
Speaker: AJ Van Beest
Threat Hunting
Got a few thousand lines of logs to parse? How about a needle buried in a couple-million-line CSV haystack? What about sorting every single endpoint in your org into buckets by custodial group?
Believe it or not, the easiest, fastest tool for these jobs is probably your text editor.
Let's turn tasks like these from impossibly dull, frustrating hours of mouse jockeying into a few enjoyable minutes with some text manipulation strategies. The best part? Once you learn these strategies, it's simple to scale them via your SIEM and scripts.
In this presentation, you'll learn to:
• identify ways to hook into data structures;
• employ multiple visual analysis techniques;
• automate repetitive search and replace operations;
• zero in on specific kinds of data;
• easily find differences in two or more lists of data;
• recognize cases when a different approach might be better.
We'll use three real-world examples to illustrate these techniques:
• Parsing a multi-million line CSV file of malware observables and indicators;
• Using deduplication to track a third-party service's effectiveness;
• Building the supersedence chain for a Microsoft patch.
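As an added illustration (not part of the talk or its example files), here is what the CSV-bucketing, deduplication and list-diffing tasks above look like once scripted in Python; the sample CSV, its "indicator" column name and the indicator values are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample standing in for the multi-million-line observables CSV.
# The real file's layout is not given on the page, so the "indicator" column
# name is an assumption.
SAMPLE_CSV = """indicator,source
d41d8cd98f00b204e9800998ecf8427e,feedA
198.51.100.23,feedA
evil.example,feedB
D41D8CD98F00B204E9800998ECF8427E,feedB
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,feedA
not an indicator,feedB
"""

# Anchored patterns decide which bucket a value lands in. Values are
# case-folded first, so the same hash written in different case deduplicates.
BUCKETS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$"),
}


def bucket_indicators(csv_text, column="indicator"):
    """Parse CSV text and return {bucket: set(values)}; rows that match no
    pattern land in 'unknown' so nothing is silently dropped."""
    out = {name: set() for name in BUCKETS}
    out["unknown"] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row[column].strip().lower()
        for name, pattern in BUCKETS.items():
            if pattern.match(value):
                out[name].add(value)  # set membership does the deduplication
                break
        else:
            out["unknown"].add(value)
    return out


def diff_lists(previous, current):
    """Set difference both ways: what a new feed pull added and what it dropped.
    Counting 'added' per pull is one way to track a third-party feed's value."""
    prev, cur = set(previous), set(current)
    return {"added": cur - prev, "removed": prev - cur}
```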
But wait; there's more!
To help you operationalize these techniques when you're back in your bat cave, you'll get:
• Cheat sheets for the techniques above;
• Copy-pasta regex sweetness;
• Your own fresh copies of the example files, so you can learn by doing.
Download the presentation slides (SANS account required) at