SOC Hacks : Scripting

Vidura Supun Ehalapitiya · August 31, 2021

Security Operations Centers, where the magic of cyber defense happens! Watching the network constantly for cyber threats… if you are here, you know how it goes. Aside from all the Blue Team fun, this post is about something most people think is out of scope for cyber defenders: “Scripting”.

But I’m not a programmer, I’m an analyst… why would I learn scripting? Because, as one of my managers used to say, that’s how you get all the donkey work done, so you can focus on the things that matter when analyzing and responding to threats.

Scripting is gonna save you a whole lot of time on the job and make your life easier. Is it a required skill in the SOC? Absolutely not, but I’m lazy, and so should you be… I’m a firm believer that hard work is a thing of the past: it dulls creativity and makes more room for error.

Getting back to the topic: why scripting? High-level languages make it even easier to get the job done in two lines. Another reason to learn scripting is the takeover of SOAR platforms, where you can use scripting to automate most of the L1 tasks. Take Cortex XSOAR as an example: it lets you use JS, Python etc. in its playbooks to heavily customize automation.

Speaking from personal experience, when you move up the ladder you are going to need some programming knowledge anyway, especially when dealing with pesky malware and malicious JS code! So why not start with Python? (That is where I took my first steps.) I know, I know, I’m a little biased towards Python since it’s my favorite.

So if you need any more inspiration, here are some of the quick-and-dirty scripts I’ve written and used over time.

LogRhythm Empty Column Remover

If you work in an MSSP environment, you know the pain of manually formatting the logs to attach to email alerts. With just a few lines, you can strip out the empty columns in seconds! Easy as pie :) Here’s the code:

import pandas as pd

filename = input("Enter the Filename (no extension): ")
data = pd.read_csv(filename + ".csv")
# Drop every column that is empty in all rows and save the trimmed copy for the e-mail
data.dropna(axis=1, how="all").to_csv(filename + "_trimmed.csv", index=False)

Azure Payload Formatter

Do you know those pesky payloads? The kind that make your head hurt just looking at them… Then, my friends, Azure is the one that takes the crown: a huge payload separated just by commas. So what should you do? Easy! Replace each comma with a new line. Here is the script:

while True:
    log = input("Enter syslog (empty line to quit): ")
    if not log:
        break
    # Azure packs the whole event onto one comma-separated line; give each field its own line
    string = log.replace(",", "\n")
    print("\n\nLOG\n\n")
    print(string)
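Both scripts above, reworked as functions so they can be dropped into a SOAR playbook or unit-tested; this is an added example, not the post's own code. The LogRhythm-style export and the Azure-style payload are constructed samples, and the splitter adds one thing the plain replace() in the post does not: commas inside a quoted message or a JSON object stay inside their field instead of being turned into line breaks.

```python
import csv
import io

# Constructed LogRhythm-style export (not from the post): three columns are blank in every row.
SAMPLE_CSV = """Log Date,Origin Host,Impacted Host,User,Process,Object
2021-08-31 10:00:01,10.0.0.5,,,svchost.exe,
2021-08-31 10:00:07,10.0.0.9,,,cmd.exe,
"""

# Constructed Azure-style payload: two commas sit inside a quoted message and a
# JSON object, exactly where a plain replace(",", "\n") would cut the value in two.
SAMPLE_PAYLOAD = (
    'time=2021-08-31T10:00:01Z,category=SignInLogs,'
    'resultDescription="Invalid username or password, or account locked",'
    'location={"city":"Colombo","countryOrRegion":"LK"},ip=203.0.113.7'
)


def drop_empty_columns(csv_text):
    """Return the CSV text with every column that is blank in all rows removed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    keep = [col for col in (reader.fieldnames or [])
            if any((row.get(col) or "").strip() for row in rows)]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def split_payload(payload):
    """Split on commas, except those inside "..." or inside {...} / [...]
    (backslash-escaped quotes are not handled)."""
    fields, current, in_quotes, depth = [], [], False, 0
    for ch in payload:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in "{[":
            depth += 1
        elif not in_quotes and ch in "}]":
            depth -= 1
        if ch == "," and not in_quotes and depth == 0:
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    fields.append("".join(current).strip())
    return fields
```

Joining `split_payload(SAMPLE_PAYLOAD)` with newlines gives five lines, where the post's replace() would give seven.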

Start your coding journey today!
