Posts

Network Security Automation Lab: Ansible + AWX for Firewall & Infrastructure Automation

LAB TOPOLOGY
This lab consists of four Cisco ASA firewalls deployed within the 192.168.145.0/24 subnet. Each firewall represents a different global region—North America, South America, EMEA, and APAC—allowing me to simulate a distributed enterprise network environment.

NA-FW1 – 192.168.145.190
SAM-FW1 – 192.168.145.191
EMEA-FW1 – 192.168.145.192
APAC-FW1 – 192.168.145.193

All Cisco ASA firewalls in this lab are configured with two object-groups—BlackList_Outbound and BlackList_Inbound—which are referenced in the ACLs to block traffic from known malicious IP addresses. As part of this automation, I created a simple workflow that updates these object-groups by automatically adding newly identified malicious IPs. This ensures that all firewalls consistently enforce the latest security blocks without requiring manual configuration on each device. I built an Ubuntu-based host to run and manage my AWX setup. Before applying any configurations using Ansible and AWX,...

My First Real-World Threat Hunting Experience (Personal Home Network)

Summary
On March 19, 2025, I decided to analyze my PC for unusual or malicious traffic and applications as a way to practice my Incident Response and Threat Hunting skills. After getting hooked on SOC analyst work, I saw this as my first real-world IR and Threat Hunting experience—not tied to an exam or CTF. Even though this was within my personal network, the concepts remained the same: a real environment, real malware, and real-world analysis; and, as you can see, the application had already been on my device since May 11, 2022. During my investigation, I discovered a malicious application and decided to document my findings for future reference. This initiative also allowed me to develop my own Threat Hunting methodology.

Investigation Summary
I started my investigation by examining network connectivity using netstat -anob in the command prompt. Upon reviewing the output, I noticed an unusual port—8080—standing out. Content showing all of the ESTABLISHED connections ...

Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM

First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn. As of this writing, the latest version of Sysmon is 15.5. Once the download is complete, go ahead and unzip the file. Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config: 🔗 https://github.com/SwiftOnSecurity/sysmon-config We will download this configuration for our setup. We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below. We can use net start to start Sysmon64; run on its own, net start lists all services that are running afterward, so we can confirm it started. To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, where you should see the corresponding event IDs. And now let's ingest Sysmon and Windows Defender logs into Elasticsearch. Click the Add integ...