Exercise 1

Scenario:

You are testing out a new IP-based network threat feed. Determine all of the threat categories listed in the feed. Which threat category is the most prevalent in this feed?

Exercise 1 Threat Feed

Exercise 2

Scenario:

You are provided with two IP-based network threat feeds. Determine the overlap (if any) between the two feeds, that is, the IP addresses that appear in both.

Exercise 2 Threat Feed 1

Exercise 2 Threat Feed 2

Exercise 3

Scenario:

You have a sample network log and a sample threat feed list. The entries in each file have already been labeled with an ingress/egress flag giving the flow direction of the network connection or of the threat. Using both the IP address and the direction flag, determine how many alerts you would have in this small network data sample. An entry only counts as an alert when the IP address and the direction both match; an IP match on its own is not enough.

Exercise 3 Sample Network Data

Exercise 3 Threat Feed
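As an added example (not one of the exercise data files and not the course's solution), the following bash script builds a small constructed network log and threat feed and counts alerts by joining the two on IP address and direction with awk. The column layouts (log: timestamp,ip,direction; feed: ip,direction,threat) are an assumption; adjust the field numbers to match the real files. It also prints the count you would get from matching on IP alone, to show how much the direction flag filters out.

```bash
#!/usr/bin/env bash
# Added example for Exercise 3; the data below is constructed and the column
# layouts (log: timestamp,ip,direction  feed: ip,direction,threat) are an
# assumption, not the format of the real exercise files.
set -eu
export LC_ALL=C

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/feed.csv" <<'EOF'
198.51.100.7,ingress,scanner
203.0.113.10,egress,c2
192.0.2.5,egress,malware-download
EOF

cat > "$work/log.csv" <<'EOF'
2024-01-01T00:00:01,198.51.100.7,ingress
2024-01-01T00:00:02,203.0.113.10,ingress
2024-01-01T00:00:03,203.0.113.10,egress
2024-01-01T00:00:04,10.0.0.8,egress
2024-01-01T00:00:05,192.0.2.5,ingress
2024-01-01T00:00:06,198.51.100.7,ingress
EOF

# Print every log line that matches the feed on BOTH ip and direction,
# with the feed's threat label appended. awk reads the feed first
# (NR==FNR is true only while inside the first file) and builds a lookup
# keyed on "ip,direction"; the log is then scanned against that table.
alerts() {
    awk -F',' '
        NR == FNR { threat[$1 "," $2] = $3; next }
        ($2 "," $3) in threat { print $0 "," threat[$2 "," $3] }
    ' "$1" "$2"
}

# Same join on ip alone, to show what ignoring the direction flag costs.
ip_only_matches() {
    awk -F',' '
        NR == FNR { threat[$1] = $3; next }
        $2 in threat { print $0 "," threat[$2] }
    ' "$1" "$2"
}

alert_count()   { alerts "$1" "$2" | awk 'END { print NR }'; }
ip_only_count() { ip_only_matches "$1" "$2" | awk 'END { print NR }'; }

alerts "$work/feed.csv" "$work/log.csv"
printf 'alerts (ip+direction): %s\n' "$(alert_count "$work/feed.csv" "$work/log.csv")"
printf 'matches (ip only):     %s\n' "$(ip_only_count "$work/feed.csv" "$work/log.csv")"
```

On the constructed data the IP-and-direction join yields 3 alerts, while matching on IP alone yields 5: an inbound hit from a known C2 address and an inbound hit from a malware-download host are the kind of noise the direction flag is there to suppress.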

Exercise 4

Scenario:

You have been provided with a sample list of threat feed alerts which have triggered in your environment. The sample list is composed of a target IP address and a description of the threat. Use the provided passive DNS sample file to figure out how many domains have been seen for each IP address in your alerts (count each domain once, even if it was observed resolving to the IP in more than one record).

Exercise 4 Threat Feed Alerts

Exercise 4 Forward DNS Data
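As an added example (not one of the exercise data files and not the course's solution), the following bash script counts, for each alerted IP, the distinct domains that a constructed passive DNS sample shows resolving to it. The column layouts (alerts: ip,description; passive DNS: domain,ip,first_seen,last_seen) are an assumption. It deliberately includes a domain observed twice against the same IP, so the count must de-duplicate, and an alerted IP with no DNS record at all, which is reported as 0 rather than silently dropped.

```bash
#!/usr/bin/env bash
# Added example for Exercise 4; data is constructed and the column layouts
# (alerts: ip,description  pdns: domain,ip,first_seen,last_seen) are an
# assumption, not the format of the real exercise files.
set -eu
export LC_ALL=C

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/alerts.csv" <<'EOF'
203.0.113.10,c2 beacon
192.0.2.5,malware download
198.51.100.22,scanner
EOF

# The same domain can resolve to the same IP in several observation windows,
# so it appears more than once; only distinct domains should be counted.
cat > "$work/pdns.csv" <<'EOF'
update.example.net,203.0.113.10,2024-01-02,2024-01-05
update.example.net,203.0.113.10,2024-01-06,2024-01-09
cdn.example.org,203.0.113.10,2024-01-03,2024-01-03
files.example.com,192.0.2.5,2024-01-01,2024-01-04
mail.example.com,203.0.113.44,2024-01-01,2024-01-04
EOF

# For each alerted IP, count the distinct domains seen resolving to it.
# awk reads the alert list first (NR==FNR) to learn which IPs matter, then
# walks the passive DNS file; seen[] de-duplicates "ip,domain" pairs.
# IPs with no passive DNS record are reported with 0 rather than dropped.
domains_per_ip() {
    awk -F',' '
        NR == FNR { alerted[$1] = 1; next }
        ($2 in alerted) && !seen[$2 "," $1]++ { n[$2]++ }
        END { for (ip in alerted) print ip "," n[ip] + 0 }
    ' "$1" "$2" | sort
}

# Convenience lookup for a single IP: domain_count IP alerts.csv pdns.csv
domain_count() {
    domains_per_ip "$2" "$3" | awk -F',' -v ip="$1" '$1 == ip { print $2 }'
}

domains_per_ip "$work/alerts.csv" "$work/pdns.csv"
```

The number itself is what you triage on: an alerted IP with a single domain is usually a dedicated host, while one with hundreds is likely shared hosting or a CDN edge, where the IP indicator alone says little about which tenant is malicious.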

Hints

The Linux comm command compares two files line by line and reports which lines are common to both and which are unique to each. The -1 and -2 flags suppress the two "unique" columns, so comm -12 prints only the lines that appear in both files. Both inputs must already be sorted in the same collation (for example with sort -u under LC_ALL=C); comm does not sort for you, and unsorted input gives wrong results. Here is an example of how to use the command

comm -12 file1.txt file2.txt

You can use awk to print a single column from a CSV. The following example prints the first column; -F',' sets the field separator, which is a plain split on commas and assumes no field contains an embedded comma:

awk -F',' '{print $1}' file.csv

Bash process substitution, <(command), presents the output of a command as if it were a file, so you can pass it anywhere a command expects a file name instead of reading from stdin. This is how you feed sorted output straight into a command such as comm without writing temporary files. Here is an example:

cat <(echo "how now brown cow")
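Putting the hints together, here is an added example (constructed data, not the course's feed files or its solution) that works Exercise 1 and Exercise 2 end to end: awk pulls the column of interest out of each CSV, sort -u makes the inputs safe for comm, and sort | uniq -c | sort -rn ranks the categories. The feed layout (ip,category) is an assumption. Intermediate sorted files are written to a temp directory so the script also runs under a plain POSIX sh; in bash you can replace the two temp files with comm -12 <(awk -F',' '{print $1}' feed1.csv | sort -u) <(awk -F',' '{print $1}' feed2.csv | sort -u).

```bash
#!/usr/bin/env bash
# Added example (not part of the exercise files): end-to-end use of the hints
# on two constructed IP-based threat feeds with the assumed layout "ip,category".
set -eu
export LC_ALL=C   # one collation for sort and comm, or comm may misbehave

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample feeds; note the duplicated indicator in feed1.
cat > "$work/feed1.csv" <<'EOF'
198.51.100.7,scanner
203.0.113.10,c2
198.51.100.22,scanner
192.0.2.5,malware
203.0.113.10,c2
192.0.2.9,scanner
EOF
cat > "$work/feed2.csv" <<'EOF'
192.0.2.5,malware
203.0.113.44,phishing
198.51.100.22,scanner
EOF

# Exercise 1: distinct categories (column 2) and how often each occurs,
# most prevalent first. Duplicate indicator lines are collapsed first so a
# repeated entry does not inflate its category.
category_counts() {
    sort -u "$1" | awk -F',' '{print $2}' | sort | uniq -c | sort -rn
}

# How many distinct categories the feed carries.
distinct_category_count() {
    category_counts "$1" | awk 'END { print NR }'
}

# The single most prevalent category (uniq -c output is "count name").
most_prevalent() {
    category_counts "$1" | head -n 1 | awk '{print $2}'
}

# Exercise 2: IPs present in both feeds. comm requires both inputs to be
# sorted, so extract column 1 and sort -u each side before comparing.
feed_overlap() {
    awk -F',' '{print $1}' "$1" | sort -u > "$work/a.txt"
    awk -F',' '{print $1}' "$2" | sort -u > "$work/b.txt"
    comm -12 "$work/a.txt" "$work/b.txt"
}

echo "categories in feed1:"
category_counts "$work/feed1.csv"
echo "most prevalent: $(most_prevalent "$work/feed1.csv")"
echo "IPs in both feeds:"
feed_overlap "$work/feed1.csv" "$work/feed2.csv"
```

If you skip the sort -u step and hand comm the raw column order, it will either warn that the input is not sorted (GNU comm) or quietly report a wrong overlap; the sorted-file requirement is the one thing that bites most people using comm for the first time.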