Thomas V. Fischer (tvfischer)
😾 Quis custodiet ipsos custodes?
tvfischer / AddingBOTSv1DatatoHELK.md
Last active July 26, 2023 04:11
The goal is to document the steps taken to pull the Splunk BOTS endpoint hunting data into a HELK instance. The idea was to be able to add this data for simulation and training purposes.

Adding BOTSv1 Data to HELK

HELK is an interesting platform for carrying out endpoint threat hunting, and it is useful both in production and for research and training. For research and training, a key step is adding sample data so that hunting queries can be practised against it.

Yes, this could probably be done in a better way, but the goal here was K.I.S.S.: quick and dirty.

Goal

Splunk provides sample data from its BOSS of the SOC CTF. Both v1 and v2 have been published as open source (more info here). The v1 data is available on GitHub here; unfortunately, it is formatted for ingestion into Splunk.

The goal is to import it into the HELK platform, which is based on an ELK stack (Elasticsearch, Logstash and Kibana). Thankfully, Sébastien Lehuédé has converted the data and done th

### Keybase proof
I hereby claim:
* I am tvfischer on github.
* I am fvt (https://keybase.io/fvt) on keybase.
* I have a public key whose fingerprint is 7702 1B2B BE88 6CF1 A5CD DA33 27FB A976 46CF 2077
To claim this, I am signing this object: