Some SOC alerts are so precise that a very specific set of response actions is warranted. For example, if a malicious email is detected, check if the user clicked on it. EDR events or forensic artifacts from the filesystem can be used to answer that question. However, when you have more ambiguous "detections" such as … Continue reading “Find Evil” in 5 easy steps!! (Part 1)
Category: Triage
LogParser EVTX Adventures
I've been doing IR for a long time and I can't believe I have only now discovered the power of LogParser. Perhaps I was too spoiled by Splunk to actually be forced to learn this awesome tool. But now that I have gotten familiar with it, I see why it is so beloved. It's powerful … Continue reading LogParser EVTX Adventures
Using Mac OSXCollector with Splunk
I admit, the first time I had the opportunity to switch my work PC to a Mac, I jumped at it. However, I quickly regretted it. I was in a management job that was largely a race against the clock to handle emails, create powerpoints and massage spreadsheets. The learning curve wasn't fitting into my … Continue reading Using Mac OSXCollector with Splunk
dfirtnt.wordpress.com 