Life beyond the SIEM – Take control of your SOC with Jupyter

OVERVIEW

The SIEM is the center-point for most SOC activity: providing tools for handling threat detection, incident investigation, threat hunting, and more. Even the best SIEM though, is only as capable as the features it includes. Analysts often have to develop processes and scripts to fit alongside it. What if it didn’t need to be this way? What if there was a tech stack that allowed you to take control?

Jupyter is the solution that allows analysts to investigate threats, conduct hunts, and manage processes in a flexible, agile manner. Use visualizations, analysis techniques, data sources and workflows that your SIEM doesn’t possess.

In this talk, we will look at the Jupyter ecosystem and how it can empower SOC analysts (from tier 1 to specialized hunters) in a wide range of tasks: from creating custom visualizations to automating triage and enrichment tasks.

We’ll cover some Jupyter basics then dive deeper on how to use standard Python libraries and techniques to customize your analysis flow. Then look at using MSTICPy (Python InfoSec library) and how its data, enrichment and visualization features can speed up your workflow with generate elegant, low-code notebooks.

We will also show how you can deploy notebooks in your organization in a consistent, secure and reliable manner using tools like Docker and Git.

Finally, we will demonstrate how to use Jupyter to automate investigation and hunting, to drive great efficiency and consistency benefits for the SOC.