the dogesec blog

much post. so knowledge. many intel. very subscribe. wow.

• 

  Using Sigma Rules inside Attack Flows as a Structured Way to Describe an Incident

  tutorial developers analyst April 14, 2025

  Many attacks are described using free text. This happens, then this, then this. Whereas detection rules provide a structured way to represent these descriptions with actionable content. Attack Flows are the perfect vehicle to combine the two approaches.
• 

  Beyond the ATT&CK Matrix: How to Build Dynamic Attack Flows with STIX

  tutorial developers analyst March 17, 2025

  MITRE ATT&CK techniques are useful, but they don’t capture the sequence of an attack. Enter Attack Flows.
• 

  An Introduction pySigma: Converting Sigma Rules to Work with Your SIEM

  tutorial developers February 10, 2025

  Learn how to seamlessly convert Sigma Rules into queries for your SIEM. Follow along with real examples.
• 

  Enriching Vulnerabilities to Create an Intelligence Graph

  analysts developers October 14, 2024

  We do a lot of our research into vulnerabilities. To aid this, we enrich CVEs using many remote sources of intelligence. Here is a walk-through showing how we connect CVEs to EPSS scores, CISA KEVs, MITRE ATT&CK, CWEs, and CAPECs.
• 

  Writing Detection Rules to Identify if Products in my Stack are Vulnerable

  developers September 16, 2024

  Developing on last weeks post, I show you how to construct STIX Patterns to automatically flag which products are affected by published CVEs.
• 

  PSA: MITRE ATTCK is More Than Tactics and Techniques

  analysts developers July 15, 2024

  Software, Data Sources, Data Components, Campaigns, and more, make MITRE ATT&CK even more powerful than you might first realise. In this post I uncover the parts of ATT&CK you might not be aware of.
• 

  Fighting Disinformation: Classifying Your Research Using Standardised Disinformation Tactics and Techniques

  developers May 13, 2024

  Our intel team is increasingly using the DISARM framework to classify parts of our research as disinformation campaigns continue increase. In this post I will introduce the DISARM data structure.
• 

  The Problems with Modelling Countries as STIX Objects (and How to Fix Them)

  developers April 15, 2024

  Take the list of recognised countries and regions. Create STIX objects for them. Make them available to everyone so that the CTI world has a single way of representing them.
• 

  CTI Developers: We Built an API for MITRE ATT&CK, CWE, CAPEC, ATLAS... and more!

  analysts developers products February 12, 2024

  Here is a quick-start guide to CTI Butler showing you how much easier it makes working with these frameworks.
• 

  STIX Shifter: Turning STIX Patterns into SIEM Queries

  analysts developers tutorial November 13, 2023

  Learn how to translate STIX detection patterns into SIEM queries using STIX Shifter, and convert detections back into STIX Observed Data for evidence and correlation.
• 

  How to Write STIX Indicator Patterns for Real Detection Rules

  analysts developers tutorial October 16, 2023

  Learn how to turn threat intelligence into actionable detection rules. Learn how to build behavioral detection using STIX Patterns, and link sightings to evidence.
• 

  STIX Storage for Developers: Memory, Files, and Databases

  developers tutorial September 18, 2023

  A practical guide to storing and querying STIX 2.1 data using MemoryStore, FileSystemStore, and ArangoDB — with Python examples.
• 

  STIX Extensions in the Wild: How to Add What the Spec Forgot

  analysts developers tutorial August 14, 2023

  How to design and ship STIX 2.1 extensions — new objects, nested props, and bundles — that your consumers will love.
• 

  Schema Chaos and the Art of STIX Maintenance

  developers tutorial July 10, 2023

  All I wanted was EPSS and CVSS to show up in OpenCTI. Instead, I ended up reverse-engineering half its schema and building new STIX Extensions from scratch. Here’s the mildly painful but oddly satisfying journey.
• 

  Your First STIX Objects: A Developer’s Guide to STIX 2.1 with Python

  developers tutorial June 19, 2023

  The fast, code-first way to generate valid STIX 2.1 threat intelligence in Python. Covers SDOs, SCOs, relationships, versioning, and bundling — everything you need to start building and sharing structured intel like a pro.
• 

  Understanding STIX 2.1 Objects: A Foundation for Structured Threat Intelligence

  analysts developers tutorial May 14, 2023

  Forget the 50-page spec. This guide explains STIX 2.1 objects—SDOs, SCOs, SROs, SMOs, and Bundles—in plain English with real threat intel examples.