About ScottieJ

ScottieJ · 03-04-2025

Turns out that the Grok Pattern "GREEDYDATA" not that all that greedy...hopefully this will save someone some time. I needed to write a parser extension for a multi line Windows event formatted in XML. I not so quickly discovered that Grok patterns m...

ScottieJ · 07-02-2024

Many MSV deployments include multiple on-premise actors and one or two Mandiant cloud hosted actors. Many use cases like data extraction or malicious file transfers (MFT) will require that the on-premise actors can communicate with the cloud hosted a...

ScottieJ · 07-01-2024

The MSV Report Builder is a powerful analytics tool. It is easy to get carried away with all the widgets available after running a campaign of attack simulations and emulations when crafting an Executive Debrief Report . A Debrief should be "brief" b...

ScottieJ · 06-27-2024

Just like pilots, who have to complete a rigorous set of safety checks before every departure, security teams should also routinely evaluate security controls to help keep their organization safe. The Advanced Environmental Drift Analysis feature in ...

ScottieJ · 06-24-2024

Many of the MSV Integrations especially in the SIEM category utilize field mappings to associate data to variables used by MSV to attribute log or alert events to Actions. Typical mappings include: source IP, destination IP, host name, user, source P...

ScottieJ · 03-19-2025

Hi, any updates on publishing a document that categories our Parsers? Gold, default, custom, etc?

ScottieJ · 02-25-2025

Within the Google SecOps IDE, utilizing Python scripts for job automation necessitates robust output persistence and detailed logging. For storing job outputs for inter-job dependencies and analysis, leverage Google Cloud Storage (GCS) with structure...

ScottieJ · 01-07-2025

You may have a couple of options (disclaimer, I have not tested this and would welcome comments) Possible Option 1: Create a log sink that exports the specific logs you need to a Pub/Sub topic. Configure SecOps SIEM to ingest logs from that Pub/Sub t...

ScottieJ · 10-16-2024

tameri, Thanks for the article! this can be useful Can you correct the URL for VT, it also includes your text and the link is broken, plus the sigma rules don't seem to provide any data in VT anymore when you click on the ID. The example ID link for ...

ScottieJ · 09-16-2024

Vishnu Google Security Operations SIEM does not provide a default parser for these log types. You can ingest them with the API or a Forwarder (raw events); however, you will have to create a custom parser to normalize these logs (UDM format). These l...

My Stats

Clement_pgx's Bio

Badges ScottieJ Earned

Recent Activity

Multi-line Event Parsing Using Grok

MSV Onboarding - Crafty way to establish the Cloud Hosted Actor Allow List

Using Report Builder to Debrief Executives - Keep it Simple

Mandiant Security Validation - AEDA as your pre-flight checklist

MSV Direct Integrations - Simplify Field Mappings

Re: What is GOLD and Silver parser in Chronicle? Can someone share details?

Re: SecOps IDE: Output for Downstream Use

Re: Forwarder audit logs

Re: How to use MSV and Virustotal to assess against Data exfiltration using curl

Re: Bring Audit logs to Chronicle