{"id":1299,"date":"2015-09-06T15:09:00","date_gmt":"2015-09-06T15:09:00","guid":{"rendered":"https:\/\/www.bsk-consulting.de\/?p=1299"},"modified":"2022-10-04T15:27:36","modified_gmt":"2022-10-04T13:27:36","slug":"splunk-threat-intel-ioc-integration-via-lookups","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/","title":{"rendered":"Splunk Threat Intel IOC Integration via Lookups"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.18.0″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]Today most security teams have access to a lot of different information sources. On the one hand they collect log data from different sources and try to correlate them in a useful way in so-called SIEM systems. On the other hand they receive threat information from different sources like APT reports, public or private feeds or derive those indicators from their own investigations and during incident response.
\nTherefore one of the main tasks of security monitoring today is to combine these different data sources, which means to apply the threat intel information to the data that is already available in SIEM systems or scan for it on-demand using tools like my free IOC scanner LOKI<\/a> or our APT Scanner THOR<\/a>.
\nIn this article I would like to describe a method to apply threat intel information to log data in Splunk<\/a> using simple lookup definitions.
\nI recently integrated two different threat intel receivers<\/a> in my free IOC scanner LOKI. One of them fetches all IOC (indicator of compromise) elements from AlienVault’s Open Threat Exchange platform OTX<\/a>\u00a0and saves them to a subfolder in the LOKI program folder in order to be initialized during startup.
\nThis weekend I added a new option called “–siem” that instructs the receiver to generate a CSV file with header line and the correct format for a lookup definition in Splunk.<\/p>\n

\"Example

Example – Threat Intel Feed OTX Receiver (LOKI)<\/p><\/div>\n

The resulting file for the hash IOCs looks like this:<\/p>\n

\"Threat

Threat Intel Hash CSV for Splunk Lookup<\/p><\/div>\n

Using the\u00a0“-o” parameter you are able to select an output folder. I chose the folder for the lookup definitions in the search app, which is “$SPLUNK_HOME\/etc\/apps\/search\/lookups”.<\/p>\n

\"Threat

Threat Intel CSV Files in Splunk Search App Lookup Folder<\/p><\/div>\n

After saving the output files to this directory we can select the CSV file in the lookup definition settings dialog (Settings > Lookups > Lookup definitions > Add new). I named the lookup “otxhash”.<\/p>\n

\"Splunk

Threat Intel CSV File Lookup Definition in Splunk<\/p><\/div>\n

Now we can apply this lookup to all log data that contains file hash information like Antivirus logs, THOR and LOKI scan results or in this case the logs of Microsoft Sysmon<\/a>.<\/p>\n

\"Windows

Windows Sysmon Log Data in Splunk<\/p><\/div>\n

Using the free Add-on for Microsoft Sysmon<\/a> all the log fields will be extracted automatically. You will see a field named “Hash” that can be used in our search definitions to allow a direct lookup.<\/p>\n

\"Windows

Windows Sysmon Log Data with Hash Values of Executables<\/p><\/div>\n

The lookup compares the “Hash” field from the Sysmon event message with the “hash” field from the OTX threat intel CSV file and sets a new “threat_description” field with the value of the “description” field from the CSV.<\/p>\n

