Tag: SIEM & EDR

Extracting fields in SPL

Sometimes when working with new log sources or unfamiliar event records being shipped to Splunk, you’ll encounter logs with important details that could be more useful if you had them captured in a field. The entirety of the text in an event can be found in the _raw field but specific details found in the […]

Elastic Flattened Fields Explained

Elastic has many “Field Types”. Flattened is a type that allows you to search subfields. Typically for cyber security analysts subfields appear in cloud logs, especially requests and responses, where the person who built the parser needed it to be future-proofed against the ever changing cloud. For instance, if we had the following JSON in […]

Splunk: How to Make Lookup Based on Wildcards

1) Add the stanza to transforms.conf: 2) Create a field_from_sourcetype.csv file with wildcards and put it in the lookups folder. As a result, field_name will be populated based on the list of wildcards:

Splunk: How to Output Nested json as One Field

Often, especially when providing context to analysts who are responsible for triaging alerts, it is useful to provide all of the context that a cloud provider nests in a big json blob as just a single field. You can use the splunk operation “spath” to accomplish this goal. Note: if you have trouble manipulating the […]

SOC Prime Introduces a Fair Usage Policy

Make the Most of Advanced Threat Detection at No Extra Cost In today’s rapidly evolving cybersecurity landscape, where both rogue actors and well-funded state-sponsored entities continuously devise sophisticated attacks, maintaining relevant and up-to-date detection capabilities is more critical than ever. In Q1 2024, APT groups from various global regions, such as China, North Korea, Iran, […]

The Prime Hunt v1.4.2: Chronicle Security Support & Mail Templates for Streamlined IOC Sharing

In January 2023, SOC Prime launched The Prime Hunt, an open-source browser add-on acting as a single platform-agnostic UI for threat hunters, regardless of a security solution in use. For over one year since The Prime Hunt launch, we have been working on the tool enhancements, broadening the supported technology stack and adding handy features […]

Accelerate Your MDR Excellence with SOC Prime

Managed Detection and Response (MDR) providers operate in a realm where maintaining the integrity of client security is paramount despite the constantly evolving threat landscape and 24/7 attack risk. Always fighting on the frontline, the majority of MDR providers are seeking innovative ways to address ever-growing technical debt, overcome the risks of client SLA breach, […]

Installing and Configuring Content Packs for QRadar

This guide describes how to deploy Content Packs for QRadar based on the recommended example of the “SOC Prime – Sigma Custom Event Properties” content item available on the SOC Prime Platform. This recommended Content Pack contains extended Custom Event Properties used in Sigma translations. Note: SOC Prime recommends installing the Sigma Custom Event Properties Content […]

SOC Prime on Discord: Join a Single Community for All Cyber Defenders to Benefit from Shared Expertise

In February 2023, SOC Prime launched its Discord server community connecting aspiring cybersecurity enthusiasts and seasoned experts in a single place. The community serves as the world’s largest open-source hub for Threat Hunters, CTI and SOC Analysts, and Detection Engineers — anyone having a genuine passion for cybersecurity. Currently, our Discord server hosts over 1,500 […]

What Is Detection Engineering?

Threat detection engineering (DE) is more complex than it might seem initially. It goes far beyond the detection of events or abnormal activities. The DE process includes detecting states and conditions, which is often more applicable to incident response or digital forensics. As Florian Roth mentions in his blog, the definition of detection engineering “should […]
