecture:
Client → FortiGate (WAN/VIP) → FortiWeb (WAF Inspection) → Apache2 Real Server → Response back to Client
🔹 Key Implementation Highlights:
✅ Linux Web Server hardening with Apache2 and static IP configuration via Netplan
✅ FortiWeb interface setup across three segments (Real Server / Client-LAN / Management)
✅ Complete WAF policy chain: Virtual IP → Server Pool → Virtual Server → Server Policy
✅ FortiGate perimeter configuration with DNAT Virtual IP (100.100.100.50 → 192.168.100.50)
✅ Firewall policy with full session logging for HTTP/HTTPS/PING traffic
✅ CLI-based traffic logging activation on FortiWeb (a step many engineers miss!)
✅ End-to-end verification through Forward Traffic logs on both devices
🔹 Why Reverse Proxy Mode?
It provides deep HTTP/HTTPS inspection, granular WAF policy enforcement, and clean separation between perimeter firewalling (FortiGate) and application-layer protection (FortiWeb) — a layered defense approach aligned with Zero Trust principles.
🔹 Key Lesson Learned:
The order of WAF policy configuration matters → Virtual IP must exist before the Server Pool, which must exist before the Virtual Server, which must exist before the Server Policy. Skipping the sequence breaks the binding chain.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #FortiWeb #FortiGate #WAF #NetworkSecurity #Fortinet #ReverseProxy #InfoSec #OpenToWork #NetworkEngineer #PenetrationTesting #ICS #OTSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Recently completed a comprehensive lab implementation and full documentation of a production-grade web security architecture using FortiWeb as a Web Application Firewall behind FortiGate, deployed on PNETLAB with KVM-based VMs.
🔹 Traffic Flow Architecture:
Client → FortiGate (WAN/VIP) → FortiWeb (WAF Inspection) → Apache2 Real Server → Response back to Client
🔹 Key Implementation Highlights:
✅ Linux Web Server hardening with Apache2 and static IP configuration via Netplan
✅ FortiWeb interface setup across three segments (Real Server / Client-LAN / Management)
✅ Complete WAF policy chain: Virtual IP → Server Pool → Virtual Server → Server Policy
✅ FortiGate perimeter configuration with DNAT Virtual IP (100.100.100.50 → 192.168.100.50)
✅ Firewall policy with full session logging for HTTP/HTTPS/PING traffic
✅ CLI-based traffic logging activation on FortiWeb (a step many engineers miss!)
✅ End-to-end verification through Forward Traffic logs on both devices
🔹 Why Reverse Proxy Mode?
It provides deep HTTP/HTTPS inspection, granular WAF policy enforcement, and clean separation between perimeter firewalling (FortiGate) and application-layer protection (FortiWeb) — a layered defense approach aligned with Zero Trust principles.
🔹 Key Lesson Learned:
The order of WAF policy configuration matters → Virtual IP must exist before the Server Pool, which must exist before the Virtual Server, which must exist before the Server Policy. Skipping the sequence breaks the binding chain.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #FortiWeb #FortiGate #WAF #NetworkSecurity #Fortinet #ReverseProxy #InfoSec #OpenToWork #NetworkEngineer #PenetrationTesting #ICS #OTSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤2
Network Security Channel
Practice Security+ without friction.pdf
🎯 Built a Free CompTIA Security+ (SY0-701) Practice Exam Simulator — No Friction, No Sign-up
As part of giving back to the cybersecurity community, I've put together a free, browser-based practice exam simulator for anyone preparing for the CompTIA Security+ SY0-701 certification. Whether you're starting your InfoSec journey or sharpening your fundamentals, this tool is built to mirror the real exam experience.
🔹 What's Inside:
✅ 300 original practice questions covering all 5 official SY0-701 domains
✅ Practice Mode — instant feedback and detailed explanations after every answer, so you learn as you go
✅ Exam Mode — fully timed simulation with no feedback until submission, matching real test conditions
✅ Flexible session sizing — choose 10, 20, 50, or 90 questions per run
✅ Domain targeting — practice all five domains or focus on weak areas
✅ Performance analytics — domain-by-domain score breakdown and incorrect-answer review
✅ Browser session persistence — refresh-safe progress, no account required
🔹 Domain Coverage (Weighted to Match the Real Exam):
📘 1.0 General Security Concepts — 12%
📘 2.0 Threats, Vulnerabilities, and Mitigations — 22%
📘 3.0 Security Architecture — 18%
📘 4.0 Security Operations — 28%
📘 5.0 Security Program Management and Oversight — 20%
🔹 Why This Matters:
Most quality exam prep tools sit behind paywalls or require lengthy sign-ups. I wanted something that respects the learner's time — open the page, pick a domain, start practicing. That's it.
