When a degradation occurs within a complex system, understanding the root cause can be extremely challenging. If the issue happens sporadically, the difficulty increases even more. This is because modern systems involve numerous components that interact in complex ways. For example, if your application’s Web UI becomes slow, the underlying cause could be anywhere in…
Read MoreIntroduction Kerberoasting remains one of the most popular techniques for attackers attempting to escalate privileges inside a Windows domain. By requesting service tickets (TGS – Ticket Granting Service) encrypted with weak algorithms, an attacker can extract hashes and crack them offline to recover service account passwords. It should be mentioned that a Kerberos ticket request…
Read MoreWhile working with Kibana, we recently encountered a puzzling situation: queries involving the field event.original returned unexpected results. Let’s break down what happened, why it occurs, and how to identify other fields with similar behavior. The observed “strange behavior“ In fact, everything seems normal here: Now let’s assume you just want to see the documents…
Read MoreWith the upgrade to NetEye 4.44, we’ve added a lot of new features (https://www.neteye-blog.com/2025/10/neteye-4-44-release-notes/) and, from my point of view, one of the most relevant is the introduction of Elastic Stack 9. This Elasticsearch major release (https://www.elastic.co/guide/en/elastic-stack/9.0/elastic-stack-release-notes.html) includes some new functionalities such as: ESQL Lookup Joins , LogsDB Index Mode Optimizations, etc. During various migrations…
Read MoreWhen organizations think about cybersecurity, the conversation often starts with compliance. ISO 27001, PCI-DSS, HIPAA, GDPR, NIS2… frameworks and regulations designed to protect sensitive data and establish minimum standards for risk management. Achieving compliance is often seen as the ultimate milestone: once the certificate is obtained or the audit is passed, the company is considered…
Read MoreAround this time last year, I wrote a blog post about improving cybersecurity with Elastic Defend. Now, one year later, we’ve gained a lot of practical experience with it, which I’d like to share. Elastic Defend is an EDR (Endpoint Detection and Response). Unlike a traditional antivirus solution that relies on signature patterns that need…
Read MoreIntroduction In modern SOC environments, detection rules are the cornerstone of identifying malicious activity. However, the effectiveness of a rule depends not only on what it looks for but also on how precisely it defines suspicious behavior. Many analysts have experienced the pain of rules that are “noisy” – generating countless false positives (FPs) that…
Read MoreManaging a large fleet of Elastic Agents efficiently requires careful planning and proactive strategies to ensure stability, scalability, and security. As a technical consultant, I’d like to present some key considerations to help organizations avoid common pitfalls and streamline their operations. 1. Avoid Trust Issues One of the most critical aspects of managing an extensive…
Read MoreIntroduction Windows environments rely heavily on authentication protocols like NTLM and Kerberos. While these protocols serve critical security purposes, they are also commonly abused during malicious activities. This article explains how to detect suspicious behaviors related to Domain Account Discovery and Credential Access, specifically focusing on Enumeration, Brute Force, and Password Spraying attempts via NTLM…
Read MoreUpdating Elastic Agents is usually straightforward – unless you’re working in a secure, air-gapped environment where machines can’t access the internet (and thus, the Elastic Artifact Repository). And yet this was exactly the challenge we faced. We needed a way to keep the Elastic Agents across a fleet of systems up to date, without exposing…
Read MoreAs traffic to applications deployed on OpenShift grows, it’s essential to gain visibility into the flow of data entering your cluster. Monitoring this incoming traffic helps administrators maintain optimal performance, reduce security risks, and quickly resolve any emerging issues. Enabling Logging All traffic directed to an OpenShift Route is routed through a designated set of…
Read MoreThis article gives an overview and offers a practical tips to detecting some suspicious activities in Microsoft SQL Server, from configuring audit policies to leveraging Elastic for effective monitoring and threat detection. Introduction Microsoft SQL Server is one of the most widely used relational databases in the enterprise landscape, managing critical data and supporting essential…
Read MoreWhen designing an Elasticsearch architecture, choosing the right storage is crucial. While NFS might seem like a convenient and flexible option, it comes with several pitfalls when used for hosting live Elasticsearch data (hot, warm, cold, and frozen nodes). However, NFS proves to be an excellent choice for storing snapshots and searchable snapshots. Here’s why….
Read MoreElastic Agents are flexible and powerful tools used within the Elastic Stack for collecting and shipping logs, metrics, and other data to Elasticsearch. However, the headers they use can vary depending on whether they are running in “normal” mode or acting as a Fleet Server. Let’s explore these differences. Note that a fleet server is…
Read MoreIn a previous blog post by one of my colleagues, we shared how we developed a powerful semantic search engine for our NetEye User Guide. This solution uses Elasticsearch in combination with machine learning models like ELSER to index and query our documentation. While the proof of concept (POC) worked great, there was a challenge…
Read More