SIEM
Honeypot Diaries: SSH Authorized Keys
Analyzing threat actor activity and malware observed in geographically dispersed honeypots.
Migrating Splunk Storage to S3 SmartStore
A short guide on how I transitioned an existing Splunk deployment to S3 SmartStore to decouple and scale storage.
Ingesting PCAP Files with Zeek and Splunk
How to safely ingest and analyze pcap files at scale using Zeek and Splunk.
Blue Team Tactics: Honey Tokens Pt. III
The final installment of the honey tokens series, covering multiple methods to centralize Windows Event ID 4663 audit logs, including PowerShell, WEF, Splunk Universal Forwarders, and Splunk search queries.
DIY IP Threat Feed
This post describes building a DIY IP threat feed by aggregating honeypot SSH login data in Splunk, enriching it with geo and reputation context, and exporting it as a regularly updated CSV blacklist.
Deploying Splunk Universal Forwarders via GPO
A guide to deploying the Splunk Universal Forwarder across Windows endpoints using a Group Policy Object and an Orca-generated MST transform file containing the deployment server and credentials.
Tracking SSH Brute-force Logins with Splunk
This post demonstrates using Splunk field extraction and search queries to track SSH brute-force login attempts, identifying the top attacking usernames and source IP addresses via dashboards.