Automated, Collection, and Enrichment (ACE)

•

5 likes•2,371 views

Blackhat Arsenal Presentation introducing the Automated, Collection, and Enrichment (ACE) platform which is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data.

Technology

Automated Collection &
Enrichment (ACE)
Jared Atkinson & Robby Winchester

Overview
● Concept
● Setup
○ System Requirements
○ Architecture
○ System Management
● Collection
● Automation
● Enrichment
● Data Export
● Future

What is ACE
● An open source solution that enables agentless threat
hunting in an environment
● Allows for scanning of remote Windows and macOS/Linux
systems
○ Only requires Local Admin access
○ macOS requires SSH enabled for a “sudoer” account
● Can perform host scans or be scheduled for routine use in
an enterprise

Why ACE?
● As consultants performing Compromise Assessments, we
rarely have the authority or ability to alter a
customer’s environment to support assessment operations
● No external dependencies or agent to install
● Executes solely in memory with nothing being written to
disk
● JSON formatted output allows for easy ingestion into SIEM
of choice
● It’s free!

Architecture Overview
Scan to Target Systems
Download Script & Return Results
Enriched Data
Target Network
Management
System
Scan Tasking
ACE

ACE Architecture
Enrichments
- Enriches scan data
- Outputs data from ACE
ACE Management
- Hosts users/computers/creds
- Backend management of ACE
Web Server
- Initiates scan activity
- Hosts scanning scripts
- Receives host data
Management
System
- Performs tasking

System Management
● Users - Internal ACE system accounts
○ Create, Enumerate, Remove, Update
● Credentials - Credentials to target systems
○ Add, Enumerate
● Scripts - Scans being run on remote systems
○ Add, Enumerate
● Computers - Computers in target environment
○ AD & Computer List Discovery

System Management
Web Server
Enrichments
ACE Management
Management
System
Add/R
em
ove
AC
E
O
bjects
ACE information
(Users/Credentials/Computers)
Discovery

Automation
● Architecture of ACE allows for easy configuration and use
● Schedule scans
○ Time in future
○ Repeat Scan ‘x’ times at ‘y’ interval
○ Can specify desired scripts/computers per scan
● Take care of collection process behind the scenes
○ Tasking and script execution
○ Upload of completed scan data

Automation
Web Server
Download
Scripts
Scheduling
Results
Enrichments
ACE Management
Management
System
Relay
Tasking
Access ACE Information for Scan

Collection
● Scripts
○ Windows - PowerShell (PS v2 compatible)
○ macOS/Linux - Python (2.7 with no dependencies)
● Downloaded and executed from the Web Server
● Results uploaded to web server via HTTPS POST requests

Collection
Web Server
Download
Scripts
Scan
Taskings
Results
Enrichments
ACE Management
Management
System
Relay
Tasking
Access ACE Information for Scan

Enrichment
● RabbitMQ messaging system used for enrichment
○ Queues and exchanges used to manage the data
○ Uses AMQP 0.9.1 messaging protocol
● Currently supports public API VirusTotal enrichment
● Allows for easy additional custom enrichments
○ Currently all written in C#, however RabbitMQ is supported in Python,
Java, Ruby, PHP, JavaScript, Go, Elixir, Objective-C, Swift, and
Spring AMQP

Enrichment
Web Server
Scan
Results
Enrichments
ACE Management
Management
System
Scan Results for Enrichment
Enriched Data

Pre_Hash
File
SIEM
X
ACE
Exchange
VirusTotal
Hash Match
C
FileWriter
C
SIEM
P
ACE Web
Server
C/P
RabbitMQ Enrichment Process

Data Export
● Enriched data can currently be exported from ACE two ways
○ Pulled from a RabbitMQ Queue straight to a SIEM (such as ELK)
■ Logstash can map to RabbitMQ input
○ Written out to flat files
● All data is formatted as one object per line flat JSON
○ Easily can import into SIEM of choice for analysis

Future Enhancements
● Simplified Deployment - 4 Aug
● Sweep Tracking - ~2 months
● Additional Scanning Scripts - Ongoing
○ Add wider Linux/Unix support
○ Additional Windows scripts
● Additional Protocol Support - Ongoing
● Additional Enrichments - Ongoing
○ IP Reputation
● Web GUI - TBD

What's hot

___________________________________________ Meetup#7 | Session 2 | 21/03/2018 | Taboola _____________________________________________ In this talk, we will present our multi-DC Kafka architecture, and discuss how we tackle sending and handling 10B+ messages per day, with maximum availability and no tolerance for data loss. Our architecture includes technologies such as Cassandra, Spark, HDFS, and Vertica - with Kafka as the backbone that feeds them all.