🔹 Key Lesson From Building It:
The hardest part of certification prep isn't memorizing acronyms (SLA vs. ISA, TPM vs. HSM, CASB vs. SWG…) — it's training your reasoning under timed pressure. A timer + explanations + domain breakdown is what bridges that gap.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #SecurityPlus #CompTIA #SY0701 #InfoSec #CertificationPrep #NetworkSecurity #OpenToWork #NetworkEngineer #CyberCareer #ContinuousLearning
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
As part of giving back to the cybersecurity community, I've put together a free, browser-based practice exam simulator for anyone preparing for the CompTIA Security+ SY0-701 certification. Whether you're starting your InfoSec journey or sharpening your fundamentals, this tool is built to mirror the real exam experience.
🔹 What's Inside:
✅ 300 original practice questions covering all 5 official SY0-701 domains
✅ Practice Mode — instant feedback and detailed explanations after every answer, so you learn as you go
✅ Exam Mode — fully timed simulation with no feedback until submission, matching real test conditions
✅ Flexible session sizing — choose 10, 20, 50, or 90 questions per run
✅ Domain targeting — practice all five domains or focus on weak areas
✅ Performance analytics — domain-by-domain score breakdown and incorrect-answer review
✅ Browser session persistence — refresh-safe progress, no account required
🔹 Domain Coverage (Weighted to Match the Real Exam):
📘 1.0 General Security Concepts — 12%
📘 2.0 Threats, Vulnerabilities, and Mitigations — 22%
📘 3.0 Security Architecture — 18%
📘 4.0 Security Operations — 28%
📘 5.0 Security Program Management and Oversight — 20%
🔹 Why This Matters:
Most quality exam prep tools sit behind paywalls or require lengthy sign-ups. I wanted something that respects the learner's time — open the page, pick a domain, start practicing. That's it.
🔹 Key Lesson From Building It:
The hardest part of certification prep isn't memorizing acronyms (SLA vs. ISA, TPM vs. HSM, CASB vs. SWG…) — it's training your reasoning under timed pressure. A timer + explanations + domain breakdown is what bridges that gap.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), WAF implementation, ICS/OT security (IEC 62443, NIST), and infrastructure hardening.
#CyberSecurity #SecurityPlus #CompTIA #SY0701 #InfoSec #CertificationPrep #NetworkSecurity #OpenToWork #NetworkEngineer #CyberCareer #ContinuousLearning
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Network Security Channel
1777790686123.pdf
🔍 Active Directory Enumeration Walkthrough: Mapping a Domain with pywerview
Just published a hands-on lab write-up demonstrating how an authenticated attacker with low-privileged credentials can enumerate a full Active Directory environment using pywerview — the Python port of the legendary PowerView module — and uncover real privilege escalation paths from a single foothold.
🔹 Lab Scenario:
Starting credentials: raj / Password@1 against the ignite.local domain. From this minimal access, mapping out users, groups, computers, delegation settings, ACLs, GPOs, and trust relationships — entirely over LDAP.
🔹 Key Findings Uncovered Through Enumeration:
✅ Domain Admin discovery — identified the aaru account via --admin-count filter (adminCount=1, member of Domain Admins)
✅ Kerberoastable SPN — the kavish account exposed via --spn, configured with TRUSTED_TO_AUTH_FOR_DELEGATION against a SQL server (constrained delegation w/ protocol transition)
✅ Unconstrained Delegation hosts — flagged via --unconstrained (a classic path to DC compromise)
✅ Backup Operators abuse path — user shivam enumerated as a member, opening NTDS.dit dump potential
✅ Trust enumeration — bidirectional forest trust to pentest.local discovered via get-netdomaintrust
✅ Domain policy extraction — password length, complexity, lockout thresholds, and Kerberos ticket lifetimes all readable from SYSVOL
🔹 pywerview Modules Demonstrated:
get-netdomain, get-netuser, get-netgroup, get-netgroupmember, get-netcomputer, get-netshare, get-netsession, get-netloggedon, get-netou, get-netsite, get-netsubnet, get-netgpo, get-domainpolicy, invoke-userhunter, invoke-processhunter, invoke-checklocaladminaccess, get-objectacl, get-netdomaintrust
🔹 Why This Matters for Defenders:
Every red-team finding above is a blue-team checklist item. Misconfigured delegation, stale adminCount=1 flags, over-privileged Backup Operators, and SPN sprawl on user accounts are the silent killers of AD environments. You can't harden what you can't see.
