From the course: Complete Guide to Open Source Security
Deep diving with Malcolm's Arkime
- [Instructor] From our Malcolm dashboards, we've been able to collect fairly convincing evidence that we've been under attack. We'll now switch to Arkime and deep dive some of this activity. To start with, we'll select the SPIGraph view. This by default shows protocol use and destination. And at the right-hand side, we can open the map view. We can see the complete logs at the top, and then each protocol with its logs in bands below that. We can see from the top that there's been activity to and from Russia. And if we scroll down, we can see from the shading that this occurs for TCP, HTTP, SSL, TLS, ICMP, and SMB interactions. We can select different SPIGraph views. If we click on Protocols and select instead User Agent Original, we now have an analysis by user agent, and if we scroll down, we'll find that the Python user agent was used for interactions with Russia. Let's now look at the Connections view. This just shows a couple of IP addresses. However, at the top left, we can…