Jupyter Notebooks and Pre-recorded Datasets for Threat Hunting - SANS THIR Summit 2019
Author: SANS Digital Forensics and Incident Response
Uploaded: 2020-02-27
Views: 7297
Description:
How many times have you thought about a more efficient, intuitive, or creative way to analyze the security events your organization collects, but felt limited to the capabilities of a single, language-dependent search bar with basic Boolean search capabilities? In addition, how much time do you usually spend preparing for the simulation of specific adversarial techniques? What if you could expedite the process of validating the detection of those techniques in a more efficient and affordable way? In this talk, we will introduce the concept of utilizing Jupyter Notebooks for a more dynamic, flexible, and language-agnostic way to analyze security events, and at the same time help your team document, standardize, and share detection playbooks.
We will go over the architecture, deployment, and capabilities of Jupyter Notebooks and present a few use cases covering multiple techniques to analyze data while performing research. In addition, we will show how to use pre-recorded datasets from a new open-source project named Mordor to expedite simulation of adversarial techniques and validation of data analytics. The final part of the presentation will cover a methodology used to collect and consume pre-recorded security events in a controlled lab environment with specific security log auditing configurations that can also be used to identify gaps and provide recommendations for data collection strategies in production environments.
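As an added illustration (not code from the talk or from the Mordor project), the following notebook-style Python cell shows the two activities the abstract describes: running a shareable detection playbook over a pre-recorded dataset, and comparing the (channel, EventID) pairs present in the recording against what the analytics need, to surface log-auditing gaps. The JSON-lines sample, field names, event IDs and playbook are constructed assumptions in the one-event-per-line shape that Mordor datasets use.

```python
import json
from collections import Counter

# Constructed sample (not a real Mordor export): one Windows event per line.
SAMPLE_JSONL = r"""
{"@timestamp": "2019-09-01T10:00:01Z", "Hostname": "WS01", "Channel": "Security", "EventID": 4624, "LogonType": 3, "TargetUserName": "alice"}
{"@timestamp": "2019-09-01T10:00:05Z", "Hostname": "WS01", "Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"@timestamp": "2019-09-01T10:00:06Z", "Hostname": "WS01", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
{"@timestamp": "2019-09-01T10:00:07Z", "Hostname": "WS01", "Channel": "Security", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob"}
"""

def load_events(jsonl_text):
    """Parse one JSON object per non-empty line, as a cell would after reading a dataset file."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]

# A detection playbook expressed as data so it can be documented and shared with the notebook.
# Assumed example analytic: remote interactive logon (Security 4624 with LogonType 10).
PLAYBOOK = {
    "name": "remote-interactive-logon",
    "channel": "Security",
    "event_id": 4624,
    "filter": lambda e: e.get("LogonType") == 10,
}

# (channel, EventID) pairs the team's analytics rely on; also assumed for this example.
REQUIRED = [
    ("Security", 4624),
    ("Security", 4688),
    ("Microsoft-Windows-Sysmon/Operational", 1),
    ("Microsoft-Windows-PowerShell/Operational", 4104),
]

def run_playbook(events, playbook):
    """Return the events the playbook matches: this is the analytic being validated on the recording."""
    return [e for e in events
            if e.get("Channel") == playbook["channel"]
            and e.get("EventID") == playbook["event_id"]
            and playbook["filter"](e)]

def audit_coverage(events, required):
    """Count what the recording actually contains and list required pairs that never appear;
    each missing pair is an auditing gap to fix in the lab or production collection policy."""
    seen = Counter((e.get("Channel"), e.get("EventID")) for e in events)
    return {"counts": dict(seen), "missing": sorted(set(required) - set(seen))}

if __name__ == "__main__":
    events = load_events(SAMPLE_JSONL)
    hits = run_playbook(events, PLAYBOOK)
    print(f"{PLAYBOOK['name']}: {len(hits)} hit(s) -> {[e['TargetUserName'] for e in hits]}")
    print("auditing gaps:", audit_coverage(events, REQUIRED)["missing"])
```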
Roberto Rodriguez @Cyb3rWard0g, Security Researcher
Jose Luis Rodriguez @Cyb3rPandaH, Security Researcher