🔹 Key Lesson From the Lab:
A single low-privileged user is enough to map your entire domain, identify Tier 0 assets, and build a full attack graph — without ever touching a tool that triggers EDR. LDAP queries are noisy only if you're watching for them.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), Active Directory hardening, ICS/OT security (IEC 62443, NIST), penetration testing, and infrastructure hardening.
#CyberSecurity #ActiveDirectory #RedTeam #PenetrationTesting #pywerview #PowerView #ADSecurity #LDAP #Kerberoasting #PrivilegeEscalation #InfoSec #BlueTeam #OpenToWork #NetworkSecurity #OffensiveSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Just published a hands-on lab write-up demonstrating how an authenticated attacker with low-privileged credentials can enumerate a full Active Directory environment using pywerview — the Python port of the legendary PowerView module — and uncover real privilege escalation paths from a single foothold.
🔹 Lab Scenario:
Starting credentials: raj / Password@1 against the ignite.local domain. From this minimal access, mapping out users, groups, computers, delegation settings, ACLs, GPOs, and trust relationships — entirely over LDAP.
🔹 Key Findings Uncovered Through Enumeration:
✅ Domain Admin discovery — identified the aaru account via --admin-count filter (adminCount=1, member of Domain Admins)
✅ Kerberoastable SPN — the kavish account exposed via --spn, configured with TRUSTED_TO_AUTH_FOR_DELEGATION against a SQL server (constrained delegation w/ protocol transition)
✅ Unconstrained Delegation hosts — flagged via --unconstrained (a classic path to DC compromise)
✅ Backup Operators abuse path — user shivam enumerated as a member, opening NTDS.dit dump potential
✅ Trust enumeration — bidirectional forest trust to pentest.local discovered via get-netdomaintrust
✅ Domain policy extraction — password length, complexity, lockout thresholds, and Kerberos ticket lifetimes all readable from SYSVOL
🔹 pywerview Modules Demonstrated:
get-netdomain, get-netuser, get-netgroup, get-netgroupmember, get-netcomputer, get-netshare, get-netsession, get-netloggedon, get-netou, get-netsite, get-netsubnet, get-netgpo, get-domainpolicy, invoke-userhunter, invoke-processhunter, invoke-checklocaladminaccess, get-objectacl, get-netdomaintrust
🔹 Why This Matters for Defenders:
Every red-team finding above is a blue-team checklist item. Misconfigured delegation, stale adminCount=1 flags, over-privileged Backup Operators, and SPN sprawl on user accounts are the silent killers of AD environments. You can't harden what you can't see.
🔹 Key Lesson From the Lab:
A single low-privileged user is enough to map your entire domain, identify Tier 0 assets, and build a full attack graph — without ever touching a tool that triggers EDR. LDAP queries are noisy only if you're watching for them.
💼 Currently exploring new opportunities in Network & Cybersecurity Engineering — open to on-site, hybrid, or remote roles. I deliver hands-on services in network design, firewall deployment (Fortinet, Cisco), Active Directory hardening, ICS/OT security (IEC 62443, NIST), penetration testing, and infrastructure hardening.
#CyberSecurity #ActiveDirectory #RedTeam #PenetrationTesting #pywerview #PowerView #ADSecurity #LDAP #Kerberoasting #PrivilegeEscalation #InfoSec #BlueTeam #OpenToWork #NetworkSecurity #OffensiveSecurity
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
🔐 Fortinet Firewall Topology – Secure. Segment. Protect.
A well-designed network is the backbone of strong cybersecurity. This topology using Fortinet demonstrates how to build a secure and scalable infrastructure with proper segmentation and control.
✅ Key Highlights:
• Segmented zones: LAN (Trust), DMZ, and Management Network
• Secure remote connectivity via IPsec VPN
• Dual WAN setup for high availability and backup internet
• Controlled access policies between network zones
• Advanced security features like IPS, Web Filtering, SSL Inspection, and Application Control
🚀 Benefits:
• Enhanced security through network segmentation
• Reliable remote access for branch offices
• Centralized management and monitoring
• Improved resilience with failover internet
Strong network architecture isn’t just about connectivity—it’s about protection, performance, and control.
#CyberSecurity #Networking #Fortinet #Firewall #ITInfrastructure #NetworkSecurity #VPN #ITSupport
🔹 Share 🔹
📱 Channel : @Engineer_Computer
A well-designed network is the backbone of strong cybersecurity. This topology using Fortinet demonstrates how to build a secure and scalable infrastructure with proper segmentation and control.