Distributed Kafka Architecture Taboola Scale

Apache Kafka TLV

Prometheus casual talk1

wyukawa

API Facade Pattern with Apache Synapse

Hiranya Jayathilaka

This presentation gives an overview of the Prometheus project. It explains Prometheus in terms of it's visualisation, time series processing capabilities and architecture. It also examines it's query language PromQL. Links for further information and connecting http://www.amazon.com/Michael-Frampton/e/B00NIQDOOM/ https://nz.linkedin.com/pub/mike-frampton/20/630/385 https://open-source-systems.blogspot.com/

Prometheus

Mike Frampton

HTTP Analytics for 6M requests per second using ClickHouse

Alexander Bocharov

How fast is it?

Patrick Meenan

Monitoring Kafka w/ Prometheus

kawamuray

Prometheus on AWS

Mitsuhiro Tanda

When your Kafka clusters start growing so is the cost associated with them. As administrators we have to ensure that the service we support is operating in the most reliable way to satisfy the customers. However, for our business it is as important that we ensure the same service is also cost-efficient. There are two ways we can optimize the cost of service – tuning broker machines and tuning the data transfers. Minimizing data transfer is the largest return on investment since that is what accounts for the most spend. With the use of Kafka administrative tools and metrics we can find multiple ways to reduce the data transfers in the clusters. The presentation will cover various techniques administrators of Kafka service can employ to reduce the data transfers and to save the operational costs. Reducing cross-AZ traffic, optimizing batching with use of DumpLogSegment script, utilizing Kafka metrics to shut down unused data streams and more. With an objective of making our Kafka deployment as cost effective as possible, we have gained money saving tricks. And we would love to share them with the community.

Administrative techniques to reduce Kafka costs | Anna Kepler, Viasat

HostedbyConfluent

Apache Kafka : Monitoring vs Alerting

Ratish Ravindran

Building data pipelines is pretty hard! Building a multi-datacenter active-active real time data pipeline for multiple classes of data with different durability, latency and availability guarantees is much harder. Real time infrastructure powers critical pieces of Uber (think Surge) and in this talk we will discuss our architecture, technical challenges, learnings and how a blend of open source infrastructure (Apache Kafka and Samza) and in-house technologies have helped Uber scale.

Hadoop summit - Scaling Uber’s Real-Time Infra for Trillion Events per Day

Ankur Bansal

Speaker: Yupeng Fu, Staff Engineer, Uber High availability and reliability are important requirements to Uber services, and the services shall tolerate datacenter failures in a region and fail over to another region. In this talk, we will present the active-active Apache Kafka® at Uber and how it facilitates disaster discovery across regions for Uber services. In particular, we will highlight the key components including topic replication, topic aggregation, offsets sync and then walk through several use cases of their disaster recovery strategy using active-active Kafka. Lastly, we will present several interesting challenges and the future work planned. Yupeng Fu is a staff engineer in Uber Data Org leading the streaming data platform. Previously, he worked at Alluxio and Palantir, building distributed data analysis and storage platforms. Yupeng holds a B.S. and an M.S. from Tsinghua University and did his Ph.D. research on databases at UCSD.

Disaster Recovery for Multi-Region Apache Kafka Ecosystems at Uber

confluent

Consul

Ariel Moskovich

Last year we (TouK) introduced Flink in one of the biggest polish telcoms in the domain of real time marketing and fraud detection. One of the most significant problems in adoption was lack of programming skills at our client - the users were supposed to be analytics/business people. Therefore, we developed a custom platform - TouK Nussknacker - which allows users to design processes with GUI by drawing diagrams. Our project is going to be open-sourced soon - this will happen before Flink Forward. We believe it can make stream processing with Flink more accessible in many use cases, especially in companies that don't have their own development teams. During the talk I’m going to describe architecture of our platform, why we made certain design decisions and about our future plans. I’ll also describe our experiences - when being able to use GUI is great and when it’s better to develop jobs as normal code. If time permits I’ll also show a quick demo of our solution.