\nindex=windows_sysmon\n| lookup otxhash hash AS Hash OUTPUT description AS threat_description\n| search threat_description=*\n| table UtcTime,ComputerName,User,Hash,ProcessId,CommandLine,threat_description\n<\/pre>\n
After the lookup I search for all entries that have a “threat_description” field set and display them in a easy-to-read table view. Only entries that had a “Hash” matching on a “hash” from the CSV will have this new field set. In the example below I had a match on an unwanted application called “Pantsoff” that I used in my Lab environment for this POC.<\/p>\n
\"Threat
Threat Intel Lookup in Splunk<\/p><\/div>\n
I would define this search as an “Alert” that runs every 15 minutes and searches in log data of the last 15 minutes in order to get immediately informed if a blacklisted executable had been used. (avoid realtime searches\/alerts in Splunk)
\nFurthermore the threat intel receiver should be scheduled via cron in order to run hourly\/daily.
\nThe two other files create by the threat intel receiver contain information on filenames and C2 server (hostnames, IPs) that can be applied in a similar way. The only small downer is that Lookups can only be used for “equal” matches and don’t allow to search for elements that “contain” certain fields of the CSV file. This is no problem in case of the C2 server definitions but for the filename definitions, which can be e.g. “AppData\\\\evil.exe”.
\nI’ll improve the Threat Intel Receivers in the coming weeks and add the “–siem” option to the MISP<\/a> Receiver as well.
\nI hope you enjoyed the article and found it inspiring even if you don’t use Splunk or the other mentioned tools.
\nBesides: I am working on a RESTful web service with the working title “TRON” that allows to query for threat intel indicators and supports different comparison modes including including the missing “contains” supporting OpenIOC and STIX as input files. It is not ready yet but I’ll inform you as soon as there is something to show.
\nFollow me on Twitter via @Cyb3rOps<\/a>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
Today most security teams have access to a lot of different information sources. On the one hand they collect log data from different sources and try to correlate them in a useful way in so-called SIEM systems. On the other hand they receive threat information from different sources like APT reports, public or private feeds or derive those indicators from their own investigations and during incident response. Therefore one of the main tasks of security monitoring today is to combine these different data sources, which means to apply the threat intel information to the data that is already available in SIEM systems or scan for it on-demand using tools like my free IOC scanner LOKI or our APT Scanner THOR. In this article I would like to describe a method to apply threat intel information to log data in Splunk using simple lookup definitions. I recently integrated two different threat intel receivers in my free IOC scanner LOKI. One of them fetches all IOC (indicator of compromise) elements from AlienVault’s Open Threat Exchange platform OTX\u00a0and saves them to a subfolder in the LOKI program folder in order to be initialized during startup. This weekend I added a new option called […]<\/p>\n","protected":false},"author":1,"featured_media":1306,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"Today most security teams have access to a lot of different information sources. On the one hand they collect log data from different sources and try to correlate them in a useful way in so-called SIEM systems. On the other hand they receive threat information from different sources like APT reports, public or private feeds or derive those indicators from their own investigations and during incident response.\r\nTherefore one of the main tasks of security monitoring today is to combine these different data sources, which means to apply the threat intel information to the data that is already available in SIEM systems or scan for it on-demand using tools like my free IOC scanner LOKI<\/a> or our APT Scanner THOR<\/a>.\r\nIn this article I would like to describe a method to apply threat intel information to log data in Splunk<\/a> using simple lookup definitions.\r\n\r\nI recently integrated two different threat intel receivers<\/a> in my free IOC scanner LOKI. One of them fetches all IOC (indicator of compromise) elements from AlienVault's Open Threat Exchange platform OTX<\/a>\u00a0and saves them to a subfolder in the LOKI program folder in order to be initialized during startup.\r\nThis weekend I added a new option called \"--siem\" that instructs the receiver to generate a CSV file with header line and the correct format for a lookup definition in Splunk.\r\n[caption id=\"attachment_1314\" align=\"alignnone\" width=\"620\"]\"Example<\/a> Example - Threat Intel Feed OTX Receiver (LOKI)[\/caption]\r\nThe resulting file for the hash IOCs looks like this:\r\n[caption id=\"attachment_1303\" align=\"alignnone\" width=\"620\"]\"Threat<\/a> Threat Intel Hash CSV for Splunk Lookup[\/caption]\r\nUsing the\u00a0\"-o\" parameter you are able to select an output folder. I chose the folder for the lookup definitions in the search app, which is \"$SPLUNK_HOME\/etc\/apps\/search\/lookups\".\r\n[caption id=\"attachment_1301\" align=\"alignnone\" width=\"422\"]\"Threat<\/a> Threat Intel CSV Files in Splunk Search App Lookup Folder[\/caption]\r\nAfter saving the output files to this directory we can select the CSV file in the lookup definition settings dialog (Settings > Lookups > Lookup definitions > Add new). I named the lookup \"otxhash\".\r\n[caption id=\"attachment_1302\" align=\"alignnone\" width=\"552\"]\"Splunk<\/a> Threat Intel CSV File Lookup Definition in Splunk[\/caption]\r\nNow we can apply this lookup to all log data that contains file hash information like Antivirus logs, THOR and LOKI scan results or in this case the logs of Microsoft Sysmon<\/a>.