✅ Key Highlights:
• Segmented zones: LAN (Trust), DMZ, and Management Network
• Secure remote connectivity via IPsec VPN
• Dual WAN setup for high availability and backup internet
• Controlled access policies between network zones
• Advanced security features like IPS, Web Filtering, SSL Inspection, and Application Control
🚀 Benefits:
• Enhanced security through network segmentation
• Reliable remote access for branch offices
• Centralized management and monitoring
• Improved resilience with failover internet
Strong network architecture isn’t just about connectivity—it’s about protection, performance, and control.
#CyberSecurity #Networking #Fortinet #Firewall #ITInfrastructure #NetworkSecurity #VPN #ITSupport
🔹 Share 🔹
📱 Channel : @Engineer_Computer
🛡 Wazuh Mastery Pack · 01 of 15 — Installation & Setup
The single most repeated question from juniors picking up Wazuh:
"Where do I even start?"
This first cheat sheet gets a Wazuh stack from zero to producing alerts in under 30 minutes — Manager, Indexer, Dashboard, Agents, all the ports you must open, and the verification one-liners I run before walking away from any new install.
A few non-obvious things people miss on day one:
- The all-in-one assistant script (wazuh-install.sh -a) is a lab/PoC tool — don't ship it to prod
- /var/ossec/wazuh-install-files.tar contains your initial creds. Move it to a vault. Lose it = full reinstall.
- Prefer TCP/1514 over UDP for event ingest — UDP silently drops events under load
- Always run /var/ossec/bin/wazuh-control configtest before restarting the manager
If you're starting your Wazuh journey this week, this one is for you.
#Wazuh #SIEM #SOC #CyberSecurity #BlueTeam #InfoSec #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
The single most repeated question from juniors picking up Wazuh:
"Where do I even start?"
This first cheat sheet gets a Wazuh stack from zero to producing alerts in under 30 minutes — Manager, Indexer, Dashboard, Agents, all the ports you must open, and the verification one-liners I run before walking away from any new install.
A few non-obvious things people miss on day one:
- The all-in-one assistant script (wazuh-install.sh -a) is a lab/PoC tool — don't ship it to prod
- /var/ossec/wazuh-install-files.tar contains your initial creds. Move it to a vault. Lose it = full reinstall.
- Prefer TCP/1514 over UDP for event ingest — UDP silently drops events under load
- Always run /var/ossec/bin/wazuh-control configtest before restarting the manager
If you're starting your Wazuh journey this week, this one is for you.
#Wazuh #SIEM #SOC #CyberSecurity #BlueTeam #InfoSec #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 02 of 15 — CLI Commands
The Wazuh GUI is great. The CLI is where you actually solve problems at 2am.
This cheat sheet is the muscle memory I wish I'd had on day one — service control, agent management, live log testing with wazuh-logtest, cluster operations, and the file paths you'll touch a thousand times.
Three commands every Wazuh operator should burn into memory:
🔹 /var/ossec/bin/wazuh-control configtest
→ validates ossec.conf BEFORE you restart in production. Has saved me from at least three outages.
🔹 /var/ossec/bin/wazuh-logtest
→ paste a raw log line, see exactly which decoder and which rule fires (or doesn't). Single best tool for tuning custom rules.
🔹 /var/ossec/bin/agent_control -l
→ shows every agent and its connection status. Faster than the dashboard when you just need a quick health check.
If you operate Wazuh and aren't using these, you're doing it the hard way.
#Wazuh #SIEM #SOC #BlueTeam #DevSecOps #CLI #InfoSec
📱 Channel : @Engineer_Computer
The Wazuh GUI is great. The CLI is where you actually solve problems at 2am.
This cheat sheet is the muscle memory I wish I'd had on day one — service control, agent management, live log testing with wazuh-logtest, cluster operations, and the file paths you'll touch a thousand times.
Three commands every Wazuh operator should burn into memory:
🔹 /var/ossec/bin/wazuh-control configtest
→ validates ossec.conf BEFORE you restart in production. Has saved me from at least three outages.
🔹 /var/ossec/bin/wazuh-logtest
→ paste a raw log line, see exactly which decoder and which rule fires (or doesn't). Single best tool for tuning custom rules.
🔹 /var/ossec/bin/agent_control -l
→ shows every agent and its connection status. Faster than the dashboard when you just need a quick health check.
If you operate Wazuh and aren't using these, you're doing it the hard way.
#Wazuh #SIEM #SOC #BlueTeam #DevSecOps #CLI #InfoSec
📱 Channel : @Engineer_Computer
❤2
🛡 Wazuh Mastery Pack · 03 of 15 — Configuration Files
Wazuh's power lives in three XML files:
🔹 /var/ossec/etc/ossec.conf — manager's brain
🔹 /var/ossec/etc/shared/default/agent.conf — central agent policy
🔹 /var/ossec/etc/rules/local_rules.xml — your custom detections
This cheat sheet ships ready-to-paste blocks for all three — the global section, the <remote> block agents connect through, central agent policy that pushes to every endpoint, and a working custom rule template.