Flink Forward Berlin 2017: Maciek Próchniak - TouK Nussknacker - creating Fli...

Flink Forward

Monitoring Kubernetes with Prometheus

Tobias Schmidt

Service Discovery with Consul - Arunvel Arunachalam

Neependra Khare

Integration Of Mulesoft and Apache Active MQ

Gaurav Talwadker

As many startups of the last decade, SoundCloud’s architecture started as a Ruby-on-Rails monolith, which later had to be broken into microservices to cope with the growing size and complexity of the site. The microservices initially ran on an in-house container management and deployment platform. Recently, the company has started to migrate to Kubernetes. With the introduction of microservices, the existing conventional monitoring setup failed both conceptually and in terms of scalability. Thus, starting in 2012, SoundCloud invested heavily into the development of the open-source monitoring system Prometheus, which was designed for large-scale highly dynamic service-oriented architectures. Migrating to Kubernetes, it became apparent that Prometheus and Kubernetes are a match made in open-source heaven. The talk will demonstrate the current Prometheus setup at SoundCloud, monitoring a large-scale Kubernetes cluster.

Monitoring a Kubernetes-backed microservice architecture with Prometheus

Fabian Reinartz

ICANN DNS Symposium (IDS 2019): RDAP CDN Distribution Experience

APNIC

Identifying the right deployment architecture is key when providing smooth operation of a production system. Deployment architecture is important for providing non-functional requirements such as availability, scalability and security for an enterprise software solution. In addition to those, a deployment architecture is key when supporting future business and technical requirements. Deployment patterns are a way to quickly determine best practices from production deployments identified from different industry verticals. After identifying the correct deployment architecture, it’s crucial to determine the size of the deployment by understanding the number of servers/VMs/containers necessary to support the minimum, average and possible maximum load that the system is expected to handle. This capacity planning session will discuss how to take a fact based approach to determine the size of your deployment.

WSO2Con USA 2015: Deployment Patterns and Capacity Planning

WSO2

What's hot (20)

Distributed Kafka Architecture Taboola Scale

Prometheus casual talk1

API Facade Pattern with Apache Synapse

Prometheus

HTTP Analytics for 6M requests per second using ClickHouse

How fast is it?

Monitoring Kafka w/ Prometheus

Prometheus on AWS

Administrative techniques to reduce Kafka costs | Anna Kepler, Viasat

Apache Kafka : Monitoring vs Alerting

Hadoop summit - Scaling Uber’s Real-Time Infra for Trillion Events per Day

Disaster Recovery for Multi-Region Apache Kafka Ecosystems at Uber

Consul

Flink Forward Berlin 2017: Maciek Próchniak - TouK Nussknacker - creating Fli...

Monitoring Kubernetes with Prometheus

Service Discovery with Consul - Arunvel Arunachalam

Integration Of Mulesoft and Apache Active MQ

Monitoring a Kubernetes-backed microservice architecture with Prometheus

ICANN DNS Symposium (IDS 2019): RDAP CDN Distribution Experience

WSO2Con USA 2015: Deployment Patterns and Capacity Planning

Similar to Automated, Collection, and Enrichment (ACE)

Red Hat Forum Tokyo - OpenStack Architecture Design

Dan Radez

Designing for operability and managability

Gaurav Bahrani

Open Audit

ncspa

Scaling 100PB Data Warehouse in Cloud

Changshu Liu

Exploring the Final Frontier of Data Center Orchestration: Network Elements -...

Puppet

Infra / Cont delivery - 3rd party automation

Shay Cohen

2009-08-24 Managing your Red Hat Enterprise Linux Guests with RHN Satellite

Shawn Wells

Bare Metal Provisioning for Big Data - OpenStack最新情報セミナー(2016年12月)

VirtualTech Japan Inc.

