Map DNS logs and HTTP logs together to find a threat actor

Implementing Cisco Cybersecurity Operations (210-255)

Map DNS, HTTP, and threat intelligence data together

Implementing Cisco Cybersecurity Operations (210-255)

Understanding logs from DNS servers and HTTP servers is important. Analyzing data from the logs can help with determining security incidents. Both types of logs include IP address information. Using this field as a key one can map the logs together and establish a chain of information.

Threat intelligence data, such as reputation data from Talos, provides a broader view of what a certain IP or domain has been seen doing worldwide. This can help prioritize data being analyzed from DNS and HTTP logs. Intelligence data can be fed into SEIM and other systems using TAXII or STIX feeds.

Tools like ELSA, Splunk, or QRadar help with mapping logs through automated correlation and normalization of the logs.