The single biggest mistake I see in custom rules:
👉 Using rule IDs below 100000.
The 1–9999 range is owned by Wazuh's built-in ruleset. Collide with it and your rule will silently lose to the built-in. Always use 100000 and above for your custom detections.
If you're tuning Wazuh this week, save this one.
#Wazuh #SIEM #SOC #DetectionEngineering #InfoSec #BlueTeam
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Wazuh's power lives in three XML files:
🔹 /var/ossec/etc/ossec.conf — manager's brain
🔹 /var/ossec/etc/shared/default/agent.conf — central agent policy
🔹 /var/ossec/etc/rules/local_rules.xml — your custom detections
This cheat sheet ships ready-to-paste blocks for all three — the global section, the <remote> block agents connect through, central agent policy that pushes to every endpoint, and a working custom rule template.
The single biggest mistake I see in custom rules:
👉 Using rule IDs below 100000.
The 1–9999 range is owned by Wazuh's built-in ruleset. Collide with it and your rule will silently lose to the built-in. Always use 100000 and above for your custom detections.
If you're tuning Wazuh this week, save this one.
#Wazuh #SIEM #SOC #DetectionEngineering #InfoSec #BlueTeam
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤2
🛡 Wazuh Mastery Pack · 04 of 15 — Rules & Decoders
Detection engineering with Wazuh comes down to two artifacts:
📜 Decoders — pull structure out of unstructured logs
🚨 Rules — turn structured fields into alerts
This cheat sheet is the anatomy of both: alert levels 0–16 and what they actually mean, the rule ID ranges that keep you from colliding with built-ins, the chained-rule pattern (if_matched_sid + frequency + timeframe) that detects brute-force behavior, and a working decoder for a custom application log.
A practice that separates senior detection engineers from juniors:
👉 Every rule should map to a MITRE ATT&CK technique.
<mitre><id>T1110</id></mitre>
It costs nothing, takes seconds, and makes your alerts speak the same language as every threat report on the planet.
#Wazuh #DetectionEngineering #SIEM #MITREATTACK #SOC #ThreatHunting #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Detection engineering with Wazuh comes down to two artifacts:
📜 Decoders — pull structure out of unstructured logs
🚨 Rules — turn structured fields into alerts
This cheat sheet is the anatomy of both: alert levels 0–16 and what they actually mean, the rule ID ranges that keep you from colliding with built-ins, the chained-rule pattern (if_matched_sid + frequency + timeframe) that detects brute-force behavior, and a working decoder for a custom application log.
A practice that separates senior detection engineers from juniors:
👉 Every rule should map to a MITRE ATT&CK technique.
<mitre><id>T1110</id></mitre>
It costs nothing, takes seconds, and makes your alerts speak the same language as every threat report on the planet.
#Wazuh #DetectionEngineering #SIEM #MITREATTACK #SOC #ThreatHunting #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 05 of 15 — Wazuh API Anything you can do in the Wazuh dashboard, you can automate via the REST API on port 55000. This cheat sheet is the muscle: token auth, the endpoints I hit weekly, filtering and pagination, and curl one-liners you can drop into a Bash script today. Three workflows the API unlocks:
🔹 Mass-restart agents after a rule change → PUT /agents/restart (no more clicking through 200 hosts)
🔹 Auto-decommission stale agents → GET /agents?lastKeepAlive&status=disconnected → DELETE the list
🔹 Pipe rule and SCA data into your own dashboards → no need to touch OpenSearch directly Tokens expire in 15 minutes by default. Re-auth in your script, don't hardcode them.
#Wazuh #API #SIEM #Automation #SOC #DevSecOps #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
🔹 Mass-restart agents after a rule change → PUT /agents/restart (no more clicking through 200 hosts)
🔹 Auto-decommission stale agents → GET /agents?lastKeepAlive&status=disconnected → DELETE the list
🔹 Pipe rule and SCA data into your own dashboards → no need to touch OpenSearch directly Tokens expire in 15 minutes by default. Re-auth in your script, don't hardcode them.
#Wazuh #API #SIEM #Automation #SOC #DevSecOps #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 06 of 15 — Wazuh Query Language (WQL)
Triage speed = how fast you can write the right query.
This cheat sheet is the field-level reference for filtering alert data inside the Wazuh Dashboard — exact-match, ranges, boolean logic (AND / OR / NOT), wildcards, and the fields you'll reach for every shift.
The three queries every SOC analyst should know by heart:
🔹 rule.level >= 12
→ only critical alerts. Cuts the noise instantly during triage.