It is common for enterprises to give a high priority to security and compliance, as these are critical concerns for businesses of all sizes. One way that enterprises can address these concerns is by leveraging agent-based security and compliance tools. This ppt explains about the solution which helps to centrally deploy agents to all SSM managed workloads that enable a variety of use cases, such as endpoint security, threat intelligence, software asset management, inventory, license management, etc.

AWS_Community_Day_2023-Chathra Serasinghe.pptx

ChathraSerasinghe2

Creating an open source load balancer for S3

Anders Bruvik

slides (PPT)

webhostingguy

Containers 101 meetup talk recording posted here- https://codefresh.io/blog/containers-101-meetup-docker-accelerates-continuous-development/ Shimon Tolts, General Manager/ CTO of Data Solutions at ironSouce, joined us to talk about how they leverage Docker to simplify their workflow and deliver Big Data solutions to their customers faster. He shared their experience running Docker containers in production and how they took one of their base systems, considered "the backbone of the company," and transformed it using containers.

How Docker Accelerates Continuous Development at ironSource: Containers #101 ...

Brittany Ingram

Silverstripe at scale - design & architecture for silverstripe applications

BrettTasker

Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

ENT401 Deep Dive with Amazon EC2 Systems Manager

Amazon Web Services

Pcp

Reanimation Bk

Server Monitoring from the Cloud

Site24x7

EPM Automate - Automating Enterprise Performance Management Cloud Solutions

Joseph Alaimo Jr

TubeMogul grew from few servers to over two thousands servers and handling over one trillion http requests a month, processed in less than 50ms each. To keep up with the fast growth, the SRE team had to implement an efficient Continuous Delivery infrastructure that allowed to do over 10,000 puppet deployment and 8,500 application deployment in 2014. In this presentation, we will cover the nuts and bolts of the TubeMogul operations engineering team and how they overcome challenges.

USENIX LISA15: How TubeMogul Handles over One Trillion HTTP Requests a Month

Nicolas Brousse

Test rate limits in dry-run mode and monitor NGINX Plus using advanced metrics with NGINX Plus R19. On-Demand Link: https://www.nginx.com/resources/webinars/whats-new-nginx-plus-r19/ Watch this webinar to learn: - How to monitor your NGINX Plus ecosystem with fine-grained insights using advanced metrics - About dynamically blacklisting IP address ranges in the key-value Store - How to apply different bandwidth limits based on attributes of incoming traffic - About testing rate limits in dry-run mode

What's new in NGINX Plus R19

NGINX, Inc.

SCCM 2007 Introduction - PICC 2012

capriguy84

Similar to Automated, Collection, and Enrichment (ACE) (20)

Red Hat Forum Tokyo - OpenStack Architecture Design

Designing for operability and managability

Open Audit

Scaling 100PB Data Warehouse in Cloud

Exploring the Final Frontier of Data Center Orchestration: Network Elements -...

Infra / Cont delivery - 3rd party automation

2009-08-24 Managing your Red Hat Enterprise Linux Guests with RHN Satellite

Bare Metal Provisioning for Big Data - OpenStack最新情報セミナー(2016年12月)

AWS_Community_Day_2023-Chathra Serasinghe.pptx

Creating an open source load balancer for S3

slides (PPT)

How Docker Accelerates Continuous Development at ironSource: Containers #101 ...

Silverstripe at scale - design & architecture for silverstripe applications

ENT401 Deep Dive with Amazon EC2 Systems Manager

Pcp

Server Monitoring from the Cloud

EPM Automate - Automating Enterprise Performance Management Cloud Solutions

USENIX LISA15: How TubeMogul Handles over One Trillion HTTP Requests a Month

What's new in NGINX Plus R19

SCCM 2007 Introduction - PICC 2012

More from Jared Atkinson

Have you heard about Purple Teaming, but you were unsure of exactly what it is? Maybe you've heard it explained as "the red and blue teams working together to improve the organization's security posture." While that may be a good high level description of Purple Teaming as a concept, it lacks a clear direction of how this outcome is achieved. As they say, "The Devil is in the details." At SpecterOps, we believe that a Purple Team exercise is one that leverages an adversarial mindset to evaluate the overall efficacy of security controls, whether they are detective or preventative. Join us for an hour-long webinar where we will dive into the major questions regarding Purple Team including: - Why small changes in adversary tradecraft have a profound effect on detectability. - How to map variations between tools that implement the same technique. - How to construct a representative sample set of test cases.

Red + Blue, How Purple Are You

Jared Atkinson

In this presentation, Jared Atkinson and Jonathan Johnson discuss the problem that many security professionals are facing today. How exactly do I know if my detection will actually detect the thing I want to detect? We discuss the importance of testing telemetry coverage and using abstraction to build a representative sample set of Atomic tests to validate detection coverage. Scripts used in presentation can be found below: Process Access: https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02 Process Read: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1

Mapping Detection Coverage

Jared Atkinson

A Process is No One - Jared Atkinson and Robby Winchester Does your organization want to start Threat Hunting, but you're not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you're not able to analyze it properly. This talk begins with the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding "analysis paralysis." We will then walk through a detailed case study of detecting access token impersonation/manipulation from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common access token manipulations in use and detail the defensive detection implications for each of these cases. This comprehensive case study will better arm both attackers and defenders with how to better utilize their toolset to detect or avoid detection of token theft and manipulation.

Paranoia 2018: A Process is No One

Jared Atkinson

Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk focuses on the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a case study of Golden Ticket detection from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common Golden Ticket indicators and will release a new PowerShell script for extracting Kerberos ticket information without any dependencies on external binaries.

Purpose Driven Hunt (DerbyCon 2017)

Jared Atkinson

BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)

Jared Atkinson

44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell

Jared Atkinson

44CON London 2015: NTFS Analysis with PowerForensics

Jared Atkinson

More from Jared Atkinson (7)

Red + Blue, How Purple Are You

Mapping Detection Coverage

Paranoia 2018: A Process is No One

Purpose Driven Hunt (DerbyCon 2017)

BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)

44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell

44CON London 2015: NTFS Analysis with PowerForensics

Recently uploaded

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Exploring Multimodal Embeddings with Milvus

Zilliz

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Quantum Leap in Next-Generation Computing

WSO2

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

In this session, we will discuss the journey of API governance from its initial, ungoverned state to the development of sophisticated models that tackle contemporary challenges. We'll explore how APIs have become essential in the intersection of business and technology, adapting to advancements and evolving needs. We'll focus on how organizations have moved from launching to monetizing APIs, using models like pay-per-use and subscriptions, and finding the right balance between technical implementation and business strategy. We'll also highlight the impact of governance on monetization strategies, especially how data security, compliance, and service quality influence pricing. Real-world examples will demonstrate the effective integration of governance with monetization, including AI's role in dynamic pricing. Looking ahead, we'll share insights into future trends in API governance and monetization, emphasizing the importance of adaptability, continuous learning, and innovation.

API Governance and Monetization - The evolution of API governance

WSO2

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Architecting Cloud Native Applications

WSO2

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

The integration landscape is changing rapidly with the introduction of technologies like GraphQL, gRPC, stream processing, iPaaS, and platformless. However, not all existing applications and industries can keep up with these new technologies. Certain industries, like manufacturing, logistics, and finance, still rely on well-established EDI-based message formats. Some applications use XML or CSV with file-based communications, while others have strict on premises deployment requirements. This talk focuses on how Ballerina's built-in integration capabilities can bridge the gap between "old" and "new" technologies, modernizing enterprise applications without disrupting business operations.

Modernizing Legacy Systems Using Ballerina

WSO2

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Decarbonising Commercial Real Estate: The Role of Operational Performance

IES VE

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Recently uploaded (20)

[BuildWithAI] Introduction to Gemini.pdf

Exploring Multimodal Embeddings with Milvus

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Quantum Leap in Next-Generation Computing

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

AWS Community Day CPH - Three problems of Terraform

Six Myths about Ontologies: The Basics of Formal Ontology

API Governance and Monetization - The evolution of API governance

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Why Teams call analytics are critical to your entire business

Platformless Horizons for Digital Adaptability

Architecting Cloud Native Applications

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Modernizing Legacy Systems Using Ballerina

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Strategies for Landing an Oracle DBA Job as a Fresher

Decarbonising Commercial Real Estate: The Role of Operational Performance

CNIC Information System with Pakdata Cf In Pakistan

Automated, Collection, and Enrichment (ACE)

