RegEx for Incident Response
Daniel Nutting
Bryan Turner
BSides Tampa 2019
Abstract: In any cyber security investigation, the bulk of the work involves wading through volumes of logs looking for that needle in the haystack. Using sophisticated SIEMs, scripting, or even Notepad++, these logs can be quickly mined for insight using Perl Compatible Regular Expressions. Shucking the typical trope of "minimize false positives," this presentation teaches a methodology to efficiently develop easy-to-understand, good-enough regular expressions that are tailor-written for the investigation and the data set. Worry less, just get the data. RegEx makes it possible to filter your logs with searches like: SQL_Injection=*
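The following is an added illustration of the "good enough, tailored to the data set" approach the abstract describes; it is example code written for this page, not material from the talk or the speakers. It parses a handful of constructed web-server access-log lines, URL-decodes the request path (the tailoring step: the attacker's quote marks and spaces arrive as %27 and %20), then runs two passes: a deliberately broad regex that accepts some noise, and a slightly tighter one. Python's re module is used in place of a true PCRE engine; the patterns below stay inside the subset both engines share. The log lines, IP addresses and patterns are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2019:10:01:02 -0400] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [12/Apr/2019:10:01:09 -0400] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8812
203.0.113.9 - - [12/Apr/2019:10:01:15 -0400] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 301
10.0.0.7 - - [12/Apr/2019:10:02:40 -0400] "GET /search?q=union+of+select+workers HTTP/1.1" 200 2201
198.51.100.4 - - [12/Apr/2019:10:03:01 -0400] "POST /login HTTP/1.1" 302 0
"""

# Field extraction for common log format. Named groups keep the result readable.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Pass 1: broad, "just get the data". Any SQL keyword, quote or comment marker
# in a request path is worth a look. It will also catch innocent search terms.
BROAD_SQLI = r"(?i)union|select|'|--|sleep\("

# Pass 2: tightened only as far as the first pass's noise required.
# Keyword pairs and quote-then-OR are rarer in legitimate traffic than bare words.
TIGHTER_SQLI = r"(?i)union\s+select|'\s*or\s+|--\s*$|sleep\s*\("


def parse_records(log_text):
    """Split a log blob into dicts of named fields; unparseable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def hunt(pattern, log_text):
    """Return the records whose URL-decoded request path matches `pattern`.

    Decoding first is the data-set-specific step: matching the raw line would
    miss %27 (quote) and %20 (space) that make up most encoded payloads.
    """
    regex = re.compile(pattern)
    hits = []
    for rec in parse_records(log_text):
        decoded = unquote_plus(rec["path"])
        if regex.search(decoded):
            rec = dict(rec, decoded_path=decoded)
            hits.append(rec)
    return hits


def hits_by_ip(hits):
    """Count matches per source IP so the noisiest client surfaces first."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for label, pattern in (("broad", BROAD_SQLI), ("tighter", TIGHTER_SQLI)):
        hits = hunt(pattern, SAMPLE_LOG)
        print(f"[{label}] {len(hits)} hit(s); per IP: {hits_by_ip(hits)}")
        for rec in hits:
            print(f"  {rec['ip']} {rec['status']} {rec['decoded_path']}")
```

Running the block shows the trade-off the abstract argues for: the broad pass returns three lines, one of them a harmless search for "union of select workers", and that is fine when the goal is a quick triage list; the tighter pass drops it and leaves the two requests from the same client that actually carry a quote-OR and a UNION SELECT. The tightening was driven by looking at the broad results against this data set, not by trying to write a universal SQL injection signature up front.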
Bio: Bryan and Dan work in the Publix Super Markets Security Operations Center. In the past several years, they have developed a rhythm for conducting investigations efficiently. Dan has several SANS certifications, including GCIH, GCFE, GCFA, as well as other industry certifications. He was previously an Information Systems Security Officer for the US Coast Guard. Currently, Dan also teaches as an adjunct for Cyber Security at Florida Southern College.
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek