Posted on

Security Onion for Beginners: Understanding Network Security Monitoring

Hello, aspiring ethical hackers. In our previous blogpost on Blue Teaming, you learnt the importance of network monitoring. In this article, you will learn about Security Onion, an operating system built for network monitoring. When beginners start learning cybersecurity, much of the focus is on individual tools—scanners, firewalls or endpoint software. However, in real-world environments, security teams rely heavily on network visibility to detect threats. This is where this platform plays a major role.


Security Onion is a network security monitoring and intrusion detection platform designed to help defenders detect, investigate and respond to suspicious activity across a network. For beginners, it provides an excellent introduction to how blue teams monitor traffic and identify threats at scale.

What Is Security Onion?

Security Onion is a free and open-source platform that combines multiple security tools into a single solution for network monitoring, intrusion detection and threat hunting. It is commonly deployed by security operations centers (SOCs), incident responders and blue teams.

Developed by Security Onion Solutions, it integrates tools such as network intrusion detection systems, log analysis components and dashboards into one cohesive platform. Simply put, it helps answer the question:
“What is happening on my network right now, and does any of it look suspicious?”

Core Components of Security Onion

Security Onion is not a single tool. It is a collection of tools working together. Beginners do not need to master all of them immediately, but understanding their roles is important. Let’s learn about some of the core components of this platform.

1. Network Sensors:

These monitor network traffic and look for suspicious patterns, such as scanning, exploitation attempts or command-and-control communication.

2. Alerts:

When suspicious activity is detected, alerts are generated for analysts to review.

3. Logs and Event storage:

Security Onion stores alerts and related metadata so analysts can search and investigate past events.

4. Dashboards and Interfaces:

Visual dashboards help analysts see what is happening on the network and prioritize alerts.

What Security Onion Is Used For?

Security Onion is primarily used for network-based detection and investigation, which includes:

  • Detecting intrusion attempts and suspicious traffic
  • Monitoring east–west and north–south network traffic
  • Investigating alerts generated by network sensors
  • Performing threat hunting using network data
  • Supporting incident response investigations

It is especially useful when malware or attackers try to hide on endpoints but still need to communicate over the network.

How Security Onion Fits into a SOC Workflow?

Security Onion usually sits early in the detection pipeline. A simplified SOC workflow looks like this:

  1. Network traffic flows through sensors
  2. Security Onion analyzes the traffic
  3. Alerts are generated for suspicious activity
  4. Analysts review and investigate alerts
  5. Findings are escalated or documented

For beginners, this workflow shows how detection happens before deeper forensic analysis or incident response actions.

Security Onion vs Other Security Tools

Beginners sometimes confuse Security Onion with other security platforms. Let’s explain the differences.

  • Firewalls control traffic but do not deeply analyze it
  • SIEMs aggregate logs from many sources
  • EDR tools focus on endpoint activity
  • Security Onion focuses on network visibility and intrusion detection

Security Onion does not replace these tools. It complements them by providing deep insight into network behavior.

Why Learning Security Onion Is Valuable for Beginners?

Beginners often learn about attacks in isolation: one exploit, one malware sample, one compromised system. Security Onion shifts that perspective to the network level, where defenders look for patterns and anomalies across many systems at once. Learning Security Onion helps beginners understand:

  • How network traffic reveals attacker behavior
  • How alerts are generated and investigated
  • How multiple security tools work together
  • How SOC analysts monitor environments continuously

It teaches defensive thinking rather than exploitation. Security Onion is widely used in:

  • Incident response investigations
  • SOC environments
  • Blue team training labs
  • Network defense programs

For beginners, learning about this builds strong foundations in:

  • Network security concepts
  • Intrusion detection
  • Alert investigation
  • Defensive cybersecurity thinking

These skills remain valuable regardless of which tools you use later.

Simple Beginner Learning Workflow

Beginners using Security Onion should focus on understanding alerts rather than tuning complex rules. A simple learning approach is:

  1. Observe generated alerts
  2. Learn what “normal” traffic looks like
  3. Investigate why an alert was triggered
  4. Correlate alerts with timestamps and IP addresses
  5. Document findings and conclusions

This approach builds analytical skills instead of tool dependency.

Common Challenges Beginners Face

Security Onion can feel overwhelming at first. Common beginner challenges include:

  • Large numbers of alerts
  • Difficulty distinguishing real threats from noise
  • Understanding network protocols and traffic patterns
  • Interpreting alert context correctly

These challenges are normal. With practice, beginners learn to filter noise and focus on meaningful signals.

Conclusion

Security Onion teaches beginners one of the most important lessons in cybersecurity: defense starts with visibility. By monitoring network traffic and understanding alerts, defenders can detect attacks early—often before serious damage occurs.

For beginners, Security Onion is less about mastering every feature and more about learning how networks behave, how attacks stand out and how SOC analysts investigate threats. As a result, it is an excellent entry point into modern blue-team and network security operations.


osquery for Beginners: Asking Questions of Your Systems

Hello, aspiring ethical hackers. In our previous blogposts, you learnt about Threat Hunting, Digital Forensics and Incident Response. In this article, you will learn about a tool that plays an important role in all the above. When beginners start learning cybersecurity, system visibility often feels overwhelming. Logs are scattered, endpoints behave differently and it’s hard to answer simple questions like “What processes are running right now?” or “Which machines have this software installed?” This is exactly the problem osquery was designed to solve.

osquery allows security teams and system administrators to query operating systems the same way they query a database. For beginners, it offers a simple and powerful way to understand what is happening on systems, without needing complex scripts or intrusive tools.

What Is osquery?

osquery is an open-source endpoint instrumentation framework that exposes operating system data as SQL-like tables. Instead of writing custom scripts, users can ask structured questions such as:

  • What processes are running?
  • Which users exist on this system?
  • What network connections are active?
  • Which startup items are configured?

osquery was originally developed at Facebook (now Meta) and is widely used by security teams, SOCs and system administrators for visibility, monitoring and threat detection. In simple terms, osquery turns your operating system into a queryable data source.

How osquery works?

osquery collects information from the operating system and organizes it into tables, similar to a relational database. Examples include:

  • processes – running processes
  • users – local user accounts
  • listening_ports – services listening on the network
  • startup_items – programs that run at boot

You use SQL-style queries to retrieve information from these tables. For example, you might query which processes are running or which users have logged in recently. Importantly, osquery does not exploit systems or inject code. It simply observes and reports the state of the system.

Typical Workflow with osquery

A simple osquery learning workflow looks like this:

  1. Decide what question you want answered
  2. Identify the relevant osquery table
  3. Run a basic query
  4. Review and interpret results
  5. Refine the query if needed
  6. Document findings

This mirrors how professional threat hunters work, iteratively and methodically.

osquery in Security Operations

osquery is commonly used in cybersecurity for:

  • Threat hunting: Searching for suspicious processes or configurations
  • Incident response: Quickly gathering system information
  • Compliance monitoring: Checking security settings across systems
  • Asset visibility: Understanding what software and services exist

For beginners, this shows how security teams move from guesswork to evidence-based investigations.

Common Use Cases

Some beginner-friendly osquery use cases include:

  • Listing all running processes
  • Finding unusual network connections
  • Checking which users have administrator privileges
  • Identifying startup programs
  • Verifying security configurations

These tasks help beginners understand both normal behavior and anomalies.
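osquery tables are queried with SQLite syntax, so the three queries below (process-to-port join, deleted binaries, administrative group membership) are the same text you would type into osqueryi. This is an added example, not osquery project code: because no live host is available offline, it recreates a column subset of the real processes, listening_ports, users, user_groups and groups tables in an in-memory sqlite3 database filled with constructed rows, and it covers both the "How osquery works" tables and the use cases listed above.

```python
import sqlite3

# Subset of the real osquery schemas; column names match osquery's tables.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT,
                        uid INTEGER, parent INTEGER, on_disk INTEGER);
CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER,
                              address TEXT);
CREATE TABLE users (uid INTEGER, username TEXT, shell TEXT);
CREATE TABLE user_groups (uid INTEGER, gid INTEGER);
CREATE TABLE groups (gid INTEGER, groupname TEXT);
"""

# Constructed sample rows: a normal sshd and nginx, plus one process whose
# executable was deleted after launch (on_disk = 0) and that listens on a
# high port. protocol 6 = TCP, 17 = UDP, as in osquery.
SAMPLE_ROWS = {
    "processes": [
        (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0, 0, 1),
        (812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 0, 1, 1),
        (1201, "nginx", "/usr/sbin/nginx", "nginx: master process", 0, 1, 1),
        (4410, "updater", "/tmp/.cache/updater", "/tmp/.cache/updater", 1001, 1, 0),
    ],
    "listening_ports": [
        (812, 22, 6, "0.0.0.0"),
        (1201, 443, 6, "0.0.0.0"),
        (4410, 4444, 6, "0.0.0.0"),
        (4410, 0, 17, "::"),  # port 0 rows are unbound sockets: noise to filter out
    ],
    "users": [(0, "root", "/bin/bash"), (1001, "alice", "/bin/bash"),
              (1002, "bob", "/bin/bash")],
    "user_groups": [(0, 0), (1001, 1001), (1001, 27), (1002, 1002)],
    "groups": [(0, "root"), (27, "sudo"), (1001, "alice"), (1002, "bob")],
}

# 1. Which process owns each listening socket? (the classic osquery join)
LISTENING_PROCESSES = """
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;
"""

# 2. Running processes whose binary no longer exists on disk.
DELETED_BINARIES = """
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;
"""

# 3. Which local users belong to an administrative group? (Linux group names)
ADMIN_USERS = """
SELECT u.username, g.groupname
FROM users AS u
JOIN user_groups AS ug ON u.uid = ug.uid
JOIN groups AS g ON ug.gid = g.gid
WHERE g.groupname IN ('root', 'sudo', 'wheel', 'admin')
ORDER BY u.username;
"""


def build_db():
    """In-memory stand-in for the live tables osqueryi would expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def run(query, conn=None):
    """Run one osquery-style query and return the result rows as tuples."""
    conn = conn or build_db()
    return conn.execute(query).fetchall()
```

On a real host, paste the same query text into osqueryi; only the table contents differ.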

osquery vs Traditional Logging

It helps to understand the difference between how osquery works and how traditional logs work.

Traditional Logs:

  • Record events after they happen
  • Often noisy and inconsistent
  • Hard to ask follow-up questions

osquery:

  • Provides current system state
  • Structured and queryable
  • Easy to pivot and refine questions

osquery doesn’t replace logs. It complements them by answering questions logs cannot.

Why osquery Is Valuable for Beginners?

Beginners often struggle with where to look during investigations. osquery simplifies this by offering:

  • A consistent way to inspect systems
  • A familiar SQL-style query language
  • Read-only access by default (safer learning)
  • Cross-platform support (Windows, Linux, macOS)

Instead of memorizing commands for each operating system, beginners can focus on just asking the right questions. osquery is widely used in:

  • SOC environments
  • Threat hunting teams
  • Incident response operations
  • Endpoint monitoring platforms

Learning osquery builds foundational skills in:

  • Endpoint visibility
  • Analytical thinking
  • Query-based investigations
  • Defensive security mindset

These skills are transferable to many other security tools.

Challenges Beginners May Face

Like any tool, osquery has a learning curve. Beginners may encounter:

  • SQL syntax mistakes
  • Large amounts of returned data
  • Difficulty interpreting results
  • Uncertainty about what “normal” looks like

These challenges improve with practice. The key is learning to ask smaller but focused questions.

Best Practices for Beginners

If you’re new to osquery:

  • Use it in labs or test environments
  • Start with read-only queries
  • Focus on understanding results, not speed
  • Document what each query tells you
  • Combine osquery data with logs and alerts

osquery is most powerful when used thoughtfully.

Conclusion

osquery teaches a critical cybersecurity lesson: good security starts with good questions. Instead of guessing what might be wrong, you ask the system directly and get structured answers. For beginners, osquery is an excellent gateway into endpoint visibility, threat hunting and modern blue-team workflows. By learning how to query systems safely and intelligently, you build skills that remain valuable across nearly every area of cybersecurity.


MISP for Beginners: Sharing Threat Intelligence the Right Way

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about Threat Intelligence. In this article, you will learn about Malware Information Sharing Platform (MISP), which plays an important role in Threat Intelligence. When beginners start learning cybersecurity, most of the focus is on tools that detect or analyze threats. These tools may be SIEMs, scanners or forensic utilities. However, modern security teams also rely heavily on threat intelligence which gives information about attackers, threat indicators and campaigns that helps them prepare before an incident happens.

This is where MISP comes in. It helps organizations collect, organize, share and use threat intelligence in a structured and collaborative way. For beginners, it provides a practical introduction to how intelligence-driven security actually works.

What Is MISP?

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform designed to store, share and correlate indicators of compromise (IOCs) and related contextual information. It is developed and maintained by the MISP Project and is widely used by:

  • Security operations centers (SOCs)
  • Incident response teams
  • CERTs and CSIRTs
  • Threat intelligence teams

In simple terms, MISP answers this question:
“What do we know about threats, and how can we share that knowledge safely?”

Core Concepts of MISP

If you understand a few key concepts, it will make MISP much easier to grasp. These concepts help beginners understand how intelligence is structured, not just collected.

1. Events:

An event represents a security incident, campaign or investigation. It acts as a container for related information.

2. Attributes:

Attributes are individual pieces of intelligence, such as:

  • IP addresses
  • Domains
  • File hashes
  • URLs
  • Email addresses

Each attribute includes context, such as type, category and confidence.

3. Objects:

Objects group related attributes together. For example, a “file” object may include a filename, hash and size.

4. Tags:

Tags help classify events and attributes into:

  • Malware families
  • Threat actor names
  • Confidence levels
  • Traffic light protocol (TLP) markings

MISP in a SOC Workflow

A simplified SOC workflow involving MISP looks like this:

  1. An incident or suspicious activity is detected
  2. Indicators are identified during investigation
  3. Indicators are added to MISP as an event
  4. Other teams or organizations can reuse that intelligence
  5. Detection systems are updated using shared indicators

This workflow highlights an important lesson: intelligence becomes more valuable when it is shared responsibly.
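The core concepts above (an event containing attributes, a file object and TLP tags) and step 5 of the workflow (feeding shared indicators to detection systems) can be made concrete with MISP's own JSON event layout. This is an added example, not MISP Project code or PyMISP: it builds an event as plain dictionaries in that layout, pulls out the to_ids indicators a detection system would consume, and redacts the event by TLP marking before sharing; the audience names and the TLP-to-audience mapping are this example's simplified assumption, and every indicator value is constructed.

```python
import copy
import uuid

# Simplified reading of TLP 2.0 (an assumption of this example): the
# audiences that may receive data carrying each marking.
TLP_AUDIENCES = {
    "tlp:red": {"team"},
    "tlp:amber+strict": {"team", "org"},
    "tlp:amber": {"team", "org"},
    "tlp:green": {"team", "org", "community"},
    "tlp:clear": {"team", "org", "community", "public"},
    "tlp:white": {"team", "org", "community", "public"},  # TLP 1.0 name
}
TLP_ORDER = ["tlp:clear", "tlp:white", "tlp:green", "tlp:amber",
             "tlp:amber+strict", "tlp:red"]  # least to most restrictive


def new_event(info, date, distribution=1, tags=()):
    """Event container in MISP JSON layout. distribution 1 = this community only."""
    return {"Event": {
        "uuid": str(uuid.uuid4()), "info": info, "date": date,
        "threat_level_id": "2", "analysis": "1", "distribution": str(distribution),
        "Attribute": [], "Object": [], "Tag": [{"name": t} for t in tags]}}


def add_attribute(event, atype, value, category, to_ids=True, tags=(), comment=""):
    """One indicator plus its context: type, category, to_ids flag and tags."""
    attr = {"uuid": str(uuid.uuid4()), "type": atype, "category": category,
            "value": value, "to_ids": to_ids, "comment": comment,
            "Tag": [{"name": t} for t in tags]}
    event["Event"]["Attribute"].append(attr)
    return attr


def add_file_object(event, filename, sha256, size):
    """A 'file' object grouping filename, hash and size, as the text describes."""
    rel = lambda r, t, v, ids: {"object_relation": r, "type": t, "value": v, "to_ids": ids}
    obj = {"uuid": str(uuid.uuid4()), "name": "file", "meta-category": "file",
           "Attribute": [rel("filename", "filename", filename, False),
                         rel("sha256", "sha256", sha256, True),
                         rel("size-in-bytes", "size-in-bytes", str(size), False)]}
    event["Event"]["Object"].append(obj)
    return obj


def _all_attributes(event):
    yield from event["Event"]["Attribute"]
    for obj in event["Event"]["Object"]:
        yield from obj["Attribute"]


def ids_indicators(event):
    """Indicators flagged to_ids, grouped by type: what an IDS/SIEM feed would take."""
    out = {}
    for a in _all_attributes(event):
        if a.get("to_ids"):
            out.setdefault(a["type"], []).append(a["value"])
    return out


def _tlp_of(tags):
    names = [t["name"] for t in tags if t["name"] in TLP_AUDIENCES]
    return max(names, key=TLP_ORDER.index) if names else None


def most_restrictive_tlp(event):
    """The marking that governs the whole event: strictest on it or on any attribute."""
    marks = [_tlp_of(event["Event"]["Tag"])]
    marks += [_tlp_of(a.get("Tag", [])) for a in _all_attributes(event)]
    marks = [m for m in marks if m]
    return max(marks, key=TLP_ORDER.index) if marks else None


def redact_for(event, audience):
    """Deep copy with attributes the audience may not receive removed.
    Unmarked attributes inherit the event marking (an unmarked event counts as amber)."""
    ev = copy.deepcopy(event)
    default = _tlp_of(ev["Event"]["Tag"]) or "tlp:amber"
    ok = lambda a: audience in TLP_AUDIENCES[_tlp_of(a.get("Tag", [])) or default]
    ev["Event"]["Attribute"] = [a for a in ev["Event"]["Attribute"] if ok(a)]
    for obj in ev["Event"]["Object"]:
        obj["Attribute"] = [a for a in obj["Attribute"] if ok(a)]
    return ev


def example_event():
    """Constructed phishing event: green overall, with one red internal detail."""
    ev = new_event("Constructed phishing campaign (example)", "2024-01-15", tags=["tlp:green"])
    add_attribute(ev, "ip-dst", "203.0.113.10", "Network activity", comment="C2 (constructed)")
    add_attribute(ev, "domain", "lure.example", "Network activity")
    add_attribute(ev, "ip-src", "10.0.0.5", "Internal reference", to_ids=False,
                  tags=["tlp:red"], comment="victim workstation, not for sharing")
    add_file_object(ev, "invoice.exe", "00" * 32, 48128)  # placeholder hash value
    return ev
```

json.dumps(example_event(), indent=2) gives the document shape a MISP export or import expects; the red-tagged attribute is what makes the whole event unshareable until redact_for() strips it.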

MISP vs Other Security Tools

Beginners sometimes confuse MISP with SIEMs or detection platforms. But this is wrong. Here are the key differences.

  • SIEMs focus on log collection and correlation
  • IDS/IPS tools detect suspicious network activity
  • EDR tools focus on endpoint behavior
  • Whereas MISP focuses on organizing and sharing threat intelligence

MISP does not replace these tools. It enhances them by providing context and collective knowledge.

Common Use Cases of MISP

MISP is not a detection tool by itself. Instead, it supports many security workflows including:

  • Threat intelligence sharing between trusted organizations
  • Enriching alerts from SIEMs or IDS systems
  • Incident response investigations, adding context to indicators
  • Threat hunting, using known IOCs to search environments
  • Research and analysis, tracking campaigns over time

For beginners, this shows how intelligence feeds into real operational security. Beginner-friendly use cases include:

  • Storing IOCs from lab investigations
  • Tracking phishing indicators
  • Sharing indicators between blue-team exercises
  • Learning how threat campaigns evolve
  • Understanding confidence and data quality in intelligence

Challenges Beginners May Face

MISP introduces new concepts that can be challenging for beginners at first. These include:

  • Understanding data quality and false positives
  • Learning when not to share sensitive information
  • Managing large numbers of indicators
  • Interpreting confidence and context correctly

These challenges are normal. Beginners should focus on quality over quantity.

Why Learning MISP Is Valuable?

MISP is widely used in:

  • SOC and blue-team environments
  • Threat intelligence sharing communities
  • CERT and national cyber defense teams
  • Research and analysis roles

For beginners, learning about this builds skills in:

  • Threat intelligence fundamentals
  • Collaboration and information sharing
  • Context-driven security decisions
  • Strategic thinking beyond alerts

Conclusion

Beginners often see security as a purely technical activity that involves running tools and responding to alerts. MISP introduces a broader perspective by showing that information sharing and context are just as important. Learning it helps beginners understand:

  • What threat intelligence really is (and what it is not)
  • How indicators are collected and enriched
  • How teams collaborate across organizations
  • How intelligence supports detection and response

Instead of working in isolation, MISP encourages a community-driven defense mindset. It teaches beginners a critical cybersecurity lesson: defense improves when knowledge is shared. Instead of reacting to threats alone, teams work together using structured intelligence to detect and prevent attacks earlier.

For beginners, MISP is less about mastering every feature and more about understanding how intelligence is collected, contextualized and responsibly shared. These skills form a strong foundation for careers in SOC operations, threat intelligence and incident response.


Splunk for Beginners: Making Sense of Logs and Security Data

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Blue Teaming. In this article, you will learn about Splunk, a platform that plays a vital role in Blue Teaming. When you start learning cybersecurity, one of the first things you hear is: “Check the logs.” But what logs? Where are they stored? And how do you make sense of millions of events generated every day? This is where this platform comes in.

Splunk is a powerful platform that helps organizations collect, search, analyze and visualize machine data. For beginners, it serves as an excellent introduction to how real security teams monitor systems, investigate incidents and find suspicious activity.

What Is Splunk?

Splunk is a data analytics platform that specializes in machine-generated data, such as logs from servers, applications, firewalls, endpoints and cloud services. It is widely used by Security Operations Centers (SOCs), IT teams and incident responders.

It is commonly used for:

  • Log management
  • Security monitoring
  • Incident investigation
  • Operational troubleshooting

In simple terms, Splunk helps answer the question:
“What is happening across my systems right now and what happened in the past?”

How Splunk Works?

At a high level, it works in three main steps. They are:

1. Data Ingestion:

Splunk collects data from many sources, such as:

  • Operating system logs
  • Application logs
  • Network devices
  • Cloud services

This data is indexed so it can be searched quickly.

2. Searching and Analysis:

Once data is indexed, users can search it using the Splunk Search Processing Language (SPL). Beginners don’t need to master SPL immediately. Basic searches are often enough to get started.

3. Visualization and Alerts:

Splunk also allows users to create:

  • Dashboards
  • Charts and graphs
  • Alerts based on conditions

These features help teams spot issues quickly and track trends over time.
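The three steps above can be walked through end to end on a handful of log lines. This is an added example, not Splunk code: it ingests constructed sshd entries into events with named fields, runs a basic search, and raises an alert when one source exceeds a failed-login threshold; the SPL in the docstrings is the equivalent search you would type into Splunk, and the index name `auth` and the year 2024 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sshd entries in /var/log/auth.log style (sample input, not real data).
RAW_LOGS = """\
Jan 15 09:00:01 web01 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jan 15 09:00:07 web01 sshd[813]: Failed password for invalid user admin from 203.0.113.10 port 41000 ssh2
Jan 15 09:00:09 web01 sshd[814]: Failed password for root from 203.0.113.10 port 41002 ssh2
Jan 15 09:00:11 web01 sshd[815]: Failed password for root from 203.0.113.10 port 41004 ssh2
Jan 15 09:00:14 web01 sshd[816]: Failed password for invalid user test from 203.0.113.10 port 41006 ssh2
Jan 15 09:00:20 web01 sshd[817]: Failed password for bob from 10.0.0.7 port 50130 ssh2
Jan 15 09:00:25 web01 sshd[818]: Accepted password for bob from 10.0.0.7 port 50131 ssh2
Jan 15 09:00:31 web01 sshd[819]: Failed password for root from 203.0.113.10 port 41008 ssh2
"""

# Field extraction, the job Splunk does through sourcetypes or an SPL `rex` command.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<action>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def ingest(raw, year=2024):
    """Step 1, ingestion and indexing: turn raw lines into events with named
    fields plus _time and _raw, the two fields every Splunk event carries.
    Syslog lines omit the year, so it is supplied as a parameter (assumed 2024)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # Splunk would still index the raw text; it is skipped here
        ev = m.groupdict()
        ev["_time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev["_raw"] = line
        events.append(ev)
    return events


def search(events, **conditions):
    """Step 2, a basic search. SPL equivalent:  index=auth action=Failed"""
    return [e for e in events if all(e.get(k) == v for k, v in conditions.items())]


def failed_by_src(events):
    """SPL:  index=auth action=Failed | stats count by src"""
    return Counter(e["src"] for e in search(events, action="Failed"))


def brute_force_alert(events, threshold=5):
    """Step 3, an alert condition.
    SPL:  index=auth action=Failed | stats count by src | where count >= 5"""
    return {src: n for src, n in failed_by_src(events).items() if n >= threshold}


def timeline(events, src):
    """Investigation pivot: everything one source did, in time order.
    SPL:  index=auth src=10.0.0.7 | sort _time | table _time action user"""
    hits = sorted(search(events, src=src), key=lambda e: e["_time"])
    return [(e["_time"].strftime("%H:%M:%S"), e["action"], e["user"]) for e in hits]
```

The alert fires for 203.0.113.10 alone; bob's single failure followed by a success is the kind of noise the threshold is there to ignore, and timeline() is the pivot an analyst runs to confirm that.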

Common Security Use Cases of Splunk

It is widely used in cybersecurity for tasks such as:

  • Log analysis – Reviewing authentication attempts, errors and access logs
  • Threat detection – Identifying suspicious behavior or anomalies
  • Incident investigation – Reconstructing timelines during security incidents
  • Compliance monitoring – Tracking access and configuration changes
  • SOC dashboards – Providing real-time visibility into security events

Many SOC analysts spend a large part of their day inside Splunk.

Splunk in a SOC Workflow

This platform is usually part of a larger security ecosystem. A simplified SOC workflow looks like this:

  1. Systems and applications generate logs
  2. Logs are sent to Splunk
  3. Alerts are created based on suspicious patterns
  4. Analysts investigate events in Splunk
  5. Findings are escalated or documented

It helps connect alerts to actual evidence, instead of treating them as isolated warnings.

Splunk vs SIEM

Beginners often hear Splunk described as a SIEM (Security Information and Event Management) tool. While it can act as a SIEM, its core strength is data analysis.

  • Traditional SIEMs often focus on predefined security rules
  • Splunk focuses on flexible searching and analysis

Why Splunk Matters for Beginners?

Beginners often focus on individual tools or attacks, but real-world security work is about visibility and context. Splunk teaches beginners how to:

  • Work with large volumes of log data
  • Identify patterns and anomalies
  • Investigate alerts using evidence
  • Think like a SOC analyst

Learning this early helps bridge the gap between theory and real operational security. Moreover, Splunk skills are in high demand across:

Even basic knowledge of Splunk helps beginners understand how organizations monitor and investigate their environments. The skills you learn (log analysis, correlation and investigation) transfer easily to other tools.

What Beginners Should Focus On First?

Splunk can feel overwhelming at first. To make learning simple, beginners should focus on a few fundamentals:

  • Understanding what logs are and why they matter
  • Learning basic search queries
  • Reading timestamps and event fields
  • Building simple dashboards
  • Following investigation workflows

You do not need to learn advanced SPL or automation on day one.

Challenges Beginners May Face

It’s normal to face some challenges when learning Splunk, such as:

  • Large volumes of data
  • Complex search syntax
  • Too many dashboards and features
  • Difficulty knowing what is “normal” behavior

These challenges improve with practice and exposure. Labs and sample datasets are especially helpful for beginners.

Conclusion

Splunk is not just a tool. It’s a way of thinking about data and security. For beginners, it provides a practical window into how real-world security teams detect problems, investigate incidents and make decisions based on evidence.

By learning this early, beginners gain confidence working with logs, understanding alerts and seeing the bigger picture of cybersecurity operations. As you progress, this tool becomes not just a platform you use, but a skill that supports almost every area of modern security work.


TheHive for Beginners: Managing Security Incidents the Smart Way

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Blue Teaming. In this article, you will learn about TheHive, a platform that helps manage security incidents the smart way. When learning cybersecurity, many beginners focus on tools that detect threats—alerts, logs and suspicious activity. But detection is only the beginning. Once an alert fires, security teams still need to track, investigate, collaborate and document what happens next. This is where TheHive becomes important.

TheHive is a security incident response platform designed to help teams manage investigations in an organized, repeatable and collaborative way. For beginners, it provides a structured introduction to how real-world security operations centers (SOCs) handle incidents.

What Is TheHive?

TheHive is an open-source Security Incident Response Platform (SIRP) used by SOCs and DFIR teams to manage security alerts and incidents. Instead of relying on spreadsheets, emails or chat messages, teams use TheHive to centralize investigations in one place.

TheHive was developed by TheHive Project and is widely adopted by blue teams because it focuses on workflow, collaboration and documentation, not just tools.

In simple terms, TheHive answers the question:
“How do we handle security incidents in an organized and consistent way?”

Core Concepts of TheHive

If you want to learn about TheHive, you should begin with understanding a few key concepts which make it much easier to learn.

Alerts:

Alerts are raw security signals coming from other tools, such as SIEMs, EDR platforms or scripts. Alerts may indicate suspicious activity, but they are not yet confirmed incidents.

Cases:

A case is created when an alert is worth investigating. A case represents an incident under investigation and contains all related information, tasks and evidence.

Tasks:

Tasks break an investigation into actionable steps, such as:

  • Review logs
  • Analyze an IP address
  • Collect endpoint data
  • Write a summary

Observables:

Observables are pieces of data related to an incident, such as:

  • IP addresses
  • Domains
  • File hashes
  • Email addresses

How TheHive Fits into a SOC Workflow

TheHive is not a detection tool. It sits after detection in the security workflow. A simplified SOC workflow looks like this:

  1. A security tool generates an alert
  2. The alert is sent to TheHive
  3. An analyst reviews the alert
  4. A case is created if investigation is needed
  5. Tasks are assigned and completed
  6. Findings are documented and closed

For beginners, this provides a clear picture of how alerts turn into real investigations.

Collaboration and Case Management

One of TheHive’s biggest strengths is its collaboration. Using TheHive, multiple analysts can:

  • Work on the same case
  • Add notes and evidence
  • Assign tasks to each other
  • Track progress in real time

This reflects how real SOCs operate.

TheHive Compared to Other Security Tools

Beginners sometimes confuse TheHive with tools like SIEMs or forensic frameworks. However, they differ considerably.

  • SIEMs focus on collecting and correlating logs
  • EDR tools focus on endpoint detection and response
  • Forensic tools focus on deep technical analysis
  • Whereas TheHive focuses on managing the investigation process

TheHive does not replace the tools above; it connects them together through workflow.

Why Beginners Should Learn TheHive?

Beginners often learn tools like scanners, SIEMs or forensic utilities, but struggle to understand how investigations are actually managed. TheHive fills this gap by teaching:

  • How alerts become investigations
  • How tasks are assigned and tracked
  • How evidence and notes are documented
  • How multiple people collaborate on the same incident

Learning TheHive helps beginners think like SOC analysts, not just tool operators.

Challenges Beginners May Face

Like any platform, TheHive has a learning curve. Beginners may find:

  • Case workflows unfamiliar at first
  • The number of features overwhelming
  • Integration concepts confusing

These challenges are normal. Beginners should focus on basic case creation, tasks and documentation before exploring automation or integrations.

Conclusion

TheHive teaches one of the most important cybersecurity lessons: handling incidents is as important as detecting them. For beginners, it provides a realistic view of how SOCs and DFIR teams organize investigations, collaborate and learn from incidents.

By learning TheHive early, beginners build strong foundations in incident response thinking—skills that remain valuable regardless of which tools or technologies they use in the future.