Great news! The @misp and the @hashlookup integration is now merged in @TimesketchProj
Thanks to all who helped to make this happen. (David, Thomas, Alexander, Johan, Joachim)
https://github.com/google/timesketch/pull/2429
More documentation and use-cases will be shown in the next weeks.
#DFIR #opensource #misp #timesketch #hashlookup #threatintel #threathunting
🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.BackupGCS/S3
Link:
https://docs.velociraptor.app/artifact_references/pages/server.utils.backupgcs/
https://docs.velociraptor.app/artifact_references/pages/server.utils.backups3/
----
These artifacts are server monitoring artifacts that will watch for flow completions, then zip and send the results to Google Cloud, or an S3 bucket, using the 'upload_gcs()' and 'upload_s3()' functions.
https://docs.velociraptor.app/vql_reference/plugin/upload_gcs
https://docs.velociraptor.app/vql_reference/plugin/upload_s3
----
Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.
@eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting on using these artifacts with Timesketch to generate a timeline of events.
If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!
https://www.sans.org/presentations/breaches-be-crazy/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #plaso #threathunting #Timesketch
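To make the mechanism in the post above concrete, here is an added VQL sketch of the pattern those artifacts use (this is an illustration written for this page, not the source of Server.Utils.BackupS3 itself). It watches the server's flow-completion event stream, builds the zip archive for each finished flow with `create_flow_download()`, and hands that file to `upload_s3()`. The bucket, region and credential names are placeholders, and the `ClientId`/`FlowId` column names are assumed to match what the `System.Flow.Completion` event stream emits; check them against the linked artifact reference before use.

```vql
-- Added example, not the artifact's own source. Placeholder values are
-- marked as such and must be replaced with your own.
LET Bucket <= "placeholder-dfir-archive-bucket"   -- placeholder
LET Region <= "us-east-1"                         -- placeholder
LET AWSKey <= "PLACEHOLDER_ACCESS_KEY"            -- placeholder, keep out of artifacts in practice
LET AWSSecret <= "PLACEHOLDER_SECRET_KEY"         -- placeholder, keep out of artifacts in practice

-- Each row in this stream is one completed collection (column names assumed).
SELECT ClientId, FlowId,
       upload_s3(
         -- create_flow_download() zips the flow's results on the server
         -- and returns the path of that archive; wait=TRUE blocks until done.
         file=create_flow_download(client_id=ClientId, flow_id=FlowId, wait=TRUE),
         -- object key inside the bucket: <client>/<flow>.zip
         name=format(format="%v/%v.zip", args=[ClientId, FlowId]),
         bucket=Bucket,
         region=Region,
         credentialskey=AWSKey,
         credentialssecret=AWSSecret) AS Upload
FROM watch_monitoring(artifact="System.Flow.Completion")
```

Run as a server monitoring artifact this keeps an off-box copy of every collection, which is what makes the later Timesketch ingestion (and any other post-processing) independent of the Velociraptor server's own storage. The credentials belong in the artifact's parameters or a server-side secret rather than inline as shown here.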
@seanosullivanuk I haven't used it a whole lot, but I've also heard good things about #Timesketch.
If you want a very recent blog article, two teammates wrote: https://osdfir.blogspot.com/2022/11/find-needle-faster-with-hashr-data.html
#hashr is a cool new tool, and the article is the follow-up to https://osdfir.blogspot.com/2022/08/generate-your-own-hash-sets-with-hashr.html, where Michal introduces the tool. It can reduce the noise of finding badness in your forensic effort quite a lot. While the blog is about #Timesketch, you can for sure hook it up to any other workflow you have.