Threats

Using Ruby Code in Logstash for Translating Text from HEX

In Logstash pipelines that feed Elasticsearch, you might encounter fields that contain hexadecimal-encoded text. To decode such text back into its original readable form, Logstash lets you run Ruby code inside the pipeline configuration. This article demonstrates how to achieve this transformation.

Why Use Ruby for HEX Decoding?

Hexadecimal-encoded text often represents binary data or strings in […]

The post Using Ruby Code in Logstash for Translating Text from HEX appeared first on SOC Prime.
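The decoding logic such a Logstash ruby filter would run, as an added example rather than code from the SOC Prime post. It follows the script-file convention of the Logstash ruby filter (a filter(event) method that returns [event]); the field names payload_hex and payload, the tag _hexdecodefailure, and the EventStub class used to exercise the filter outside Logstash are assumptions. Malformed hex is tagged instead of dropped, and bytes that are not valid UTF-8 are scrubbed so the event still serializes cleanly downstream:

```ruby
# Added example: hex-to-text decoding as a Logstash `ruby` filter would run it.
# Field names "payload_hex"/"payload" and the tag "_hexdecodefailure" are
# assumptions, not taken from the original post.

HEX_RE = /\A(?:[0-9a-fA-F]{2})+\z/

# Decode a hex string into text. Returns nil when the input is not well-formed
# hex (odd length, stray characters, empty string), so the caller can tag the
# event instead of silently storing garbage.
def decode_hex(value)
  return nil unless value.is_a?(String)
  s = value.strip.sub(/\A0x/i, "")   # tolerate a leading 0x
  return nil unless s.match?(HEX_RE)
  bytes = [s].pack("H*")
  # Decoded bytes may be a binary blob rather than text; replace invalid UTF-8
  # sequences rather than raising so the event still serializes to JSON.
  bytes.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
end

# Minimal stand-in for the Logstash event API (get / set / tag), used only so
# the filter can be run and tested outside Logstash.
class EventStub
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def tag(name)
    (@fields["tags"] ||= []) << name
  end

  def to_hash
    @fields
  end
end

# Filter body as it would appear in a Logstash ruby filter script file.
def filter(event)
  decoded = decode_hex(event.get("payload_hex"))
  if decoded.nil?
    event.tag("_hexdecodefailure")
  else
    event.set("payload", decoded)
  end
  [event]
end
```

Keeping the failure tag lets you see in the index which events carried something that looked like hex but was not, which is itself useful when the encoded field is attacker-controlled.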

Threats

Fluentd: Work With Multiple Log Sources Within a Single Instance by Using @label

@label is a Fluentd feature that defines multiple processing pipelines within a single instance. Labels let you route log data through different pipelines, applying different configurations or processing steps to different kinds of logs.

How @label Works

@label routes events to specific pipelines. For instance, you might want to route logs from […]

Threats

DarkGate Malware Attack Detection: Voice Phishing via Microsoft Teams Leads to Malware Distribution

DarkGate Malware Resurfaces

Researchers have uncovered a new malicious campaign that uses voice phishing (vishing) to spread the DarkGate malware. In this attack, the adversaries posed as a known client on a Microsoft Teams call, tricking the victims into installing AnyDesk for remote access and then deploying the malware.

Detect DarkGate Malware Attacks

In the early summer of 2024, the […]

Threats

Monitoring Index Size Trends in Elasticsearch: Monthly and Daily Statistics

Tracking the growth or reduction of index sizes is crucial for effective cluster management in Elasticsearch. It helps administrators optimize resources, predict scaling needs, and identify anomalies. This guide outlines how to monitor index size trends, focusing on daily and monthly statistics.

Steps to Monitor Index Size Trends

1. Enable Index Size Monitoring

Elasticsearch provides index-level statistics through APIs. […]
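One way to turn the index-level statistics into daily and monthly trend figures, as an added example that is not code from the SOC Prime post. It assumes time-based index names of the form prefix-YYYY.MM.DD and consumes the two-column output of GET _cat/indices?h=index,store.size&bytes=b; the sample output below is constructed, not real cluster data. Beyond per-day and per-month totals it flags days whose total jumped or collapsed relative to the previous day, which is the kind of anomaly (a misconfigured shipper, a log flood from an attack, a retention job deleting the wrong indices) that trend monitoring exists to catch:

```ruby
# Added example: daily/monthly index size totals and abrupt-change detection
# from `GET _cat/indices?h=index,store.size&bytes=b` output.
# The index naming scheme and the sample data are assumptions.

SAMPLE_CAT_INDICES = <<~CAT
  logs-2024.12.01 5368709120
  logs-2024.12.02 5905580032
  logs-2024.12.03 12884901888
  logs-2025.01.01 6442450944
  .kibana_1 20480
CAT

DATED_INDEX = /(\d{4})\.(\d{2})\.(\d{2})\z/

# "index bytes" lines -> { index_name => bytes }
def parse_cat_indices(text)
  text.each_line.with_object({}) do |line, acc|
    name, size = line.split
    next if name.nil? || size.nil?
    acc[name] = Integer(size)
  end
end

# { "YYYY-MM-DD" => bytes }, sorted by date; indices without a date are ignored.
def daily_totals(sizes)
  totals = Hash.new(0)
  sizes.each do |name, bytes|
    m = name.match(DATED_INDEX) or next
    totals["#{m[1]}-#{m[2]}-#{m[3]}"] += bytes
  end
  totals.sort.to_h
end

# { "YYYY-MM" => bytes }, sorted by month.
def monthly_totals(sizes)
  daily_totals(sizes).each_with_object(Hash.new(0)) do |(day, bytes), acc|
    acc[day[0, 7]] += bytes
  end.sort.to_h
end

# Days whose total grew to >= factor times, or shrank to <= 1/factor of,
# the previous day's total. Returns [{ date:, previous:, ratio: }, ...].
def size_anomalies(daily, factor: 2.0)
  daily.to_a.each_cons(2).filter_map do |(prev_day, prev), (day, cur)|
    next if prev.zero?
    ratio = cur.to_f / prev
    next unless ratio >= factor || ratio <= 1.0 / factor
    { date: day, previous: prev_day, ratio: ratio.round(2) }
  end
end
```

store.size counts primaries and replicas together; if you want the trend of ingested data rather than of disk consumed, request pri.store.size instead and the rest of the code is unchanged.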

Threats

Understanding Key OpenSearch Dashboard Logging Settings

OpenSearch Dashboards is a powerful tool for visualizing and interacting with your OpenSearch data. To make the most of it, however, you need to understand its logging-related configuration settings. Below, we cover some key options and what they mean for your deployment.

1. Logging Queries with opensearch.logQueries

This setting enables the logging of […]

Threats

JVM GC Monitor Service Overhead: Root Cause and Recommendations

Problem Description

The JvmGcMonitorService overhead warnings indicate that the Java Virtual Machine (JVM) is spending a large share of its time in garbage collection, typically Old Generation (full) GC. During such a collection the JVM pauses all other activity (a stop-the-world pause) to reclaim memory, which can lead to disruptions such as:

- Unresponsiveness of Elasticsearch nodes to client or cluster requests.
- Node disconnections, which can cause cluster instability.

This behavior is often triggered […]
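A small triage script for these warnings, as an added example rather than code from the SOC Prime post. It assumes the two line formats JvmGcMonitorService emits ("[gc][N] overhead, spent [..] collecting in the last [..]" and "[gc][old][N][M] duration [..], collections ..."); the log lines below are constructed, not taken from a real cluster, and the 1s old-generation pause threshold is an arbitrary starting point to tune per cluster. The point it adds to the description above is quantitative: the overhead message already contains the numbers needed to express GC time as a percentage of wall-clock time, so you can rank nodes and time windows instead of reacting to every WARN:

```ruby
# Added example: parse JvmGcMonitorService log lines, compute GC overhead as a
# percentage, and surface long old-generation pauses. Line formats are the
# assumed Elasticsearch formats; sample lines are constructed.

SAMPLE_GC_LOG = <<~LOG
  [2024-12-10T08:15:01,123][WARN ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][12345] overhead, spent [2.8s] collecting in the last [3.1s]
  [2024-12-10T08:15:05,456][INFO ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][12349] overhead, spent [310ms] collecting in the last [1s]
  [2024-12-10T08:15:09,789][WARN ][o.e.m.j.JvmGcMonitorService] [node-1] [gc][old][12352][17] duration [4.1s], collections [1]/[4.6s], total [4.1s]/[1.3m], memory [3.8gb]->[1.1gb]/[4gb]
  [2024-12-10T08:15:10,001][INFO ][o.e.c.s.ClusterApplierService] [node-1] unrelated line that must be ignored
LOG

OVERHEAD_RE  = /\[gc\]\[(\d+)\] overhead, spent \[([\d.]+[a-z]+)\] collecting in the last \[([\d.]+[a-z]+)\]/
OLD_GC_RE    = /\[gc\]\[old\]\[(\d+)\]\[\d+\] duration \[([\d.]+[a-z]+)\]/
UNIT_SECONDS = { "ms" => 0.001, "s" => 1.0, "m" => 60.0, "h" => 3600.0 }.freeze

# "2.8s" / "310ms" / "1.3m" -> seconds as a Float
def parse_duration_s(str)
  m = str.match(/\A(\d+(?:\.\d+)?)(ms|s|m|h)\z/)
  raise ArgumentError, "unsupported duration #{str.inspect}" unless m
  m[1].to_f * UNIT_SECONDS[m[2]]
end

# Overhead line -> { seq:, spent_s:, window_s:, pct: }, or nil for any other line
def gc_overhead(line)
  m = line.match(OVERHEAD_RE)
  return nil unless m
  spent  = parse_duration_s(m[2])
  window = parse_duration_s(m[3])
  { seq: m[1].to_i, spent_s: spent, window_s: window, pct: (100.0 * spent / window).round(1) }
end

# Old-generation collection line -> { seq:, pause_s: }, or nil
def old_gc_pause(line)
  m = line.match(OLD_GC_RE)
  return nil unless m
  { seq: m[1].to_i, pause_s: parse_duration_s(m[2]) }
end

# Scan log text and return, in order, the events that breach the thresholds.
# 50% is the default level at which Elasticsearch itself logs the overhead
# message at WARN; the pause threshold is an assumption to tune per cluster.
def gc_findings(text, overhead_pct: 50.0, old_pause_s: 1.0)
  text.each_line.filter_map do |line|
    if (o = gc_overhead(line))
      { type: :overhead, seq: o[:seq], pct: o[:pct] } if o[:pct] >= overhead_pct
    elsif (p = old_gc_pause(line))
      { type: :old_gc_pause, seq: p[:seq], pause_s: p[:pause_s] } if p[:pause_s] >= old_pause_s
    end
  end
end
```

Run it over a node's log for the window around a disconnection: a run of overhead findings near 100% immediately before the master drops the node is the signature of the failure mode described above, whereas isolated findings in the 50-60% range are usually survivable.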

Threats

UAC-0099 Attack Detection: Cyber-Espionage Activity Against Ukrainian State Agencies Using WinRAR Exploit and LONEPAGE Malware

The UAC-0099 hacking collective, which has been launching targeted cyber-espionage attacks against Ukraine since the second half of 2022, has resurfaced in the cyber threat arena. The CERT-UA team observed a spike in the group’s malicious activity throughout November-December 2024 against Ukrainian government entities, using phishing as the attack vector and spreading LONEPAGE malware.

Detect UAC-0099 […]

Threats

How to Deal with the Warning: “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”

If you’ve worked with OpenSearch or Elasticsearch and encountered the “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic'” warning in your logs, you’re not alone. This message typically appears when a client makes a request to the cluster without the required Authorization header. As a result, the server responds with a 401 Unauthorized status and […]

Threats

Fluentd: How to Make Nested Hash from Dot-Separated Keys

When a log record has keys such as test.test, you can use either of two methods, the record_transformer filter or the explode plugin, to process these keys and create a nested structure. For example:

Input Log Record:

Method: record_transformer

Method: explode

Both methods give the same result.

Output Log:

But when using record_transformer, you have to follow many steps […]
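The transformation both methods perform, written as plain Ruby so it can be run and tested outside Fluentd; this is an added example, not code from the SOC Prime post or from either plugin. The sample records are constructed. It goes one step beyond the single case in the text: it nests to any depth, merges a dotted key into a hash the record already carries, and raises on a conflict such as a record with both "a" and "a.b", where one value would otherwise silently overwrite the other:

```ruby
# Added example: build a nested hash from dot-separated keys, the result that
# record_transformer and the explode plugin produce. Sample records in the
# tests are constructed.

# {"a.b" => 1, "a.c" => 2, "d" => 3} -> {"a" => {"b" => 1, "c" => 2}, "d" => 3}
# Raises ArgumentError when a key would have to be both a scalar and a hash.
def nest_dotted_keys(record, separator: ".")
  record.each_with_object({}) do |(key, value), out|
    parts = key.to_s.split(separator)
    parts = [key.to_s] if parts.empty?   # key was "" or only separators
    *path, leaf = parts

    # Walk (creating as needed) the intermediate hashes for the key's prefix.
    node = path.inject(out) do |h, part|
      child = h[part]
      unless child.is_a?(Hash)
        raise ArgumentError, "key conflict at #{part.inspect} while nesting #{key.inspect}" unless child.nil?
        child = h[part] = {}
      end
      child
    end

    # Nested hashes in the input may themselves contain dotted keys.
    nested_value = value.is_a?(Hash) ? nest_dotted_keys(value, separator: separator) : value
    existing = node[leaf]
    if existing.is_a?(Hash) && nested_value.is_a?(Hash)
      existing.merge!(nested_value)
    elsif !existing.nil?
      raise ArgumentError, "key conflict at #{key.inspect}"
    else
      node[leaf] = nested_value
    end
  end
end
```

Raising on conflict is the choice a pipeline should default to: a record whose shape changes depending on which key was seen first is exactly the kind of ambiguity that makes detection content match inconsistently.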

Threats

Essential Dev Tools Commands for Elasticsearch & OpenSearch Administrators

As an Elasticsearch administrator, using the Dev Tools Console in Kibana can significantly simplify cluster management and troubleshooting. Below is a curated list of useful commands to monitor and manage your Elasticsearch environment effectively.

1. Node and Disk Allocation

Check the distribution of shards and disk usage across nodes:

2. Field Data Statistics

View memory usage for […]
