The heavy lifting of this is CISA's Malcolm. Unfortunately the blog post only provides a non-linked bullet to it. Seth Grover, the main driver behind Malcolm, put a lot of effort over the years into creating a turnkey SOC-in-a-box distro that works especially well for a network-first approach. Endpoint isn't neglected, but the focus on Zeek, Suricata, Arkime shows the primary visibility drivers. This is not surprising, because CISA also developed a bunch of custom ICS protocol dissectors that provide visibility (DNP3, Modbus, etc.). All of this is turnkey available by running Malcolm. Especially for OT, where we have a lot more unmanaged black boxes and networks that you don't wanna actively scan (factories have been brought down this way), passively watching is a safe and powerful approach.

It's a bit unfortunate that Kali didn't give the props to Seth's project (not even an outbound link). Perhaps this was just an oversight, or a spotlight blog post is coming later, but I hope that the history of this gets properly acknowledged, because it's darn clear where this comes from.

Why are they calling it purple if it's really blue? Also, Elastic is one of the worst SIEMs you can choose for threat hunting and analysis. The language is incredibly limited, the parsing is confusing, there are no built-in aggregations that make sense, you can only search over one set of data at a time (no joins). And it's even more limited through the search bar in the Kibana GUI. Lastly, it uses techniques that estimate data results for the sake of speed.
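The comments above contrast passive ICS visibility (Malcolm's Zeek/Suricata/Arkime stack plus CISA's Modbus and DNP3 dissectors) with active scanning of OT networks. The following is an added example, not code from Malcolm, Zeek or any commenter: a minimal Modbus/TCP dissector run over a handful of constructed frames, showing what a passive dissector can extract (unit ids, function codes, write operations, exception responses) from traffic that was only observed on a tap or span port, never solicited. Frame bytes, the `from_client` direction flag and the summary layout are assumptions of this example.

```python
"""Passive Modbus/TCP dissector over constructed frames (added example).

Demonstrates the visibility a passive ICS dissector gives without sending a
single packet to a PLC. The frames below are constructed for this example.
"""
import struct
from collections import Counter

# Public function-code names from the Modbus application protocol spec.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def dissect_modbus_tcp(frame: bytes, from_client: bool = True) -> dict:
    """Parse one Modbus/TCP frame (MBAP header + PDU) into a dict.

    from_client says which direction the frame was observed in, because the
    PDU layout of read functions differs between request and response.
    Raises ValueError when the MBAP length field disagrees with the bytes
    actually present, so truncated or garbage frames are reported, not guessed.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id byte plus the whole PDU.
    if length != len(frame) - (MBAP_LEN - 1):
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    fc = frame[MBAP_LEN]
    pdu = frame[MBAP_LEN + 1:]
    code = fc & 0x7F
    rec = {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": code,
        "function": FUNCTION_NAMES.get(code, "Unknown"),
        "exception": bool(fc & 0x80),  # high bit set marks an exception response
        "is_write": code in WRITE_CODES,
    }
    if rec["exception"]:
        rec["exception_code"] = pdu[0] if pdu else None
    elif (from_client and code in (1, 2, 3, 4, 5, 6)) or (not from_client and code in (5, 6)):
        # Requests for FC 1-6, and the echoed responses for FC 5/6, carry a
        # 16-bit address followed by a 16-bit quantity (reads) or value (writes).
        addr, val = struct.unpack("!HH", pdu[:4])
        rec["address"] = addr
        rec["quantity_or_value"] = val
    elif not from_client and code in (1, 2, 3, 4):
        # Read responses carry a byte count followed by the register/coil data.
        rec["byte_count"] = pdu[0]
        rec["data"] = pdu[1:1 + pdu[0]]
    return rec


def summarize(frames) -> dict:
    """Roll observed frames up into the counters a hunter looks at first:
    which unit ids are being written to, how many exceptions were raised, and
    the distribution of function codes seen on the wire."""
    writes_per_unit = Counter()
    functions = Counter()
    exceptions = 0
    for raw, from_client in frames:
        rec = dissect_modbus_tcp(raw, from_client)
        functions[rec["function"]] += 1
        if rec["exception"]:
            exceptions += 1
        if from_client and rec["is_write"]:  # count writes once, not their echoes
            writes_per_unit[rec["unit_id"]] += 1
    return {"writes_per_unit": dict(writes_per_unit),
            "exceptions": exceptions, "functions": dict(functions)}


# Constructed sample capture (not real traffic): a read request and its
# response, one register write, and an exception response from unit 1.
READ_REQ = bytes.fromhex("000100000006010300000002")      # FC3 addr 0 qty 2
READ_RESP = bytes.fromhex("00010000000701030400110022")   # FC3, 4 data bytes
WRITE_REQ = bytes.fromhex("000200000006010600101234")     # FC6 addr 0x10 val 0x1234
EXC_RESP = bytes.fromhex("000300000003018302")            # FC3 exception code 2
MALFORMED = bytes.fromhex("000400000006010300")           # claims 6 bytes, has 3
SAMPLE_FRAMES = [(READ_REQ, True), (READ_RESP, False), (WRITE_REQ, True), (EXC_RESP, False)]

if __name__ == "__main__":
    for raw, direction in SAMPLE_FRAMES:
        print(dissect_modbus_tcp(raw, direction))
    print(summarize(SAMPLE_FRAMES))
```

The same roll-up (writes per unit id, exception rate, function-code mix) is what makes a passive feed useful for OT hunting: an unexpected write from a host that normally only reads, or a burst of exception responses, is visible without ever probing the device, which is the point the comment makes about not actively scanning fragile equipment.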