Cloud DFIR

www.splunk.com

https://github.com/schwartz1375/aws

Threat Hunting in AWS

Threat hunting – Making the jump from alert-based investigation to threat hunting

When thinking about threat hunting, we need to create a hunting strategy for the environment we will be operating in. In this case, AWS, executing at scale and efficiently is critical. The capability to hunt is also tied to the team's maturity.

Threat Hunting Lab

Set up Zeek. Corelight has an appliance. Needs a lot of log storage space (duh).

Use a scoring system: assign points to indicators, rule the lowest scores safe, and set a threshold above which high scores get investigated.

Parse Zeek conn.log for the longest cumulative connection time per source/destination pair. Zeek's field names are id.orig_h and id.resp_h (the notes originally had id_orig.h, which bro-cut will not find); bro-cut is named zeek-cut in current Zeek releases. The grep -v '-' drops connections whose duration is unset, and datamash needs its input grouped, which is why the first sort comes before it:

cat conn.log | bro-cut id.orig_h id.resp_h duration | sort | grep -v '-' | datamash -g 1,2 sum 3 | sort -k 3 -rn | head -10
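The same hunt in Python, as an added example that is not part of the original notes: it parses a Zeek conn.log by its #fields header, sums duration per (id.orig_h, id.resp_h) pair the way the bro-cut pipeline does (unset '-' durations skipped), and then applies the scoring idea from the lab notes. The log lines are constructed, and the indicator weights and thresholds are hypothetical values chosen for illustration, not Zeek or Corelight defaults.

```python
"""Zeek conn.log: cumulative duration per pair plus a simple indicator score.

Added example, not from the original notes. SAMPLE_CONN_LOG is constructed;
the #fields names follow Zeek's real conn.log schema, the values are made up.
"""
from collections import defaultdict

SAMPLE_CONN_LOG = """\
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1600000000.000000\tC1a\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t3600.5\t1500\t900\tSF
1600000100.000000\tC2b\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp\tssl\t7200.0\t1200\t800\tSF
1600000200.000000\tC3c\t10.0.0.7\t40000\t198.51.100.20\t80\ttcp\thttp\t2.5\t300\t4000\tSF
1600000300.000000\tC4d\t10.0.0.9\t40001\t198.51.100.20\t53\tudp\tdns\t-\t-\t-\tS0
1600000400.000000\tC5e\t10.0.0.7\t40002\t198.51.100.20\t4444\ttcp\t-\t120.0\t10\t10\tSF
"""

# Hypothetical tuning for this example; adjust to the environment being hunted.
COMMON_RESP_PORTS = {"22", "53", "80", "443"}
LONG_SESSION_SECONDS = 3600.0
INVESTIGATE_MIN_SCORE = 4


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield dict(zip(fields, line.split("\t")))


def group_by_pair(records):
    """Group records by (id.orig_h, id.resp_h)."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["id.orig_h"], rec["id.resp_h"])].append(rec)
    return groups


def total_duration(recs):
    """Sum duration for a pair, skipping '-' (unset) like grep -v '-' does."""
    return sum(float(r["duration"]) for r in recs if r.get("duration", "-") != "-")


def top_pairs_by_duration(text, n=10):
    """Equivalent of the bro-cut | datamash pipeline: top n pairs by total duration."""
    totals = {}
    for pair, recs in group_by_pair(parse_conn_log(text)).items():
        valid = [r for r in recs if r.get("duration", "-") != "-"]
        if valid:  # pairs with only unset durations drop out, as in the pipeline
            totals[pair] = total_duration(valid)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def score_pair(recs):
    """Assign points per indicator; returns (score, reasons)."""
    score, reasons = 0, []
    if total_duration(recs) > LONG_SESSION_SECONDS:
        score += 3
        reasons.append("cumulative duration over an hour")
    if any(r["id.resp_p"] not in COMMON_RESP_PORTS for r in recs):
        score += 2
        reasons.append("uncommon destination port")
    if any(r["proto"] == "tcp" and r["service"] == "-" for r in recs):
        score += 2
        reasons.append("tcp session with no identified service")
    return score, reasons


def triage(text, investigate_min=INVESTIGATE_MIN_SCORE):
    """Score every pair; lowest scores are ruled safe, high scores get investigated."""
    results = []
    for pair, recs in group_by_pair(parse_conn_log(text)).items():
        score, reasons = score_pair(recs)
        verdict = "investigate" if score >= investigate_min else "safe" if score == 0 else "review"
        results.append({"pair": pair, "total_duration": total_duration(recs),
                        "score": score, "reasons": reasons, "verdict": verdict})
    results.sort(key=lambda r: (r["score"], r["total_duration"]), reverse=True)
    return results


if __name__ == "__main__":
    for pair, secs in top_pairs_by_duration(SAMPLE_CONN_LOG):
        print(f"{pair[0]} -> {pair[1]}: {secs:.1f}s total")
    for r in triage(SAMPLE_CONN_LOG):
        print(r["verdict"], r["score"], r["pair"], r["reasons"])
```

Reading the #fields header rather than hard-coding column positions is what keeps this robust when a site's conn.log carries extra fields (Corelight appliances add several); on a real deployment, feed it the file instead of SAMPLE_CONN_LOG and raise INVESTIGATE_MIN_SCORE until the investigate list fits the team's capacity.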