Threats

Making Use of Building Block Rules in Elastic

Within the “Advanced Options” of the “About Rule” section of an Elastic detection rule hides a useful feature that gets little attention: marking the rule as a building block. A building block rule still generates alerts, but they are hidden from the default alerts view, which makes them raw material that other rules can build on. This can be powerful. Here are some ideas to get you started!

Threshold Rules: Create some rules that look […]

The post Making Use of Building Block Rules in Elastic appeared first on SOC Prime.

Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk

When possible, use data models; they are generally your best bet for speed. However, not everything in your Splunk will be in a data model, and you may require a good old-fashioned index-based search. This may come as a surprise, as it is counterintuitive, but often using a token in an index-based […]
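As an added illustration of the technique (not from the SOC Prime post, whose text is truncated above), the search below adds the bare keywords 4688 and powershell ahead of the field filters. Splunk can resolve bare keywords against the index lexicon and skip events that do not contain them before any search-time field extraction runs, whereas a leading-wildcard field filter such as NewProcessName=*powershell.exe cannot prune at that stage on its own. The index name and the field names (EventCode, NewProcessName, ParentProcessName, ComputerName) are assumptions chosen to match the naming used elsewhere in this listing; adjust them to your Windows sourcetype.

```spl
index=windows sourcetype=WinEventLog:Security 4688 powershell
    EventCode=4688 NewProcessName=*powershell.exe
| stats count BY ComputerName, ParentProcessName, NewProcessName
```

To check that the keywords actually helped, run the search with and without the two bare terms and compare scanCount in the Job Inspector: a lower scanCount with the same eventCount means the indexer discarded events from the lexicon instead of reading and extracting fields from them. Keywords are matched case-insensitively, but they must be tokens the indexer produced; a value that only appears glued to other characters will not be found this way.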

Making Use of Fillnull and Values() to Increase Rule Resiliency in Splunk

Within Splunk, we use “stats” and “tstats” a bunch as threat hunters. However, these useful operations can cause interesting events to be dropped unexpectedly. For instance:

    index=windows sourcetype=*winevent* AND EventCode=4688 AND NewProcessName=*Evil.exe
    | stats count by ComputerName, ParentProcessName, NewProcessName, CommandLine

CommandLine is a field in 4688 events that needs to be enabled via […]
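The drop happens because stats discards any event in which one of the BY fields is null; if command-line auditing is off on some hosts, every 4688 event from those hosts silently vanishes from the result. The search below is an added example (not the post's own code) that reproduces the problem on a constructed dataset built with makeresults and then applies the two fixes the title refers to: fillnull to give the sparse fields a placeholder value, and values() to carry CommandLine as an aggregated field instead of a BY field. The host, process and command-line strings are invented sample data.

```spl
| makeresults count=3
| streamstats count AS n
| eval ComputerName="WS-01", NewProcessName="C:\\Temp\\Evil.exe"
| eval ParentProcessName=case(n=1, "C:\\Windows\\explorer.exe", n=2, "C:\\Windows\\System32\\cmd.exe")
| eval CommandLine=case(n=1, "Evil.exe -c 203.0.113.10:4444")
| fields - n
| fillnull value="<missing>" ParentProcessName CommandLine
| stats count, values(CommandLine) AS CommandLine BY ComputerName, ParentProcessName, NewProcessName
```

The three constructed events deliberately degrade: the first has both a parent and a command line, the second has only a parent, and the third has neither. With the fillnull line in place the output keeps all three rows, and the third row shows "<missing>" for the parent and the command line. Remove the fillnull line and move CommandLine back into the BY clause to watch two of the three events disappear from the output, which is exactly the failure mode a detection rule built on this search would have in production.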

Extracting fields in SPL

Sometimes when working with new log sources or unfamiliar event records being shipped to Splunk, you’ll encounter logs with important details that could be more useful if you had them captured in a field. The entirety of the text in an event can be found in the _raw field but specific details found in the […]
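As an added example (not code from the SOC Prime post, which is truncated above), the search below uses makeresults to stage a single constructed sshd authentication-failure line in _raw and then pulls the attacker-controlled details out of it with rex. The named capture groups become fields for the rest of the pipeline; the log line, field names and regular expression are all assumptions for illustration.

```spl
| makeresults
| eval _raw="May  1 10:15:22 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2"
| rex field=_raw "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+) (?<protocol>\S+)$"
| eval invalid_user=if(match(_raw, "invalid user"), "true", "false")
| table user src_ip src_port protocol invalid_user
```

The expected row is user=admin, src_ip=203.0.113.45, src_port=51234, protocol=ssh2, invalid_user=true. Once the expression is right, move it out of the search and into props.conf as an EXTRACT-<name> entry for the sourcetype so the fields exist for every search rather than only where someone remembered to add the rex; keep anchors such as the trailing $ in the expression, because an unanchored pattern applied to a whole sourcetype is where most costly or incorrect extractions come from.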

Elastic Flattened Fields Explained

Elastic has many “Field Types”. Flattened is a type that indexes an entire JSON object as a single field while keeping its subfields searchable, without mapping each subfield individually. Typically, for cyber security analysts, subfields appear in cloud logs, especially requests and responses, where the person who built the parser needed it to be future-proofed against the ever-changing cloud. For instance, if we had the […]

Splunk: How to Make Lookup Based on Wildcards

1) Add a stanza to transforms.conf:

    [field_from_sourcetype]
    batch_index_query = 0
    case_sensitive_match = 0
    filename = field_from_sourcetype.csv
    match_type = WILDCARD(Sourcetype)

2) Create the field_from_sourcetype.csv file with the wildcard patterns and put it in the lookups folder (keep the rows free of stray spaces, since a value such as " EventCode" with a leading space would not equal "EventCode"):

    Sourcetype,field_name
    *apache*,http_method
    *access_combined*,http_method
    *cloudtrail*,eventName
    *ms:aad*,Category
    *nginx*,http_method
    *ms:o365*,Workload
    *office365*,Workload
    *o365*,Workload
    *powershell*,EventCode
    *windows.ps*,EventCode
    *slack*,action
    *sysmon*,EventCode
    *zscaler*,http_method
    *system.security*,EventCode
    *winlog*,EventCode
    *wineventlog*,EventCode
    *windows.security*,EventCode

As a result – […]
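As an added example of using the definition above (not part of the SOC Prime post), the search below applies the wildcard lookup to every sourcetype seen in the last 15 minutes and flags the ones that matched no pattern, which is the quickest way to find gaps in the CSV. Because match_type is WILDCARD(Sourcetype), the CSV column holds patterns and the event field is matched against them, so the event's sourcetype is passed in under the CSV's column name with AS. The time range and the index=* scope are assumptions for illustration.

```spl
index=* earliest=-15m
| stats count BY sourcetype
| lookup field_from_sourcetype Sourcetype AS sourcetype OUTPUT field_name
| eval matched=if(isnull(field_name), "no", "yes")
| sort matched, - count
```

Two caveats a practitioner will hit: a sourcetype that matches more than one pattern (for example one containing both "windows" and "powershell") gets a multivalue field_name unless you set max_matches = 1 in the stanza, in which case the first matching CSV row wins, so order the rows from most to least specific; and the lookup must be shared with the app or role running the search, otherwise the lookup command fails rather than returning nulls.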

BlackSuit Ransomware Detection: Ignoble Scorpius Escalates Attacks, Targets 90+ Organizations Worldwide

Emerging last year as the successor to Royal ransomware, BlackSuit has quickly evolved into a highly sophisticated malicious spinoff, aggressively targeting organizations worldwide. Security researchers have recently observed a significant surge in activity by the Ignoble Scorpius group, the operator behind BlackSuit, with over 90 organizations falling victim to their relentless intrusions. Detect BlackSuit Ransomware […]

BianLian Ransomware Detection: AA23-136A Joint Cybersecurity Advisory Details on TTPs Leveraged by BianLian Operators in the Ongoing Malicious Campaigns

Following a wave of cyber attacks by the Iran-linked hacking collective tracked as Pioneer Kitten, the FBI, CISA, and authoring partners have issued a new alert notifying defenders of a growing threat posed by the BianLian Ransomware Group, which primarily targets critical infrastructure organizations in the U.S. and Australia.

Detect BianLian Ransomware

According to the State of […]