1. Automated Collection & Enrichment (ACE) Jared Atkinson & Robby Winchester

2. Overview ● Concept ● Setup ○ System Requirements ○ Architecture ○ System Management ● Collection ● Automation ● Enrichment ● Data Export ● Future

3. What is ACE ● An open source solution that enables agentless threat hunting in an environment ● Allows for scanning of remote Windows and macOS/Linux systems ○ Only requires Local Admin access ○ macOS requires SSH enabled for a “sudoer” account ● Can perform host scans or be scheduled for routine use in an enterprise

4. Why ACE? ● As consultants performing Compromise Assessments, we rarely have the authority or ability to alter a customer’s environment to support assessment operations ● No external dependencies or agent to install ● Executes solely in memory with nothing being written to disk ● JSON formatted output allows for easy ingestion into SIEM of choice ● It’s free!

5. Architecture Overview Scan to Target Systems Download Script & Return Results Enriched Data Target Network Management System Scan Tasking ACE

6. ACE Architecture Enrichments - Enriches scan data - Outputs data from ACE ACE Management - Hosts users/computers/creds - Backend management of ACE Web Server - Initiates scan activity - Hosts scanning scripts - Receives host data Management System - Performs tasking

7. System Management ● Users - Internal ACE system accounts ○ Create, Enumerate, Remove, Update ● Credentials - Credentials to target systems ○ Add, Enumerate ● Scripts - Scans being run on remote systems ○ Add, Enumerate ● Computers - Computers in target environment ○ AD & Computer List Discovery

8. System Management Web Server Enrichments ACE Management Management System Add/R em ove AC E O bjects ACE information (Users/Credentials/Computers) Discovery

9. Automation ● Architecture of ACE allows for easy configuration and use ● Schedule scans ○ Time in future ○ Repeat Scan ‘x’ times at ‘y’ interval ○ Can specify desired scripts/computers per scan ● Take care of collection process behind the scenes ○ Tasking and script execution ○ Upload of completed scan data

10. Automation Web Server Download Scripts Scheduling Results Enrichments ACE Management Management System Relay Tasking Access ACE Information for Scan

11. Collection ● Scripts ○ Windows - PowerShell (PS v2 compatible) ○ macOS/Linux - Python (2.7 with no dependencies) ● Downloaded and executed from the Web Server ● Results uploaded to web server via HTTPS POST requests

12. Collection Web Server Download Scripts Scan Taskings Results Enrichments ACE Management Management System Relay Tasking Access ACE Information for Scan

13. Enrichment ● RabbitMQ messaging system used for enrichment ○ Queues and exchanges used to manage the data ○ Uses AMQP 0.9.1 messaging protocol ● Currently supports public API VirusTotal enrichment ● Allows for easy additional custom enrichments ○ Currently all written in C#, however RabbitMQ is supported in Python, Java, Ruby, PHP, JavaScript, Go, Elixir, Objective-C, Swift, and Spring AMQP

14. Enrichment Web Server Scan Results Enrichments ACE Management Management System Scan Results for Enrichment Enriched Data

15. Pre_Hash File SIEM X ACE Exchange VirusTotal Hash Match C FileWriter C SIEM P ACE Web Server C/P RabbitMQ Enrichment Process

16. Data Export ● Enriched data can currently be exported from ACE two ways ○ Pulled from a RabbitMQ Queue straight to a SIEM (such as ELK) ■ Logstash can map to RabbitMQ input ○ Written out to flat files ● All data is formatted as one object per line flat JSON ○ Easily can import into SIEM of choice for analysis

17. Future Enhancements ● Simplified Deployment - 4 Aug ● Sweep Tracking - ~2 months ● Additional Scanning Scripts - Ongoing ○ Add wider Linux/Unix support ○ Additional Windows scripts ● Additional Protocol Support - Ongoing ● Additional Enrichments - Ongoing ○ IP Reputation ● Web GUI - TBD

Automated, Collection, and Enrichment (ACE)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Automated, Collection, and Enrichment (ACE)

Similar to Automated, Collection, and Enrichment (ACE) (20)

More from Jared Atkinson

More from Jared Atkinson (7)

Recently uploaded

Recently uploaded (20)

Automated, Collection, and Enrichment (ACE)