BRIM

We’ve been very busy here at Brim in the run up to the holiday season to bring you some early gifts.

Latest Releases

We’ve just released version 0.20.0 of the Brim app and version 0.24.0 of ZQ. As always, you can grab Brim from https://www.brimsecurity.com/download

You can read the full details in the release notes. Below are some key highlights:

Z: cut()

Cut through the network noise with cut()

The cut() function is similar to Z’s cut processor, but usable in function context. This allows cut() to be used, for example, inside nested function calls:

Show the count of HTTP Status codes by Host

_path=http | count() by status_code,host | status_and_counts=collect(cut(status_code,count)) by host

The new cut() function

Z: network_of()

Enumerate IP Networks like a network god

Brim already has native support for IP address data types and CIDR notation, and we’re building on that deep network context by adding a new network_of() function.

The new network_of() function maps IP addresses to their CIDR networks, for example:

Show associated IP network classes for queried DNS servers

_path=dns | put classnet=network_of(id.resp_h) | cut classnet | count() by classnet | sort -r

The new network_of() function
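To make the pipeline above concrete, here is an added Python re-implementation of what that Z query computes (classful network per resolver IP, then count by network, sorted descending). This is example code written for this newsletter, not zq's own implementation; the classful mapping (A: /8, B: /16, C: /24) and the sample dns records are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of Zeek dns records (only the fields the pipeline uses),
# standing in for the _path=dns stream Brim would read from a Zeek log.
DNS_RECORDS = [
    {"_path": "dns", "id.resp_h": "8.8.8.8"},
    {"_path": "dns", "id.resp_h": "8.8.4.4"},
    {"_path": "dns", "id.resp_h": "192.168.1.1"},
    {"_path": "dns", "id.resp_h": "192.168.1.1"},
    {"_path": "dns", "id.resp_h": "192.168.1.1"},
    {"_path": "dns", "id.resp_h": "172.16.0.2"},
    {"_path": "conn", "id.resp_h": "10.0.0.1"},  # dropped by the _path=dns filter
]


def classful_network_of(addr):
    """Map an IPv4 address to its classful network (A: /8, B: /16, C: /24).

    Assumption: mirrors the one-argument network_of() in the query above.
    Non-IPv4 and class D/E (multicast/reserved) addresses return None here.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return None
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def classnets_by_count(records):
    """Equivalent of: _path=dns | put classnet=network_of(id.resp_h)
    | cut classnet | count() by classnet | sort -r
    Returns [(classnet, count), ...] by count descending (ties by name)."""
    counts = Counter()
    for rec in records:
        if rec.get("_path") != "dns":
            continue
        net = classful_network_of(rec["id.resp_h"])
        if net is not None:
            counts[net] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for net, n in classnets_by_count(DNS_RECORDS):
        print(f"{net:<18} {n}")
```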

Z: Grouping with Absent Fields

One of the challenges of working with mixed records is that not all fields are present in all records. We’ve added an example on how to do “by” grouping with absent fields using fuse.

ZQ: Scripting Enhancements

We’ve also added some neat enhancements for Z scripting. You now have the ability to read Z self-documenting scripts directly from a file. Sharing and exchanging Z scripts has also become much easier.

ZQD: Remote ZQD Log Import

We’re really excited about this, and can’t wait to get this out into people’s hands. While Brim is known as a desktop app, under the hood it’s a distributed data architecture with a client connecting to the zqd service via a REST API. We’ve started adding support to run ZQD remotely, for example on Amazon AWS. To facilitate this, you can now import logs into a remote ZQD.

Check out Phil Rzewski’s excellent Cookbook recipe on how to set this up. https://github.com/brimsec/brim/wiki/Remote-zqd

Latest Brim Learning Resources

We have three great topics for you this month:

1. Hunting Emotet with Brim and Zeek

With the recent resurgence of Emotet malware, it is important that DFIR professionals familiarize themselves with the threat. In this article and video, you can learn what to look for when hunting Emotet, and how to use Brim and Zeek to quickly identify and pinpoint the initial infection, C2 and spread.

Article: https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff

Video: https://www.youtube.com/watch?v=CW1rNrd7KYU

2. Visualizing IP Traffic with Brim, Zeek and NetworkX

Network Graphs are a way of structuring, analyzing and visualizing data that represents complex networks; a typical application for threat hunters is the modelling and analysis of TCP/IP network flows. With the release of Brim’s Python library into open beta, it’s never been simpler to bring the worlds of Zeek and Network Graphs together, and this article will get you started.

IP Network visualization

Article: https://medium.com/brim-securitys-knowledge-funnel/visualizing-ip-traffic-with-brim-zeek-and-networkx-3844a4c25a2f

3. Remote ZQD Cookbook

Based on many community requests, we’ve released documentation for running ZQD as a remote service. Instead of using the local filesystem for storing imported logs and packet capture data, new features available in Brim starting with v0.20.0 and related zq tools starting with v0.24.0 enable access to data stored remotely as well.

This cookbook describes the available options and current limitations.

https://github.com/brimsec/brim/wiki/Remote-zqd