A little while ago I wrote about grouping data by multiple fields in Splunk, which is a very useful function that produces hideous export files. I took some time to write a Python script to fix that and make the data a lot more useful for further analysis.
Splunk is a powerful tool, but with so many available functions and hit-and-miss coverage on forums it can sometimes take some trial and error to get queries right. Here’s what I pieced together to perform a count on a subset of events and group the data by two fields…
The security operations centre (SOC) is the heart of a firm’s cyber defences. Here are the basic elements and processes that a SOC uses to monitor for and respond to security incidents.
A while ago I wrote a post about using Python to parse tcpdump output for domains and URLs. Recently, I started to wonder if I could take that a step further. What if the DNS requests I saw could be checked against a blacklist in real time? And what if the output was presented in a more useful format? Here’s how I got these new features working.
The life of a SOC analyst – as is the case with many other jobs – can involve a lot of repetitive tasks, including the process of writing tens of similar emails each day. But what if this could be automated, saving time and reducing the potential for error?