I am Zach

If you've ever spun up a Windows server with RDP exposed, you already know what the logs look like. Within hours, sometimes minutes, Event ID 4625 starts flooding the Security log. Failed logon. Failed logon. Failed logon. Different usernames, same IP. Same username, different IPs. The internet is constantly knocking. On Linux, tools like fail2ban and crowdsec have solved this problem for years. On Windows? You're mostly on your own. There are third-party agents, EDR add-ons, and cloud-based solutions, but if you want something lightweight, auditable, and dependency-free that you can just drop on a box and run, the options are slim. So I built one: Simple Windows Firewall Bouncer (SWFB) . What It Does SWFB is a PowerShell script that runs in a loop, watches Windows Security Event Logs for failed logon attempts (Event ID 4625), and fires off netsh advfirewall rules to block offending IPs, automatically, with no external software required. It handles three distinct...

In a previous post I released a library of DFIR-IRIS case templates covering common incident types. Those templates give you a pre-built task list, structured note directories, and a report scaffold, but the actual narrative content still needs to be written by a human analyst at the end of a long and usually exhausting investigation. I've been experimenting with a different approach: embedding structured LLM prompts directly inside the case template's summary field, so that when the investigation is complete, an AI can draft the report narrative from the case data automatically. This post describes the concept, shows how the prompts are structured, and discusses where it works well and where it still needs a human. Experimental status: These are experimental templates. They are not a replacement for analyst judgment and should not be used to generate reports that go to stakeholders without review. The intent is to reduce the time cost of first-draft report writ...

Every incident starts the same way: a blank case. No structure, no task list, no note framework, just an empty canvas at the moment when you have the least time to think about documentation. Over time I got tired of rebuilding the same scaffolding from scratch, so I built a library of DFIR-IRIS case templates covering the most common incident types we handle in security operations. The templates are free, open-source, and available on GitHub. This post walks through what's included, how they're structured, and how to get started. What's Included The library currently covers 13 incident types: Template File What it covers 💼 Business Email Compromise BEC.json Account takeover, inbox rules, financial fraud, payroll diversion ☁️ Cloud Data Breach CloudDataBreach.json Cloud tenant/storage exposure, IAM investigation, provider coordination 🗃️ Data Breach DataBreach.json Unauthorized access/disclosure, GDPR/HIPAA/PCI-DSS/CCPA obligat...