🔹 rule.groups: "authentication_failed" AND NOT data.srcuser: "backup"
→ real failed-auth events, minus your noisy service accounts.
🔹 rule.mitre.id: "T1110"
→ every brute-force alert across your fleet, in one click.
Save these as Saved Searches in the Dashboard. Triage time drops by half.
#Wazuh #SOC #ThreatHunting #SIEM #BlueTeam #SecurityAnalyst #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Triage speed = how fast you can write the right query.
This cheat sheet is the field-level reference for filtering alert data inside the Wazuh Dashboard — exact-match, ranges, boolean logic (AND / OR / NOT), wildcards, and the fields you'll reach for every shift.
The three queries every SOC analyst should know by heart:
🔹 rule.level >= 12
→ only critical alerts. Cuts the noise instantly during triage.
🔹 rule.groups: "authentication_failed" AND NOT data.srcuser: "backup"
→ real failed-auth events, minus your noisy service accounts.
🔹 rule.mitre.id: "T1110"
→ every brute-force alert across your fleet, in one click.
Save these as Saved Searches in the Dashboard. Triage time drops by half.
#Wazuh #SOC #ThreatHunting #SIEM #BlueTeam #SecurityAnalyst #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 07 of 15 — MITRE ATT&CK Mapping
Detections without ATT&CK tags are detections that nobody else can interpret.
This cheat sheet shows how to add a single <mitre> block to your custom rules, the techniques you should cover first (T1110, T1078, T1059, T1486, T1003 — these alone catch a huge chunk of real-world attacks), and the queries to slice your alerts by technique.
Why this matters:
👉 Threat reports speak ATT&CK.
👉 Tabletop exercises speak ATT&CK.
👉 Threat-intel feeds tag IOCs with ATT&CK.
The moment your Wazuh rules speak it too, the whole stack — detection → triage → reporting → red team feedback — starts working as one system.
Bonus tip: load your rule.mitre.id data into the MITRE ATT&CK Navigator to see your detection coverage as a heatmap. Find the gaps. Close them.
#Wazuh #MITREATTACK #DetectionEngineering #ThreatIntel #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Detections without ATT&CK tags are detections that nobody else can interpret.
This cheat sheet shows how to add a single <mitre> block to your custom rules, the techniques you should cover first (T1110, T1078, T1059, T1486, T1003 — these alone catch a huge chunk of real-world attacks), and the queries to slice your alerts by technique.
Why this matters:
👉 Threat reports speak ATT&CK.
👉 Tabletop exercises speak ATT&CK.
👉 Threat-intel feeds tag IOCs with ATT&CK.
The moment your Wazuh rules speak it too, the whole stack — detection → triage → reporting → red team feedback — starts working as one system.
Bonus tip: load your rule.mitre.id data into the MITRE ATT&CK Navigator to see your detection coverage as a heatmap. Find the gaps. Close them.
#Wazuh #MITREATTACK #DetectionEngineering #ThreatIntel #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 08 of 15 — File Integrity Monitoring
FIM is the most underrated detection control in any SIEM.
This cheat sheet is the working syscheck config — Linux paths, Windows registry Run keys, realtime vs whodata vs scheduled, report_changes for actual diffs, and the ignore patterns that keep alert volume sane.
Where FIM earns its keep:
✓ /etc on every Linux server (configs, sudoers, cron)
✓ /var/www on web hosts (catches web shells the moment they land)
✓ HKLM\Software\Microsoft\Windows\CurrentVersion\Run on Windows (boot persistence)
✓ C:\Windows\System32\drivers\etc (hosts-file tampering)
Real-time FIM on /etc and Windows registry Run keys = the highest-ROI detection you can deploy in under 10 minutes.
#Wazuh #FIM #FileIntegrityMonitoring #SIEM #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
FIM is the most underrated detection control in any SIEM.
This cheat sheet is the working syscheck config — Linux paths, Windows registry Run keys, realtime vs whodata vs scheduled, report_changes for actual diffs, and the ignore patterns that keep alert volume sane.
Where FIM earns its keep:
✓ /etc on every Linux server (configs, sudoers, cron)
✓ /var/www on web hosts (catches web shells the moment they land)
✓ HKLM\Software\Microsoft\Windows\CurrentVersion\Run on Windows (boot persistence)
✓ C:\Windows\System32\drivers\etc (hosts-file tampering)
Real-time FIM on /etc and Windows registry Run keys = the highest-ROI detection you can deploy in under 10 minutes.
#Wazuh #FIM #FileIntegrityMonitoring #SIEM #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 09 of 15 — VirusTotal & TI Integrations
A Wazuh alert that says "new file in /var/www" is OK.