\r\n[caption id=\"attachment_1304\" align=\"alignnone\" width=\"620\"]\"Windows<\/a> Windows Sysmon Log Data in Splunk[\/caption]\r\nUsing the free Add-on for Microsoft Sysmon<\/a> all the log fields will be extracted automatically. You will see a field named \"Hash\" that can be used in our search definitions to allow a direct lookup.\r\n[caption id=\"attachment_1305\" align=\"alignnone\" width=\"620\"]\"Windows<\/a> Windows Sysmon Log Data with Hash Values of Executables[\/caption]\r\nThe lookup compares the \"Hash\" field from the Sysmon event message with the \"hash\" field from the OTX threat intel CSV file and sets a new \"threat_description\" field with the value of the \"description\" field from the CSV.\r\n[cc lang=\"javascript\"]\r\nindex=windows_sysmon\r\n| lookup otxhash hash AS Hash OUTPUT description AS threat_description\r\n| search threat_description=*\r\n| table UtcTime,ComputerName,User,Hash,ProcessId,CommandLine,threat_description\r\n[\/cc]\r\nAfter the lookup I search for all entries that have a \"threat_description\" field set and display them in a easy-to-read table view. Only entries that had a \"Hash\" matching on a \"hash\" from the CSV will have this new field set. In the example below I had a match on an unwanted application called \"Pantsoff\" that I used in my Lab environment for this POC.\r\n[caption id=\"attachment_1306\" align=\"alignnone\" width=\"620\"]\"Threat<\/a> Threat Intel Lookup in Splunk[\/caption]\r\nI would define this search as an \"Alert\" that runs every 15 minutes and searches in log data of the last 15 minutes in order to get immediately informed if a blacklisted executable had been used. (avoid realtime searches\/alerts in Splunk)\r\nFurthermore the threat intel receiver should be scheduled via cron in order to run hourly\/daily.\r\nThe two other files create by the threat intel receiver contain information on filenames and C2 server (hostnames, IPs) that can be applied in a similar way. The only small downer is that Lookups can only be used for \"equal\" matches and don't allow to search for elements that \"contain\" certain fields of the CSV file. This is no problem in case of the C2 server definitions but for the filename definitions, which can be e.g. \"AppData\\evil.exe\".\r\nI'll improve the Threat Intel Receivers in the coming weeks and add the \"--siem\" option to the MISP<\/a> Receiver as well.\r\nI hope you enjoyed the article and found it inspiring even if you don't use Splunk or the other mentioned tools.\r\nBesides: I am working on a RESTful web service with the working title \"TRON\" that allows to query for threat intel indicators and supports different comparison modes including including the missing \"contains\" supporting OpenIOC and STIX as input files. It is not ready yet but I'll inform you as soon as there is something to show.\r\nFollow me on Twitter via @Cyb3rOps<\/a>","_et_gb_content_width":"","footnotes":""},"categories":[255,87,511,269],"tags":[513,6,97,514,245,515,516,61,60,293,5,142],"class_list":["post-1299","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-command-line","category-security-monitoring","category-splunk","category-tutorial","tag-alert","tag-apt","tag-loki","tag-lookup","tag-misp","tag-otx","tag-search","tag-security-monitoring","tag-siem","tag-splunk","tag-thor","tag-threat-intel"],"yoast_head":"\nSplunk Threat Intel IOC Integration via Lookups - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Splunk Threat Intel IOC Integration via Lookups\",\"datePublished\":\"2015-09-06T15:09:00+00:00\",\"dateModified\":\"2022-10-04T13:27:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/\"},\"wordCount\":954,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png\",\"keywords\":[\"alert\",\"apt\",\"loki\",\"lookup\",\"MISP\",\"otx\",\"search\",\"Security Monitoring\",\"SIEM\",\"splunk\",\"thor\",\"threat intel\"],\"articleSection\":[\"Command Line\",\"Security Monitoring\",\"Splunk\",\"Tutorial\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/\",\"name\":\"Splunk Threat Intel IOC Integration via Lookups - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png\",\"datePublished\":\"2015-09-06T15:09:00+00:00\",\"dateModified\":\"2022-10-04T13:27:36+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png\",\"width\":1002,\"height\":284,\"caption\":\"Threat Intel Lookup in Splunk\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Splunk Threat Intel IOC Integration via Lookups - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Splunk Threat Intel IOC Integration via Lookups","datePublished":"2015-09-06T15:09:00+00:00","dateModified":"2022-10-04T13:27:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/"},"wordCount":954,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png","keywords":["alert","apt","loki","lookup","MISP","otx","search","Security Monitoring","SIEM","splunk","thor","threat intel"],"articleSection":["Command Line","Security Monitoring","Splunk","Tutorial"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/","url":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/","name":"Splunk Threat Intel IOC Integration via Lookups - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png","datePublished":"2015-09-06T15:09:00+00:00","dateModified":"2022-10-04T13:27:36+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/2015\/09\/06\/splunk-threat-intel-ioc-integration-via-lookups\/#primaryimage","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/09\/ishot-150905-205557.png","width":1002,"height":284,"caption":"Threat Intel Lookup in Splunk"},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/1299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=1299"}],"version-history":[{"count":5,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/1299\/revisions"}],"predecessor-version":[{"id":14653,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/1299\/revisions\/14653"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media\/1306"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=1299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=1299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=1299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}