F5 SL ASM iRule Parser for Hosted Deployments

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbable access events. Typically, this is a relatively simple thing to do in a modern SIEM; however, Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through a CISCO_ISE device. This identifies who logs in, along with the MAC address and IP, for any use case.

Investigate an IP through Palo Alto Logs

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and countries.