A Wazuh alert that says "new file in /var/www, hash matched 47 VT vendors" is a different conversation.
This cheat sheet is the <integration> block pattern — VirusTotal for hash lookups, Slack for alerting, PagerDuty for on-call wake-ups, Shuffle for SOAR playbooks, and custom webhook for the rest.
Pro tip on VirusTotal:
👉 Free tier = 4 requests/min. Pair the integration with a tight rule_id (e.g. only FIM events under /var/www and /home), or you'll burn the quota in the first 10 minutes of any attack.
The ROI: every analyst-hour spent on triage drops, because the enrichment is already in the alert.
#Wazuh #ThreatIntel #VirusTotal #SOAR #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
A Wazuh alert that says "new file in /var/www" is OK.
A Wazuh alert that says "new file in /var/www, hash matched 47 VT vendors" is a different conversation.
This cheat sheet is the <integration> block pattern — VirusTotal for hash lookups, Slack for alerting, PagerDuty for on-call wake-ups, Shuffle for SOAR playbooks, and custom webhook for the rest.
Pro tip on VirusTotal:
👉 Free tier = 4 requests/min. Pair the integration with a tight rule_id (e.g. only FIM events under /var/www and /home), or you'll burn the quota in the first 10 minutes of any attack.
The ROI: every analyst-hour spent on triage drops, because the enrichment is already in the alert.
#Wazuh #ThreatIntel #VirusTotal #SOAR #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
🛡 Wazuh Mastery Pack · 10 of 15 — Active Response
Detection without response is just expensive logging.
This cheat sheet is Wazuh's killer feature: built-in response scripts (firewall-drop, disable-account, host-deny), the <command> + <active-response> wiring in ossec.conf, and a Bash skeleton for writing your own AR script.
What you can automate today:
🔹 Block an IP for 10 minutes after 5 failed SSH attempts
🔹 Disable a Windows account that fired a credential-dumping detection
🔹 Kill a malicious process the moment FIM sees it write to a sensitive path
🔹 Null-route an IP across every Wazuh agent simultaneously
Two warnings I learned the hard way:
⚠️ Test ARs in lab. A misfire on rule 5715 (failed SSH from your own admin IP) can lock you out of your own server.
⚠️ Use timeouts. Permanent firewall rules age into accidental black holes within weeks.
#Wazuh #ActiveResponse #SOAR #IncidentResponse #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Detection without response is just expensive logging.
This cheat sheet is Wazuh's killer feature: built-in response scripts (firewall-drop, disable-account, host-deny), the <command> + <active-response> wiring in ossec.conf, and a Bash skeleton for writing your own AR script.
What you can automate today:
🔹 Block an IP for 10 minutes after 5 failed SSH attempts
🔹 Disable a Windows account that fired a credential-dumping detection
🔹 Kill a malicious process the moment FIM sees it write to a sensitive path
🔹 Null-route an IP across every Wazuh agent simultaneously
Two warnings I learned the hard way:
⚠️ Test ARs in lab. A misfire on rule 5715 (failed SSH from your own admin IP) can lock you out of your own server.
⚠️ Use timeouts. Permanent firewall rules age into accidental black holes within weeks.
#Wazuh #ActiveResponse #SOAR #IncidentResponse #SOC #BlueTeam #InfoSec
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1
The 2026 SOC Playbook.pdf
1.8 MB
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
📱 Channel : @Engineer_Computer
Network Security Channel
The 2026 SOC Playbook.pdf
🛡 Book Review: "The 2026 SOC Playbook — Analysing Incidents Through Attacker Thinking" by Izzmier Izzuddin
Just finished one of the most practical SOC references I've come across this year. 193 pages, 10 end-to-end playbooks built around real 2026 attack patterns — no marketing fluff, just operational gold.
🔹 What makes this different:
Most SOC material stops at the first alert. This one assumes the attacker is successful at every stage and forces the analyst to reconstruct the entire chain, ask the right questions, validate evidence, and complete containment, eradication and recovery. That mindset shift alone is worth the read.
🔹 The 10 playbooks cover what's actually landing in SOC queues right now:
✅ OAuth Consent Abuse & Payment Fraud
✅ AiTM Phishing, Token Replay & Ransomware Staging
✅ Cloud API Token Compromise & SaaS Exfiltration
✅ API Credential Stuffing & Business Logic Abuse
✅ RMM Tool Abuse & Ransomware Deployment Prep
✅ Business Email Compromise & Vendor Payment Manipulation
✅ Teams/OneDrive Phishing, Fileless PowerShell, HTTPS C2
✅ DNS Tunnelling & Covert Exfiltration
✅ Kerberos Abuse & Domain Escalation
✅ Insider Threat & Personal Cloud Exfiltration
Each playbook ships with: attacker thinking, MITRE ATT&CK mapping, simulated evidence, the right investigative questions, log sources, detection logic, and full response workflow.
