https://xn--e-br-noa.de/ 2026-06-10T21:34:28+00:00 https://xn--e-br-noa.de/ https://xn--e-br-noa.de/lib/exe/fetch.php?media=wiki:dokuwiki.svg text/html 2026-06-10T07:47:03+00:00 Anonymous (anonymous@undisclosed.example.com) https://xn--e-br-noa.de/doku.php?id=soc:tools:ewf&rev=1781077623&do=diff EWF text/html 2026-06-10T10:57:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://xn--e-br-noa.de/doku.php?id=soc:tools:kibana&rev=1781089071&do=diff Kibana Query Basics @timestamp >= “2023-01-01” Timestamp (X AND Y) OR Z Lucene * Turn off KQL to use the Lucene query syntax Fuzzy fu~~y fuzzy operator “server error”~4 “slop value” -> server and error up to 4 positions apart text/html 2026-06-10T13:04:07+00:00 Anonymous (anonymous@undisclosed.example.com) https://xn--e-br-noa.de/doku.php?id=soc:tools:splunk&rev=1781096647&do=diff Splunk # list all indexes, cmdline: splunk list index | eventcount summarize=false index=* | dedup index | fields index sourcetype=access_combined error | top 5 uri [+|-]<integer><unit>@<snap_time_ unit> "error earliest=-1d@d latest=h@h" #subsearch sourcetype=syslog [ search login error | return 1 user ] source="/var/log/myapp/access.log" status=404 host="myblog" source="/var/log/syslog" Fatal index=* OR index=_* sourcetype=generic_logs | search Cybersecurity | head 10000 #ipv4 | rege… text/html 2026-06-10T13:04:31+00:00 Anonymous (anonymous@undisclosed.example.com) https://xn--e-br-noa.de/doku.php?id=soc:tools:start&rev=1781096671&do=diff Tools SIEM * Kibana * Splunk Network * Wireshark IR * velociraptor * remote artefact collection and administration * iris * Collaborative Incident Response Platform * x_ways * axiom * f_Response * arsenal_image_mounter * magnet_ram_capture * exiftool * sqlite_database_browser * ost_pst_viewer * registry_viewer * regripper * ghidra Commandline * evtwalk * Parse Windows Event Logs text/html 2026-06-10T08:58:08+00:00 Anonymous (anonymous@undisclosed.example.com) https://xn--e-br-noa.de/doku.php?id=soc:tools:volatility&rev=1781081888&do=diff Volatility pipx install volatility3 pipx ensurepath pipx completions * Install symbols tables from github <https://github.com/volatilityfoundation/volatility3> Windows Basics <https://volatility3.readthedocs.io/en/latest/volatility3.plugins.windows.html> vol -f <image> windows.info vol -f <image> windows.pstree windows.psscan windows.pslist vol.py -f “/path/to/file” -o “/path/to/dir” windows.dumpfiles ‑‑pid <PID> vol.py -f “/path/to/file” -o “/path/to/dir” windows.memmap ‑‑dump ‑‑pid … text/html 2026-06-09T08:21:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://xn--e-br-noa.de/doku.php?id=soc:tools:wireshark&rev=1780993286&do=diff Wireshark Display Filters Network ip.src == #ip ip.dst == #ip ip.addr src or dst (careful with negation!)tcp.srcport == #port tcp.dstport == #port eth.addr[0:3]==00:06:5B Filter for manufacturer (example: Dell) DNS dns.qry.name ==