We’ve been very busy here at Brim in the run-up to the holiday season to bring you some early gifts.
- Latest Releases
- Latest Brim Learning Resources
We’ve just released versions 0.20.0 of the Brim app and 0.24.0 of ZQ. As always you can grab Brim from https://www.brimsecurity.com/download
You can read the full details in the release notes. Below are some key highlights:
Cut through the network noise with cut()
The new cut() function does what Z’s cut processor does, but as a function, so it can be nested inside other functions such as collect():
Show the count of HTTP status codes by host
_path=http | count() by status_code,host | status_and_counts=collect(cut(status_code,count)) by host
Enumerate IP Networks like a network god
Brim already has native support for IP address data types and CIDR notation, and we’re building on that network context with a new network_of() function.
network_of() maps an IP address to the network that contains it, returned as a CIDR net. With a single address argument, as in the example below, it returns the address’s classful (class A, B or C) network, for example 192.168.1.0/24 for a class C address:
Show the classful networks of the DNS servers that were queried, most common first
_path=dns | put classnet=network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
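To make the mapping concrete, here is an added Python model of the classful lookup (example code written for this post, not zq’s implementation). It assumes that network_of() with a single address argument returns the class A/B/C network (/8, /16 or /24 by first octet) and runs the same count-and-sort as the query above over a handful of constructed dns records. The fallback for addresses outside classes A to C and the optional explicit prefix parameter are this example’s own choices.

```python
import ipaddress
from collections import Counter


def network_of(ip, prefix=None):
    """Model of zq's network_of(). With no prefix, return the classful network
    of an IPv4 address (assumed semantics: /8 for class A, /16 for class B,
    /24 for class C, chosen by the first octet). With an explicit prefix
    length, return that CIDR net instead (this example's extension, not a
    documented zq behaviour). Class D/E and IPv6 addresses fall back to a
    single-host network, again this example's choice."""
    addr = ipaddress.ip_address(ip)
    if prefix is None:
        if addr.version != 4:
            return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
        first_octet = int(addr) >> 24
        if first_octet < 128:
            prefix = 8
        elif first_octet < 192:
            prefix = 16
        elif first_octet < 224:
            prefix = 24
        else:
            return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


# Constructed Zeek-style records (not real capture data). Zeek names the
# responder address id.resp_h; it is flattened here to a plain key.
DNS_RECORDS = [
    {"_path": "dns", "id.resp_h": "192.168.1.53", "query": "example.com"},
    {"_path": "dns", "id.resp_h": "192.168.1.53", "query": "example.net"},
    {"_path": "dns", "id.resp_h": "172.16.5.5", "query": "corp.example"},
    {"_path": "dns", "id.resp_h": "172.16.9.9", "query": "corp.example"},
    {"_path": "dns", "id.resp_h": "10.0.0.2", "query": "intranet.example"},
    {"_path": "dns", "id.resp_h": "8.8.8.8", "query": "example.org"},
    {"_path": "http", "id.resp_h": "93.184.216.34", "host": "example.com"},
]


def classnet_counts(records):
    """Model of the query above:
    _path=dns | put classnet=network_of(id.resp_h) | cut classnet
             | count() by classnet | sort -r
    Returns (classnet, count) pairs, most common first."""
    counts = Counter(
        str(network_of(r["id.resp_h"])) for r in records if r["_path"] == "dns"
    )
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for classnet, n in classnet_counts(DNS_RECORDS):
        print(f"{n:>4}  {classnet}")
```

Note how coarse the classful result is: 8.8.8.8 is reported as 8.0.0.0/8, which lumps a public resolver in with an entire /8, while the two RFC 1918 resolvers in 172.16.0.0/16 are grouped together. When you know the real address plan, pass an explicit prefix (the model’s optional second argument) rather than relying on the classful default.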
Z: Grouping with Absent Fields
One of the challenges of working with mixed records is that not all fields are present in all records. We’ve added a worked example to the docs showing how to do “by” grouping when the grouping field is absent from some records, using fuse.
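An added Python model (example code for this post, not zq’s implementation) of the two grouping behaviours discussed here and in the cut() example earlier in the post, run over a few constructed mixed Zeek-style records. It assumes that count() by a field skips records that lack the field, and that fuse gives every record the union of all fields with null where one was absent; both are modelled here, not taken from zq’s source.

```python
from collections import Counter

# Constructed mixed Zeek-style records (not real capture data). Only the http
# records carry host and status_code; the dns and conn records lack them.
MIXED = [
    {"_path": "http", "host": "example.com", "status_code": 200, "uri": "/"},
    {"_path": "http", "host": "example.com", "status_code": 200, "uri": "/login"},
    {"_path": "http", "host": "example.com", "status_code": 404, "uri": "/admin"},
    {"_path": "http", "host": "update.example.net", "status_code": 200, "uri": "/v1"},
    {"_path": "dns", "query": "example.com", "qtype_name": "A"},
    {"_path": "conn", "proto": "udp", "service": "dns"},
]


def count_by(records, key):
    """Assumed default 'count() by key' semantics: records that lack the key
    are silently skipped, so the totals only cover records with the field."""
    return Counter(r[key] for r in records if key in r)


def fuse(records):
    """Model of fuse: give every record the union of all fields seen, with
    None (Z null) where a record did not have the field."""
    fields = []
    for r in records:
        for f in r:
            if f not in fields:
                fields.append(f)
    return [{f: r.get(f) for f in fields} for r in records]


def count_by_fused(records, key):
    """'fuse | count() by key': records that lacked the key now group under
    None instead of disappearing, so the totals add up to the input size."""
    return Counter(r[key] for r in fuse(records))


def status_and_counts(records):
    """Model of the cut() example from earlier in the post:
    _path=http | count() by status_code,host
               | status_and_counts=collect(cut(status_code,count)) by host
    cut() inside collect() keeps only status_code and count from each counted
    record, so the per-host list does not repeat the host itself."""
    pair_counts = Counter(
        (r["host"], r["status_code"]) for r in records if r["_path"] == "http"
    )
    per_host = {}
    for (host, status), n in pair_counts.items():
        per_host.setdefault(host, []).append({"status_code": status, "count": n})
    return per_host


if __name__ == "__main__":
    print("count() by host, absent fields dropped:", dict(count_by(MIXED, "host")))
    print("fuse | count() by host:", dict(count_by_fused(MIXED, "host")))
    print("status_and_counts by host:", status_and_counts(MIXED))
```

The dropped-records case is the one that bites during a hunt: `count() by host` over mixed logs quietly ignores the dns and conn records, so the totals no longer add up to the number of records you imported. Fusing first makes the missing-field records visible as a null group, which is usually what you want before drawing conclusions from the counts.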
ZQ: Scripting Enhancements
We’ve also added some neat enhancements for Z scripting. zq can now read Z scripts directly from a file, and with comment and multi-line support those scripts are self-documenting and much easier to share and exchange:
- Comments are now supported in Z code
- Multi-line Z code support has also been added
- A ‘-z’ flag is now available for zq to read Z scripts from files.
ZQD: Remote ZQD Log Import
We’re really excited about this, and can’t wait to get it into people’s hands. While Brim is known as a desktop app, under the hood it is a distributed data architecture: the client connects to the zqd service via a REST API. We’ve started adding support for running zqd remotely, for example on AWS, and to facilitate this you can now import logs into a remote zqd.
Check out Phil Rzewski’s excellent Cookbook recipe on how to set this up. https://github.com/brimsec/brim/wiki/Remote-zqd
Latest Brim Learning Resources
We have three great topics for you this month:
1. Hunting Emotet with Brim and Zeek
With the recent resurgence of Emotet malware, it is important that DFIR professionals familiarize themselves with the threat. In this article and video, you can learn what to look for when hunting Emotet, and how to use Brim and Zeek to quickly identify and pinpoint the initial infection, C2 and spread.
2. Visualizing IP Traffic with Brim, Zeek and NetworkX
Network graphs are a way of structuring, analyzing and visualizing data that represents complex networks; a typical application for threat hunters is modelling and analysing TCP/IP network flows. With the release of Brim’s Python library into open beta, it’s never been simpler to bring the worlds of Zeek and network graphs together, and this article will get you started.
3. Remote ZQD Cookbook
Based on many community requests, we’ve released documentation for running zqd as a remote service. Instead of being limited to the local filesystem for storing imported logs and packet capture data, new features available in Brim starting with v0.20.0 and in the related zq tools starting with v0.24.0 enable access to data stored remotely as well.
This cookbook describes the available options and current limitations.