🔹 Three lessons I'm taking back to my own work:
1️⃣ MFA success ≠ benign activity. The book hammers this — exactly the assumption that lets AiTM and consent-abuse attacks succeed.
2️⃣ Build the chain, not the alert. A single signal is one frame of a longer movie. SOC maturity = stitching frames together fast.
3️⃣ Backup tampering is the new ransomware tell. If your stack ignores backup-system telemetry, you're blind to the deadliest 5 minutes of an incident.
#SOC #BlueTeam #IncidentResponse #ThreatHunting #MITREATTACK #CyberSecurity #InfoSec #DetectionEngineering #DFIR #SIEM #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
Just finished one of the most practical SOC references I've come across this year. 193 pages, 10 end-to-end playbooks built around real 2026 attack patterns — no marketing fluff, just operational gold.
🔹 What makes this different:
Most SOC material stops at the first alert. This one assumes the attacker is successful at every stage and forces the analyst to reconstruct the entire chain, ask the right questions, validate evidence, and complete containment, eradication and recovery. That mindset shift alone is worth the read.
🔹 The 10 playbooks cover what's actually landing in SOC queues right now:
✅ OAuth Consent Abuse & Payment Fraud
✅ AiTM Phishing, Token Replay & Ransomware Staging
✅ Cloud API Token Compromise & SaaS Exfiltration
✅ API Credential Stuffing & Business Logic Abuse
✅ RMM Tool Abuse & Ransomware Deployment Prep
✅ Business Email Compromise & Vendor Payment Manipulation
✅ Teams/OneDrive Phishing, Fileless PowerShell, HTTPS C2
✅ DNS Tunnelling & Covert Exfiltration
✅ Kerberos Abuse & Domain Escalation
✅ Insider Threat & Personal Cloud Exfiltration
Each playbook ships with: attacker thinking, MITRE ATT&CK mapping, simulated evidence, the right investigative questions, log sources, detection logic, and full response workflow.
🔹 Three lessons I'm taking back to my own work:
1️⃣ MFA success ≠ benign activity. The book hammers this — exactly the assumption that lets AiTM and consent-abuse attacks succeed.
2️⃣ Build the chain, not the alert. A single signal is one frame of a longer movie. SOC maturity = stitching frames together fast.
3️⃣ Backup tampering is the new ransomware tell. If your stack ignores backup-system telemetry, you're blind to the deadliest 5 minutes of an incident.
#SOC #BlueTeam #IncidentResponse #ThreatHunting #MITREATTACK #CyberSecurity #InfoSec #DetectionEngineering #DFIR #SIEM #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
🛡 Wazuh Mastery Pack · 11 of 15 — Compliance & Audit
The fastest way to justify a SIEM budget: hand your auditor a clean Wazuh compliance report.
This cheat sheet is the mapping layer — PCI DSS, HIPAA, GDPR, NIST 800-53, SOC 2/TSC, GPG13, all built into Wazuh. Tag your custom rules with the relevant control IDs and the dashboards generate evidence reports automatically.
The real time-saver here: the SCA module (Security Configuration Assessment).
👉 Run CIS Benchmark scans on every agent
👉 12-hour interval is enough — don't pound the endpoint
👉 Auditors get instant, exportable evidence per host
👉 Ops gets a prioritized hardening backlog
Compliance shouldn't take three weeks of spreadsheet engineering. With SCA + tagged rules, it takes a single dashboard view.
#Wazuh #Compliance #PCIDSS #HIPAA #GDPR #NIST #SOC2 #InfoSec #Audit
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
The fastest way to justify a SIEM budget: hand your auditor a clean Wazuh compliance report.
This cheat sheet is the mapping layer — PCI DSS, HIPAA, GDPR, NIST 800-53, SOC 2/TSC, GPG13, all built into Wazuh. Tag your custom rules with the relevant control IDs and the dashboards generate evidence reports automatically.
The real time-saver here: the SCA module (Security Configuration Assessment).
👉 Run CIS Benchmark scans on every agent
👉 12-hour interval is enough — don't pound the endpoint
👉 Auditors get instant, exportable evidence per host
👉 Ops gets a prioritized hardening backlog
Compliance shouldn't take three weeks of spreadsheet engineering. With SCA + tagged rules, it takes a single dashboard view.
#Wazuh #Compliance #PCIDSS #HIPAA #GDPR #NIST #SOC2 #InfoSec #Audit
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
❤1