
Month: October 2017

In the previous article we examined a simple integration with external web resources using drilldowns. If you missed it, follow the link: Today we will get acquainted with one more interesting variant of drilldowns in Splunk: using depends panels. Depends panels in Splunk: an interesting way to use drilldowns in dashboards. Very often there […]
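The pattern the excerpt refers to, a drilldown on one panel that sets a token and a second panel that only appears once that token exists, as an added Splunk Simple XML example (not the article's own dashboard). The index name, the EventCode and the field names are assumptions chosen for illustration; substitute your own data:

```xml
<form>
  <label>Depends panel example (added illustration, not from the article)</label>
  <fieldset submitButton="false"></fieldset>

  <row>
    <panel>
      <title>Hosts with the most failed logons (last 24h)</title>
      <table>
        <search>
          <!-- assumed index and event code; adjust to your environment -->
          <query>index=wineventlog EventCode=4625 | stats count by host | sort -count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- clicking a row sets two tokens: the host and a flag that reveals the detail panel -->
        <drilldown>
          <set token="selected_host">$row.host$</set>
          <set token="show_details">true</set>
        </drilldown>
      </table>
    </panel>
  </row>

  <row>
    <!-- hidden until $show_details$ is set by the drilldown above -->
    <panel depends="$show_details$">
      <title>Failed logons on $selected_host$</title>
      <table>
        <search>
          <query>index=wineventlog EventCode=4625 host="$selected_host$" | table _time, user, src_ip, Logon_Type</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the detail panel only renders once `show_details` is set, its search does not run on dashboard load; the analyst starts from the summary and the host-specific query is only executed for the row they clicked.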

Security Advisory. Bad Rabbit Ransomware worm.


The research is based on OSINT evidence analysis, local evidence, feedback from attack victims, and the MITRE ATT&CK methodology used for actor attribution. SOC Prime would like to express gratitude to the independent security researchers and specialized security companies who shared their reverse engineering reports and attack analysis in public sources and on their corporate blogs. On […]

Updating IBM QRadar


Efficient SIEM operation depends directly on fixing detected vulnerabilities and issues in its functioning. The primary method for this is updating the system to the latest version. Updates can include fixes for security issues, new functionality, performance improvements, patches, and so on. In my recent article, we reviewed how to create backups in […]

ArcSight. Optimizing EPS (Aggregation and Filtration)


Almost all ArcSight beginners face a situation where the incoming EPS from log sources is high, especially when it is close to the license limit or causes performance issues. To reduce incoming EPS, ArcSight has two native methods for event processing: Event Aggregation and Filtration. In this article, I will try to […]

Enriching events with additional data


In the previous article, we examined Additional Data fields and how to use them. But what if events do not have the needed information even in the Additional Data fields? You may face the situation where events in ArcSight don't contain all the information analysts need, e.g. a user ID instead of a username, a host ID instead of […]

Configuration, Events and Content Backup in IBM QRadar


While working with a SIEM, you will eventually come across a situation where your tool needs to be updated to the latest version, moved to a different data center, or migrated to a higher-capacity installation. An integral part of this is creating backups and subsequently transferring data, configurations, or customized content to […]

Simple Virus Total integration with Splunk dashboards


A simple integration helps search for malicious processes. Greetings everyone! Let's continue to turn Splunk into a multipurpose tool that can quickly detect any threat. My last article described how to create correlation events using Alerts. Now I'll tell you how to make a simple integration with the VirusTotal database. Many of us use Sysmon […]

Good news everyone! It has now been 10 days since Google Security released 7 critical vulnerabilities along with PoC exploit code for the popular dnsmasq service, and the world is still alive as we know it. How long will this last? If we refer to the WannaCry outbreak, it takes a while from a public exploit being released […]