Threats

New Cyber-Espionage Campaign Detection: Suspected China-Backed Actors Target High-Profile Organizations in Southeast Asia

Defenders observe increasing numbers of cyber-attacks linked to China-backed APT groups, primarily focused on intelligence gathering. In September 2024, a China-affiliated APT group tracked as Earth Baxia set its sights on a state agency in Taiwan and possibly other nations within the APAC region. A recently uncovered cyber-espionage campaign has been targeting high-profile organizations in […]

The post New Cyber-Espionage Campaign Detection: Suspected China-Backed Actors Target High-Profile Organizations in Southeast Asia appeared first on SOC Prime.

Designing Index Structure for Large Volumes of Data in Elasticsearch

Elasticsearch, a powerful distributed search and analytics engine, requires careful index structure design for optimal performance with large datasets, avoiding performance degradation, increased storage costs, and reduced query efficiency.

Understand Your Data and Use Case

Before creating an index structure, analyze:

Data Volume: How much data will be ingested daily?
Data Retention: How long will […]
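The two questions the excerpt opens with, daily volume and retention, are enough to size a daily index pattern before it is created. The following is an added example and not code from the SOC Prime post: it turns those two figures into a shard count per index, total shard count and storage footprint, then checks the result against the cluster.max_shards_per_node limit (default 1000 open shards per data node). The 30 GiB target and 50 GiB ceiling per shard are assumed rules of thumb passed as parameters, and the volumes are constructed.

```python
"""Shard and storage sizing for daily time-series indices, from ingest volume and retention.

Added example, not code from the SOC Prime post. The shard-size targets and the
per-node shard ceiling are assumptions exposed as function parameters.
"""
from dataclasses import dataclass
import math

GIB = 1024 ** 3


@dataclass(frozen=True)
class SizingPlan:
    shards_per_index: int
    indices_retained: int
    total_primary_shards: int
    total_shards: int           # primaries plus replicas
    total_storage_bytes: int    # primaries plus replicas, ignoring compression


def plan_daily_indices(daily_bytes: int, retention_days: int, replicas: int = 1,
                       target_shard_bytes: int = 30 * GIB,
                       max_shard_bytes: int = 50 * GIB) -> SizingPlan:
    """Size one index per day so shards land near target_shard_bytes and never
    exceed max_shard_bytes (assumed rule of thumb: keep shards in the 10-50 GiB range)."""
    if daily_bytes <= 0 or retention_days <= 0:
        raise ValueError("daily_bytes and retention_days must be positive")
    if replicas < 0:
        raise ValueError("replicas cannot be negative")
    shards = max(1, math.ceil(daily_bytes / target_shard_bytes))
    while daily_bytes / shards > max_shard_bytes:   # hard ceiling per shard
        shards += 1
    total_primary = shards * retention_days          # oldest index deleted after retention
    total = total_primary * (1 + replicas)
    storage = daily_bytes * retention_days * (1 + replicas)
    return SizingPlan(shards, retention_days, total_primary, total, storage)


def shards_per_node_ok(plan: SizingPlan, data_nodes: int, max_shards_per_node: int = 1000) -> bool:
    """Check the plan against cluster.max_shards_per_node; exceeding it makes index
    creation fail with 'this action would add [n] shards, but this cluster currently has ...'."""
    if data_nodes <= 0:
        raise ValueError("data_nodes must be positive")
    return math.ceil(plan.total_shards / data_nodes) <= max_shards_per_node


if __name__ == "__main__":
    plan = plan_daily_indices(daily_bytes=100 * GIB, retention_days=30, replicas=1)  # constructed
    print(plan)
    print("fits 3 data nodes:", shards_per_node_ok(plan, data_nodes=3))
```

At 100 GiB a day with 30 days of retention and one replica this yields 4 primaries per index, 240 shards in total and about 6 TiB of storage, which three data nodes hold comfortably; the same volume kept for a year on one node would already exceed the per-node shard limit, which is the point at which rollover by size or a longer index interval belongs in the design.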

How to prevent BufferOverflowError

In this guide, I will tell you how to prevent BufferOverflowError when you receive logs from Kafka/in_tail and your output can't connect to OpenSearch/Elasticsearch. If you use input from Kafka/in_tail and sometimes have connection issues with OpenSearch/Elasticsearch, you can customize the Fluentd buffer in the output to stop getting logs from the input […]
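BufferOverflowError is raised when the output's buffer hits total_limit_size while the destination is unreachable, and whether events are then lost, dropped or held back depends on overflow_action. The following is an added example, not code from the SOC Prime post, that checks a buffer configuration against an outage: it parses Fluentd size and duration strings, reproduces the exponential_backoff retry timeline, and reports how long an outage the buffer absorbs at a given ingest rate and what happens once it is full. The defaults used are Fluentd's documented buffer defaults (memory buffer total_limit_size 512m, retry_wait 1s, backoff base 2, retry_timeout 72h); the ingest rates are constructed.

```python
"""Fluentd output-buffer capacity check: how long an OpenSearch/Elasticsearch outage a
buffer absorbs before BufferOverflowError, and what overflow_action then does.

Added example, not code from the SOC Prime post. Defaults are Fluentd's documented
buffer defaults; the retry timeline is an approximation of exponential_backoff that
stops once the next retry would pass retry_timeout. Traffic figures are constructed.
"""
from typing import Optional

_SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}
_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

OVERFLOW_BEHAVIOUR = {
    "throw_exception": "BufferOverflowError raised to the input plugin; the emitted events are lost",
    "block": "emit blocks, so in_tail/Kafka stop reading until chunks are flushed",
    "drop_oldest_chunk": "oldest buffered chunk discarded to make room",
}


def parse_size(value: str) -> int:
    """Parse a Fluentd size such as '512m' or '64g' (suffixes k/m/g/t, powers of 1024)."""
    s = value.strip().lower()
    if s[-1] in _SIZE_UNITS:
        return int(float(s[:-1]) * _SIZE_UNITS[s[-1]])
    return int(s)


def parse_time(value: str) -> float:
    """Parse a Fluentd duration such as '1s', '10m', '72h' or '1d' into seconds."""
    s = value.strip().lower()
    if s[-1] in _TIME_UNITS:
        return float(s[:-1]) * _TIME_UNITS[s[-1]]
    return float(s)


def retry_schedule(retry_wait: str = "1s", backoff_base: float = 2.0,
                   retry_max_interval: Optional[str] = None, retry_timeout: str = "72h") -> list:
    """Seconds after the first failed flush at which retries fire under exponential_backoff.
    Without retry_max_interval the gaps double unbounded: the 17th retry is at ~36h and
    nothing happens again before retry_timeout, so a cap is worth setting."""
    wait = parse_time(retry_wait)
    cap = parse_time(retry_max_interval) if retry_max_interval else None
    timeout = parse_time(retry_timeout)
    times, elapsed = [], 0.0
    while True:
        elapsed += wait
        if elapsed > timeout:
            return times
        times.append(elapsed)
        wait *= backoff_base
        if cap is not None:
            wait = min(wait, cap)


def simulate_outage(outage_seconds: float, ingest_bytes_per_sec: float,
                    total_limit_size: str = "512m",
                    overflow_action: str = "throw_exception") -> dict:
    """Report whether the buffer absorbs an outage of the given length and, if not,
    when it fills and what the configured overflow_action does at that point."""
    if overflow_action not in OVERFLOW_BEHAVIOUR:
        raise ValueError(f"unknown overflow_action {overflow_action!r}")
    limit = parse_size(total_limit_size)
    seconds_until_full = limit / ingest_bytes_per_sec
    needed = ingest_bytes_per_sec * outage_seconds
    if needed <= limit:
        return {"overflow": False, "seconds_until_full": seconds_until_full,
                "peak_buffer_bytes": int(needed),
                "effect": "all events buffered and flushed after recovery"}
    return {"overflow": True, "seconds_until_full": seconds_until_full,
            "peak_buffer_bytes": limit, "effect": OVERFLOW_BEHAVIOUR[overflow_action]}


if __name__ == "__main__":
    one_mib_per_sec = 1024 ** 2                      # constructed ingest rate
    print(simulate_outage(600, one_mib_per_sec))    # default memory buffer: overflows
    print(simulate_outage(600, one_mib_per_sec, total_limit_size="8g", overflow_action="block"))
    print(retry_schedule()[:6], "...", len(retry_schedule()), "retries before retry_timeout")
```

At 1 MiB/s the default 512m memory buffer is full after 512 seconds, so a ten-minute OpenSearch outage raises BufferOverflowError under the default throw_exception; the excerpt's approach of making the output stop taking events from the input corresponds to overflow_action block, which pauses in_tail or the Kafka consumer instead of losing the events, and a file buffer with a larger total_limit_size extends the window.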

Adaptive Replica Selection in OpenSearch

Adaptive replica selection is a mechanism designed to improve query response times and alleviate strain on overloaded OpenSearch nodes. It ensures that nodes experiencing delays due to issues like hardware, network, or configuration problems do not slow down the overall query process. How It Works Consider a scenario where one node in the cluster is […]
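The coordinating node ranks each copy of a shard by what it has recently seen from the owning node and sends the request to the best-ranked copy. The following is an added example and not code from the SOC Prime post: a toy model of that ranking using the C3 formula that the Elasticsearch and OpenSearch implementations are based on (rank = R - 1/mu + q_hat^3 / mu, with q_hat = 1 + outstanding requests x clients + queue length). The node figures are constructed, units are milliseconds, and the real implementation's constants and EWMA bookkeeping are not reproduced, so read the numbers as illustrative.

```python
"""Toy model of adaptive replica selection: rank shard copies by the owning node's recent
response time, service time and search-queue length, then route to the lowest rank.

Added example, not code from the SOC Prime post. The formula is the C3 ranking the
Elasticsearch/OpenSearch implementations are modelled on; constants, units and node
statistics here are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NodeStats:
    name: str
    response_time_ms: float  # EWMA round-trip time seen by the coordinating node
    service_time_ms: float   # EWMA time the node reported spending on the search
    queue_size: float        # EWMA length of the node's search thread-pool queue


def rank(stats: NodeStats, outstanding: int, client_count: int = 1) -> float:
    """Lower is better. The cubic queue term makes a backed-up node fall behind fast."""
    q_hat = 1.0 + outstanding * client_count + stats.queue_size
    mu = stats.service_time_ms
    return stats.response_time_ms - (1.0 / mu) + (q_hat ** 3) / mu


def choose_replica(candidates: List[NodeStats], outstanding: Dict[str, int]) -> NodeStats:
    """Pick the copy whose node currently ranks best."""
    return min(candidates, key=lambda s: rank(s, outstanding.get(s.name, 0)))


def distribute(candidates: List[NodeStats], requests: int) -> Dict[str, int]:
    """Route `requests` searches issued back-to-back before any completes (worst case
    for the concurrency term) and count how many land on each node."""
    outstanding = {s.name: 0 for s in candidates}
    for _ in range(requests):
        chosen = choose_replica(candidates, outstanding)
        outstanding[chosen.name] += 1
    return outstanding


NODES = [  # constructed: two healthy nodes and one with a backed-up search queue
    NodeStats("node-a", response_time_ms=5.0, service_time_ms=4.0, queue_size=1.0),
    NodeStats("node-b", response_time_ms=6.0, service_time_ms=5.0, queue_size=1.0),
    NodeStats("node-c", response_time_ms=50.0, service_time_ms=40.0, queue_size=20.0),
]

if __name__ == "__main__":
    for n in NODES:
        print(f"{n.name}: rank={rank(n, 0):.2f}")
    print(distribute(NODES, 12))
```

The degraded node-c ranks roughly forty times worse than node-a, so the twelve back-to-back requests are shared between the two healthy nodes and node-c receives none; as outstanding requests pile up on the healthy nodes their own cubic term grows, which is what eventually sends traffic back to a recovering node rather than starving it forever.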

How to Enable and Manage AWS WAF Logging with CloudWatch Logs

AWS WAF allows you to log the traffic of your web ACLs, providing detailed insights such as request details, matched rules, and timestamps. Here's a concise guide to enabling and managing logging using Amazon CloudWatch Logs.

1. Configuring Logging

To log web ACL traffic:
Navigate to the AWS WAF console.
Select the desired web ACL.
Click Logging […]
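Once logging is on, each log event in the CloudWatch log group is one JSON document with the request details, the terminating rule and any rules that matched in COUNT mode. The following is an added example, not code from the SOC Prime post, that parses those documents and summarises what a detection engineer looks at first: blocks by rule and by client IP, and COUNT-mode hits on allowed requests, which are the rules to review before switching them to BLOCK. It also checks the one naming constraint that trips people up, that WAF only accepts CloudWatch log groups whose name starts with aws-waf-logs-. The records are constructed to match the documented WAF log fields; the ARN, resource IDs and addresses are placeholders.

```python
"""Summarise AWS WAF web ACL logs as delivered to CloudWatch Logs (one JSON record per log event).

Added example, not code from the SOC Prime post. The records below are constructed to
match the documented WAF log fields; ARNs, resource IDs and IP addresses are placeholders.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# WAF only delivers to CloudWatch log groups whose name starts with this prefix.
WAF_LOG_GROUP_PREFIX = "aws-waf-logs-"


def _record(ts, action, rule_id, rule_type, ip, method, uri, args, ua, count_rules=()):
    """Build a constructed WAF log record with the documented top-level and httpRequest fields."""
    return {
        "timestamp": ts, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/00000000-0000-0000-0000-000000000000",
        "terminatingRuleId": rule_id, "terminatingRuleType": rule_type, "action": action,
        "httpSourceName": "ALB", "httpSourceId": "app/example-alb/0123456789abcdef",
        "ruleGroupList": [], "rateBasedRuleList": [],
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in count_rules],
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri, "args": args,
                        "httpVersion": "HTTP/1.1", "httpMethod": method, "requestId": f"req-{ts}",
                        "headers": [{"name": "Host", "value": "app.example.com"},
                                    {"name": "User-Agent", "value": ua}]},
    }


SAMPLE_RECORDS = [  # constructed: two blocks (managed SQLi rule, rate-based rule) and one allow
    _record(1733400000000, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP",
            "198.51.100.23", "POST", "/login", "user=admin%27--", "sqlmap/1.7"),
    _record(1733400005000, "BLOCK", "rate-limit-login", "RATE_BASED",
            "203.0.113.9", "POST", "/login", "", "python-requests/2.31"),
    _record(1733400010000, "ALLOW", "Default_Action", "REGULAR",
            "192.0.2.44", "GET", "/search", "q=%3Cb%3Ehi", "Mozilla/5.0",
            count_rules=("AWS-AWSManagedRulesCommonRuleSet",)),
]
# One JSON document per log event; a stray non-JSON line is included deliberately.
SAMPLE_LINES = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\nnot a waf record\n"


def parse_records(lines: Iterable[str]) -> List[dict]:
    """Parse newline-delimited JSON, keeping only documents that look like WAF records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(doc, dict) and "action" in doc and "httpRequest" in doc:
            records.append(doc)
    return records


def summarise(records: List[dict]) -> Dict[str, object]:
    """Aggregate actions, terminating rules and client IPs for blocks, plus COUNT-mode hits."""
    blocked = [r for r in records if r["action"] == "BLOCK"]
    count_hits = Counter(m["ruleId"] for r in records
                         for m in r.get("nonTerminatingMatchingRules", []) if m.get("action") == "COUNT")
    first_ts = min(r["timestamp"] for r in records) if records else None   # epoch milliseconds
    return {
        "actions": dict(Counter(r["action"] for r in records)),
        "blocked_by_rule": dict(Counter(r["terminatingRuleId"] for r in blocked)),
        "blocked_client_ips": dict(Counter(r["httpRequest"]["clientIp"] for r in blocked)),
        "count_mode_hits": dict(count_hits),
        "first_event": (datetime.fromtimestamp(first_ts / 1000, tz=timezone.utc).isoformat()
                        if first_ts else None),
    }


def valid_waf_log_group(name: str) -> bool:
    """True if AWS WAF will accept this CloudWatch log group as a logging destination."""
    return name.startswith(WAF_LOG_GROUP_PREFIX)


if __name__ == "__main__":
    print(json.dumps(summarise(parse_records(SAMPLE_LINES.splitlines())), indent=2))
```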

Optimizing Elasticsearch Master Node for Cluster Stability

The master node is responsible for lightweight cluster-wide actions such as creating or deleting an index, tracking which nodes are part of the cluster, and deciding which shards to allocate to which nodes. It is important for cluster health to have a stable master node. This guide provides best practices for optimizing the master node […]
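A stable master depends less on tuning the elected node than on how many master-eligible nodes there are, whether they do anything else, and where they sit. The following is an added example, not code from the SOC Prime post, that reviews those three points from a GET _nodes response: it computes the quorum (a strict majority of master-eligible nodes) and how many failures that tolerates, and flags master-eligible nodes that also carry data or ingest roles (a dedicated master is configured with node.roles: [ master ]) or that all share one zone. The two clusters are constructed in the shape of the _nodes output, and reading availability zones from a node attribute named zone is an assumption.

```python
"""Review master-eligible node layout from a GET _nodes response (roles and attributes).

Added example, not code from the SOC Prime post. The two clusters below are constructed
in the shape of the _nodes API output; using a node attribute named 'zone' for
availability zones is an assumption.
"""
from typing import Dict, List


def master_eligible(nodes: Dict[str, dict]) -> List[dict]:
    """Nodes whose roles include 'master' (node.roles: [ master ] for a dedicated one)."""
    return [n for n in nodes.values() if "master" in n.get("roles", [])]


def quorum(master_count: int) -> int:
    """Votes needed to elect a master and commit cluster state: a strict majority."""
    return master_count // 2 + 1


def review_masters(cluster: dict, zone_attr: str = "zone") -> dict:
    """Quorum arithmetic plus the findings to fix before trusting the cluster with production data."""
    masters = master_eligible(cluster["nodes"])
    n = len(masters)
    findings = []
    if n < 3:
        findings.append(f"only {n} master-eligible node(s): one failure leaves no majority, run at least 3")
    elif n % 2 == 0:
        findings.append(f"{n} master-eligible nodes tolerate no more failures than {n - 1}; use an odd count")
    for m in masters:
        extra = sorted(set(m.get("roles", [])) - {"master"})
        if extra:
            findings.append(f"{m['name']} is master-eligible but also holds {', '.join(extra)}; "
                            "dedicate it so data or ingest load cannot stall cluster-state updates")
    zones = {m.get("attributes", {}).get(zone_attr) for m in masters} - {None}
    if n >= 3 and len(zones) < 2:
        findings.append("all master-eligible nodes sit in one zone; a zone outage loses quorum")
    return {"master_eligible": n, "quorum": quorum(n), "tolerated_failures": n - quorum(n),
            "findings": findings}


def _node(name, roles, zone):
    return {"name": name, "roles": roles, "attributes": {"zone": zone}}


SAMPLE_CLUSTER = {"cluster_name": "logs-prod", "nodes": {  # constructed
    "n1": _node("master-01", ["master"], "a"),
    "n2": _node("master-02", ["master"], "b"),
    "n3": _node("master-03", ["master", "data"], "c"),   # not dedicated
    "n4": _node("data-01", ["data", "ingest"], "a"),
    "n5": _node("data-02", ["data", "ingest"], "b"),
}}
TWO_MASTERS = {"cluster_name": "logs-dev", "nodes": {  # constructed
    "n1": _node("master-01", ["master"], "a"),
    "n2": _node("master-02", ["master"], "a"),
    "n3": _node("data-01", ["data"], "a"),
}}

if __name__ == "__main__":
    for c in (SAMPLE_CLUSTER, TWO_MASTERS):
        print(c["cluster_name"], review_masters(c))
```

The same check runs against a live cluster by feeding it the JSON from GET _nodes/_all/roles,attributes; the two-master cluster is the common development layout that looks redundant but tolerates zero failures, because losing either node leaves one vote out of the two needed.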

Standard Logstash Template for Event Processing (Gold Template)

This standard template for configuring Logstash pipelines, commonly referred to as a “gold template,” ensures consistent metadata enrichment for events processed through Logstash, making it particularly useful in environments where data comes from diverse sources.

Configuration Template

Below is the template with an explanation of its key components:

Key Features

Ruby Block for Metadata Enrichment […]

Configuring Disk Allocation Thresholds in Elasticsearch and OpenSearch

When running an Elasticsearch or OpenSearch cluster, efficient disk space management is essential for ensuring stability and performance. These platforms provide configurable settings to manage how shards are allocated based on available disk space. Here, we discuss three key settings related to disk allocation thresholds:

1. cluster.routing.allocation.disk.threshold_enabled

This setting enables or disables disk-based shard allocation. When set […]
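The thresholds themselves are the three watermarks under cluster.routing.allocation.disk.watermark: low stops new shards landing on a node, high starts moving shards off it, and flood_stage puts index.blocks.read_only_allow_delete on every index with a shard there, which is the point at which ingestion starts failing. The following is an added example, not code from the SOC Prime post, that classifies a node against those watermarks with the Elasticsearch/OpenSearch defaults (85%, 90%, 95%), honours threshold_enabled, and enforces the rule that all three must be percentages of used space or all absolute free-space sizes, never a mix. The disk figures are constructed, and treating the boundary as "at or above" is an assumption about the exact comparison.

```python
"""Evaluate a node's disk usage against the three disk-based shard allocation watermarks.

Added example, not code from the SOC Prime post. Defaults are the Elasticsearch/OpenSearch
defaults (low 85%, high 90%, flood_stage 95%); the disk figures are constructed and the
'at or above' comparison is an assumption about the exact boundary behaviour.
"""
from typing import Tuple

_BYTE_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4, "pb": 1024 ** 5}

EFFECTS = {
    "ok": "shards allocated normally",
    "low": "no new shards allocated to this node (primaries of newly created indices excepted)",
    "high": "shards actively relocated away from this node",
    "flood_stage": "index.blocks.read_only_allow_delete set on every index with a shard on this node",
}


def parse_watermark(value: str) -> Tuple[str, float]:
    """'85%' -> ('percent', 85.0), a ceiling on used space.
    '20gb' -> ('bytes', 21474836480.0), a floor on free space."""
    s = value.strip().lower()
    if s.endswith("%"):
        return "percent", float(s[:-1])
    for unit in sorted(_BYTE_UNITS, key=len, reverse=True):   # try 'gb' before 'b'
        if s.endswith(unit):
            return "bytes", float(s[:-len(unit)]) * _BYTE_UNITS[unit]
    raise ValueError(f"unrecognised watermark {value!r}")


def evaluate_node(total_bytes: int, used_bytes: int, low: str = "85%", high: str = "90%",
                  flood_stage: str = "95%", threshold_enabled: bool = True) -> dict:
    """Classify one node against cluster.routing.allocation.disk.watermark.{low,high,flood_stage}."""
    parsed = [parse_watermark(v) for v in (low, high, flood_stage)]
    if len({kind for kind, _ in parsed}) != 1:
        # The cluster settings API rejects this too: all percentages or all absolute sizes.
        raise ValueError("low, high and flood_stage must all be percentages or all byte sizes")
    kind, (lo, hi, fl) = parsed[0][0], [v for _, v in parsed]
    free = total_bytes - used_bytes
    used_pct = used_bytes / total_bytes * 100
    if not threshold_enabled:          # cluster.routing.allocation.disk.threshold_enabled: false
        state = "ok"
    elif kind == "percent":
        if not lo < hi < fl:
            raise ValueError("percent watermarks must satisfy low < high < flood_stage")
        state = ("flood_stage" if used_pct >= fl else "high" if used_pct >= hi
                 else "low" if used_pct >= lo else "ok")
    else:
        if not lo > hi > fl:
            raise ValueError("byte watermarks are free-space floors: low > high > flood_stage")
        state = ("flood_stage" if free <= fl else "high" if free <= hi
                 else "low" if free <= lo else "ok")
    return {"state": state, "used_percent": round(used_pct, 1), "free_bytes": free,
            "effect": EFFECTS[state]}


if __name__ == "__main__":
    GIB = 1024 ** 3
    for used in (800, 880, 930, 980):     # constructed usage on a 1 TiB data path
        r = evaluate_node(1024 * GIB, used * GIB)
        print(f"{used} GiB used ({r['used_percent']}%): {r['state']} -> {r['effect']}")
    print(evaluate_node(1024 * GIB, 984 * GIB, low="100gb", high="50gb", flood_stage="20gb")["state"])
```

Absolute values are the better choice on very large disks, where 5% free can still be hundreds of gigabytes; the ordering check matters because the meaning flips between the two forms (a percentage is a cap on used space, a byte value a floor on free space), and a mixed configuration is refused rather than silently half-applied.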

Understanding index.mapping.total_fields.limit in OpenSearch/ElasticSearch

Sometimes you can get the error Limit of total fields [1000] has been exceeded. I will explain what it is and how to fix it. You can find that error in the OpenSearch/Elasticsearch logs under /var/log/opensearch or /var/log/elasticsearch. For example, you can see that error in the screenshot: In OpenSearch and Elasticsearch, the number of fields in an index […]
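The number the limit compares against is every object and leaf field in the mapping, including multi-fields such as the .keyword sub-field a dynamically mapped string gets by default, so a document with unmapped keys can add two fields per string. The following is an added example, not code from the SOC Prime post, that counts the fields in a mapping the way index.mapping.total_fields.limit does and estimates how many new fields dynamic mapping would create for a document before it is indexed, which is the check to run when the error appears. The mapping and document are constructed.

```python
"""Count mapped fields the way index.mapping.total_fields.limit does, and estimate how
many new fields dynamic mapping would add for a document before indexing it.

Added example, not code from the SOC Prime post. Counting rule: every object and leaf
field mapping counts, as does each multi-field (e.g. the .keyword sub-field a dynamic
string receives by default). The mapping and document below are constructed.
"""
from typing import Any, Dict, Set


def count_mapped_fields(mapping: Dict[str, Any]) -> int:
    """Total fields in an index mapping, the figure compared against total_fields.limit."""
    def walk(props: Dict[str, Any]) -> int:
        n = 0
        for spec in props.values():
            n += 1                                  # the field or object itself
            n += walk(spec.get("properties", {}))   # children of an object/nested field
            n += len(spec.get("fields", {}))        # multi-fields such as .keyword
        return n
    return walk(mapping.get("properties", {}))


def _mapped_paths(mapping: Dict[str, Any]) -> Set[str]:
    paths: Set[str] = set()

    def walk(props: Dict[str, Any], prefix: str) -> None:
        for name, spec in props.items():
            path = f"{prefix}{name}"
            paths.add(path)
            walk(spec.get("properties", {}), path + ".")
    walk(mapping.get("properties", {}), "")
    return paths


def new_fields_from_document(mapping: Dict[str, Any], doc: Dict[str, Any],
                             string_multi_field: bool = True) -> int:
    """Fields dynamic mapping would add for `doc`: one per unmapped object, one per
    unmapped scalar, plus a .keyword multi-field per unmapped string (the default
    dynamic template maps strings as text with a keyword sub-field)."""
    existing = _mapped_paths(mapping)

    def walk(obj: Dict[str, Any], prefix: str) -> int:
        added = 0
        for name, value in obj.items():
            path = f"{prefix}{name}"
            if isinstance(value, list):
                value = value[0] if value else None   # arrays take the type of their elements
            if value is None:
                continue                               # nulls and empty arrays map nothing
            if isinstance(value, dict):
                if path not in existing:
                    added += 1                         # new object field
                added += walk(value, path + ".")
            elif path not in existing:
                added += 2 if isinstance(value, str) and string_multi_field else 1
        return added
    return walk(doc, "")


def would_exceed_limit(mapping: Dict[str, Any], doc: Dict[str, Any], limit: int = 1000) -> bool:
    """True if indexing `doc` would push the mapping past index.mapping.total_fields.limit."""
    return count_mapped_fields(mapping) + new_fields_from_document(mapping, doc) > limit


SAMPLE_MAPPING = {"properties": {  # constructed
    "@timestamp": {"type": "date"},
    "message": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    "host": {"properties": {"name": {"type": "keyword"}, "ip": {"type": "ip"}}},
}}
SAMPLE_DOC = {  # constructed: 'user' and everything under it is unmapped
    "@timestamp": "2024-12-05T12:00:00Z", "message": "login failed",
    "host": {"name": "web-01"},
    "user": {"id": "u-1337", "tags": ["vpn"], "attempts": 3},
}

if __name__ == "__main__":
    print("mapped:", count_mapped_fields(SAMPLE_MAPPING))
    print("new fields from doc:", new_fields_from_document(SAMPLE_MAPPING, SAMPLE_DOC))
    print("exceeds a limit of 10:", would_exceed_limit(SAMPLE_MAPPING, SAMPLE_DOC, limit=10))
```

Raising index.mapping.total_fields.limit in the index settings makes the error go away, but when the new keys come from data you do not control (HTTP headers, query parameters or JSON bodies copied into log events), every distinct key becomes a field and the mapping keeps growing; in that case set dynamic to false or strict on the offending object, or store it as a flattened (Elasticsearch) or flat_object (OpenSearch) field, so untrusted input cannot drive the field count.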

UAC-0185 aka UNC4221 Attack Detection: Hackers Target the Ukrainian Defense Forces and Military-Industrial Complex

Since russia launched its full-scale invasion of Ukraine, defense organizations have been heavily targeted by multiple hacking groups via the phishing attack vector. CERT-UA researchers recently shed light on the latest attacks by UAC-0185 (aka UNC4221) targeting Ukrainian organizations within the defense-industrial sector. The new CERT-UA alert covers cyber attacks using email spoofing and masquerading […]
