Threats

Monitoring Elasticsearch Cluster With Metricbeat

Monitoring Elasticsearch is crucial for maintaining its performance and ensuring cluster health. Metricbeat, a lightweight shipper by Elastic, simplifies this process by collecting metrics from your Elasticsearch nodes and shipping them to a monitoring Elasticsearch cluster (or the same cluster), where Kibana's Stack Monitoring displays them.

How to Monitor Elasticsearch with Metricbeat

1. Install Metricbeat

Download and install Metricbeat on your Elasticsearch nodes. […]

The post Monitoring Elasticsearch Cluster With Metricbeat appeared first on SOC Prime.

Threats

Understanding indices.query.bool.max_clause_count in OpenSearch

The indices.query.bool.max_clause_count setting in OpenSearch specifies the maximum number of clauses allowed in a bool query. A clause in this context is one condition in the query, such as a must, should, or must_not entry. If a query exceeds this limit, the request fails with a too_many_clauses error, indicating that the query is too large or complex. By default, the value of indices.query.bool.max_clause_count is set to 1024, […]


Threats

Decoding the PROCTITLE Field in Auditd Event Streams with Logstash

The proctitle field of an auditd PROCTITLE record carries the command line that started the process; because the argv entries are NUL-separated, auditd emits it hex-encoded, which makes it unreadable in raw form. Learn how to decode it with a Ruby script within Logstash.

Problem Overview

When processing auditd events, the PROCTITLE field is hex-encoded, which makes it unreadable in its raw form. To make this information human-readable, we can use a […]
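As an added example, and not the script from the original post, the decoding logic written as a Logstash ruby-filter script file (loadable with `ruby { path => "decode_proctitle.rb" }`, which calls `register` once and `filter` per event). The `[auditd][proctitle]` source and `[auditd][proctitle_decoded]` / `[auditd][proctitle_argv]` target field names, the script_params keys and the sample audit line are assumptions. It also covers the case the hex-only approach misses: auditd hex-encodes a field only when it contains bytes it will not print literally (NUL, space, quotes, control characters), so a single-word command arrives as a quoted plain string rather than hex. A stand-in for LogStash::Event is included so the script can be exercised outside Logstash.

```ruby
# Logstash ruby-filter script (load with: ruby { path => "decode_proctitle.rb" }).
# Added example for this page, not SOC Prime's script; field names are assumptions.

HEX_FIELD = /\A(?:[0-9A-Fa-f]{2})+\z/
# Constructed sample record: "cat /etc/passwd" as auditd would log it.
SAMPLE_LINE = "type=PROCTITLE msg=audit(1700000000.123:4567): " \
              "proctitle=636174002F6574632F706173737764"

# Pull the raw proctitle value out of an auditd PROCTITLE record line.
def proctitle_from_line(line)
  m = line.match(/\bproctitle=(\S+)/)
  m && m[1]
end

# auditd hex-encodes a field only when it holds bytes it will not print literally.
# argv entries in PROCTITLE are NUL-separated, so any command with arguments
# arrives as hex; a bare one-word command arrives as a quoted plain string.
def decode_proctitle(raw)
  return nil if raw.nil? || raw.to_s.empty?
  value = raw.to_s
  argv =
    if value.match?(HEX_FIELD)
      [value].pack("H*").split("\x00")    # hex -> bytes, NUL marks an argv boundary
    else
      [value.delete('"')]                  # quoted plain value, e.g. "bash"
    end
  argv = argv.map { |a| a.dup.force_encoding("UTF-8").scrub("?") }
  { "argv" => argv, "cmdline" => argv.join(" ") }
end

# Logstash calls register(script_params) once at startup.
def register(params)
  @source      = params.fetch("source", "[auditd][proctitle]")
  @target      = params.fetch("target", "[auditd][proctitle_decoded]")
  @target_argv = params.fetch("target_argv", "[auditd][proctitle_argv]")
end

# Logstash calls filter(event) for every event and expects an array of events back.
def filter(event)
  decoded = decode_proctitle(event.get(@source))
  unless decoded.nil?
    event.set(@target, decoded["cmdline"])
    event.set(@target_argv, decoded["argv"])
  end
  [event]
end

# Minimal stand-in for LogStash::Event so the script runs outside Logstash;
# it stores fields under the literal field-reference string.
class StandInEvent
  def initialize(fields = {})
    @fields = fields
  end

  def get(ref)
    @fields[ref]
  end

  def set(ref, value)
    @fields[ref] = value
  end
end

if __FILE__ == $PROGRAM_NAME
  register({})
  event = StandInEvent.new("[auditd][proctitle]" => proctitle_from_line(SAMPLE_LINE))
  filter(event)
  puts event.get("[auditd][proctitle_decoded]")   # cat /etc/passwd
end
```

Keeping the decoded argv as an array alongside the joined command line lets detection rules match on an exact argument (for example `/etc/passwd` as argv[1]) instead of substring-matching the whole string.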


Threats

BlueAlpha Attack Detection: russia-affiliated Hacking Collective Abuses Cloudflare Tunnels to Distribute GammaDrop Malware

The russian state-sponsored threat actor BlueAlpha (aka Gamaredon, Hive0051, Shuckworm, UAC-0010, or Armageddon) has been orchestrating cyber-espionage campaigns against Ukraine since 2014. Following Russia’s full-scale invasion of Ukraine on February 24, 2022, these operations have intensified, showcasing evolving TTPs that are often tested in Ukraine before being deployed against a wider array of targets. Recently, […]


Threats

Interesting URL Schema Abuse Patterns (Merry Phishmas)

One interesting feature of the URL parsing specification is that a literal IPv4 address can be written as a single decimal number instead of a dotted quad. You can try this by: I was able to find this decimal number by pinging google and using the IP address in the linked calculator site. Another interesting feature of the schema and […]
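As an added example, and not code from the original post, a Ruby implementation of the IPv4 host parsing that the WHATWG URL standard (and so browsers) apply, which shows why a decimal, hexadecimal, octal or short-form host all land on the same address, plus a check that flags such hosts in URLs for phishing triage. It generalises beyond the decimal case in the post. The sample URLs are constructed around 8.8.8.8 (decimal 134744072) rather than the address the author looked up; the host extraction is a deliberately simplified regex.

```ruby
# WHATWG-style IPv4 host parsing plus a check for non-canonical IPv4 hosts.
# Added example for this page, not code from the original post; sample URLs are constructed.

# One dotted part: "0x.." is hex, a leading zero means octal, otherwise decimal.
# Returns the integer value, or nil when the part is not a valid number.
def ipv4_number(part)
  return nil if part.empty?
  if part.match?(/\A0[xX]/)
    rest = part[2..]
    return 0 if rest.empty?                 # "0x" alone parses as zero
    return nil unless rest.match?(/\A[0-9a-fA-F]+\z/)
    rest.to_i(16)
  elsif part.length > 1 && part.start_with?("0")
    return nil unless part.match?(/\A[0-7]+\z/)   # "08" is not valid octal
    part.to_i(8)
  else
    return nil unless part.match?(/\A[0-9]+\z/)
    part.to_i(10)
  end
end

# Returns the 32-bit integer for a host that parses as IPv4, or nil.
# 1 to 4 parts are allowed; all but the last must be <= 255 and the last must
# fit in the bytes that remain, so "8.8.2056" and "134744072" are both 8.8.8.8.
def parse_ipv4(host)
  parts = host.split(".", -1)
  parts.pop if parts.length > 1 && parts.last.empty?   # one trailing dot is allowed
  return nil if parts.length > 4
  nums = parts.map { |p| ipv4_number(p) }
  return nil if nums.any?(&:nil?)
  return nil if nums[0..-2].any? { |n| n > 255 }
  return nil if nums.last >= 256**(5 - nums.length)
  nums[0..-2].each_with_index.sum { |n, i| n * 256**(3 - i) } + nums.last
end

# Canonical dotted-quad text for a 32-bit address.
def dotted_quad(ip)
  [24, 16, 8, 0].map { |shift| (ip >> shift) & 0xFF }.join(".")
end

# Simplified host extraction: scheme://[userinfo@]host[:port]/... The userinfo
# part is skipped, so "http://trusted.example@134744072/" yields the numeric host.
def extract_host(url)
  m = url.match(%r{\A[A-Za-z][A-Za-z0-9+.\-]*://(?:[^/?#@]*@)?([^/?#:]+)})
  m && m[1].downcase
end

# A decimal, hex, octal or short-form IPv4 host comes back as a dotted quad;
# any other host is returned unchanged; nil when no host can be extracted.
def normalize_host(url)
  host = extract_host(url)
  return nil if host.nil?
  ip = parse_ipv4(host)
  ip.nil? ? host : dotted_quad(ip)
end

# True when the host is an IPv4 address that is not written as a plain dotted quad.
def obfuscated_ip_host?(url)
  host = extract_host(url)
  return false if host.nil?
  ip = parse_ipv4(host)
  !ip.nil? && dotted_quad(ip) != host
end

if __FILE__ == $PROGRAM_NAME
  %w[http://134744072/login http://0x08080808/ http://010.010.010.010/
     http://8.8.2056/ http://8.8.8.8/ https://example.com/].each do |url|
    puts "#{url} -> #{normalize_host(url)} obfuscated=#{obfuscated_ip_host?(url)}"
  end
end
```

The useful property for detection is that the canonical form is computed, not pattern-matched: any encoding a browser accepts collapses to the same dotted quad, which is the value to put in a blocklist lookup or an indicator match.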


Threats

Migrating Dashboards Between OpenSearch Instances

If you need to migrate visualizations or dashboards from one OpenSearch instance to another, you can do the following steps:

Export Saved Objects

Go to Management > Saved Objects > Export. Select the objects to export (e.g., dashboards or visualizations).

Correct the .ndjson file

It is important to note that if you have already created a new […]


Threats

Enhancing Request Handling with Custom Headers in AWS WAF

AWS WAF allows you to insert custom headers into HTTP requests for non-blocking actions (Allow, Count, CAPTCHA and Challenge). This lets downstream applications apply tailored processing, or flag requests for analysis, without modifying or replacing the original request content. Note that AWS WAF prefixes every inserted request header name with x-amzn-waf-.

Use Cases and Applicable Actions

Custom headers are used to signal downstream applications or flag requests for further analysis. They can be […]


Threats

Generating a CSR and Using an External Certificate with Elasticsearch

This guide is aimed at beginners and provides a step-by-step walkthrough for connecting Elasticsearch to external certificates issued by a Certificate Authority (CA). All instructions and steps are based on the official Elasticsearch documentation to ensure accuracy and compatibility.

Generate a CSR for Each Node

Step 1: Create a CSR Configuration File

For each node in […]


Threats

OpenSearch: How to Fix Security Analytics Error When You Try to Create a New Detector

Sometimes you encounter an error shown at the bottom right when you try to create a detector, or when you click Security Analytics or any other link within it (see the screenshot below).

To fix that:

Option 1: (an example is in the screenshot below). Now you can see the list of log types. If you […]


Threats

RevC2 and Venom Loader Detection: New Malware Strains Massively Deployed via MaaS in a Sophisticated Campaign


New day, a new menace for cyber defenders. Recently, security researchers from ThreatLabz have uncovered two novel malicious strains, joining the 100 million already identified in 2024. As per reports, the newly revealed RevC2 and Venom Loader have been making the rounds since the summer of 2024, leveraging Venom Spider’s Malware-as-a-Service […]

