Purple Team Strategies
This section will be dedicated to query languages, which will be used to build step-by-step practical examples of EDR/XDR threat hunting use cases and SIEM queries for threat detections based on statistical anomalies.
Splunk allows us to transform the available events directly, but also to chain multiple transformations using the pipe (|) sign, so that the analyst can apply successive processing steps to the data (for example, retrieving the required data, then converting it to lowercase, then enriching it with the day of the week, then adding a statistical step to detect anomalies, and so on, all in the same Search Processing Language (SPL) query). We couldn't write this book without showing how powerful and interesting this language can be in terms of detection engineering. To illustrate the possibilities, we chose the following use cases:
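As an added example (not taken from the book), the following SPL query chains exactly the kind of transformations described above: it retrieves Windows logon events, lowercases the account name, enriches each event with the day of the week, aggregates per user and day, and then flags days whose logon count is more than three standard deviations above that user's baseline for that weekday. The index name `wineventlog`, the `EventCode=4624` filter and the `TargetUserName` field are assumptions about how the environment's Windows logs are indexed and extracted; adjust them to your own data.

```spl
index=wineventlog EventCode=4624
| eval user=lower(TargetUserName)
| eval day_of_week=strftime(_time, "%A")
| bin _time span=1d
| stats count AS daily_logons BY _time, user, day_of_week
| eventstats avg(daily_logons) AS avg_logons, stdev(daily_logons) AS sd_logons BY user, day_of_week
| eval zscore=if(sd_logons > 0, round((daily_logons - avg_logons) / sd_logons, 2), 0)
| where zscore > 3
| sort - zscore
| table _time, user, day_of_week, daily_logons, avg_logons, zscore
```

Each line after the first is one pipe stage: `eval` performs the lowercase conversion and the day-of-week enrichment, `bin` and `stats` build the daily count per user, `eventstats` computes each user's per-weekday mean and standard deviation without collapsing the rows, and the final `eval`/`where` pair turns that into a z-score threshold. Run it over a window of several weeks so that the per-weekday baseline is built from enough days; the `sd_logons > 0` guard keeps users with a constant history from producing a division by zero rather than a false anomaly.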
When we...