
Thank you for the quick introduction. Welcome back; I know you had a great lunch, and I hope that nobody will start to take a quick nap and that you will enjoy my slides. A little story regarding the slides: I was already a speaker last year at BSides Luxembourg, I gave a workshop, and when I saw the call for papers open this year I said, yeah, I will submit again. What I did, as many speakers do: I just submitted my idea, then I was accepted and said, oops, now I have to write some slides and find the rest of the content. I had all the ideas in my mind as usual, but I had to put everything on paper, on slides, and finally I had some nice findings and I hope that you will enjoy it.

So again, a quick introduction about myself, but you already did it. My name, my nick: I'm very active on Twitter, for those who do not follow me; sometimes I'm very critical, especially during conferences like hack.lu and so on. I tweet a lot of stuff, sometimes interesting, sometimes it's really junk, I'm sorry about this. I'm freelance. Very important for me: I'm part of the SANS Internet Storm Center as a security handler. It means that I receive a lot of samples, all those data from people worldwide who submit data to us; that's why I have access to a lot of events and stuff like this. If you want to reach me, here are some URLs: my company, my blog, SANS, and also BruCON of course, because I'm one of the organizers of the conference.

So the idea behind the talk: everybody makes mistakes. Who attended hack.lu before BSides? I presume a lot of people. You attended the call for failure? Also a lot of people. We make failures all the time, of course. We have to deploy stuff, new stuff, we always have new projects coming on top of the list and we have to cancel other projects; it's changing all the time. What I'm trying to do is learn from my mistakes. So when you do a shitty job, you don't have to be afraid to say: yeah, it was really bad, I made a mistake, I forgot to do this, to change the password for example, to change a configuration, to save it. We have to learn from our mistakes, and the goal of this presentation is really to give you some bad stories that I faced. I will not mention any customer, any tool; some people will maybe recognize some screenshots, but the idea is really to give you real-life examples of what may happen when you do some log management stuff in your company.

Log management 101, because yeah, we have to do some kind of introduction. Quickly, log management is a way to collect a lot of information from all your devices, applications and tools that run on your networks, and from a security perspective the goal is to be able to search for interesting stuff inside all those events. Can you imagine: today you have big infrastructures with multiple operating systems, appliances, and in case of a security incident you have to connect to multiple devices: okay, when did the guy connect to my VPN, then start an RDP session, then do that, do this? That is quite boring. With a log management solution you have everything in a central place and you can just investigate. My job is not to collect logs for some customers, it's just to have a look at the logs. So if I have one tool and I can check everything from one central place, that's perfect. But of course you know that your infrastructure changes all the time, and so if you don't maintain this solution, the log management solution, you will miss interesting stuff, and trust me, a lot of mistakes may happen.

Quick question for you: who has a SIEM in your company? A lot of people, that's nice. Next question: who is involved in the SIEM configuration? I mean not using the SIEM to investigate, but really configuring the SIEM, collecting sources of events, defining rules, and so on? Okay. And last question, just for my statistics: who is using Splunk, QRadar, ArcSight for example, ELK, all that stuff? Yeah, okay, so many people, interesting.

When you start to talk about SIEM (already at hack.lu we had a lot of talks which involved SIEM), I always see this kind of quote on slides: yeah, we have a SIEM, we can ingest 15K EPS, events per second, that's a very big one. Yeah, our SIEM ingests 30 gigabytes of data every day, it's really nice. Oh, so we get 250 a day, that's very nice, and so on. Well, for me, I don't care about this. It's like, you know, people, men, they always have the joke between them: yeah, mine is bigger than yours. It's the same for me, exactly. I don't care about getting a lot of events in my SIEM, in my log management solution; I need the right events. I don't care about the amount: if I have the right events, interesting for my investigation, it's a win. So I don't care about the size; we will discuss this in a few seconds. Yeah, I fully agree.

I also like the story of the manager. I faced this really every morning: a manager visited the SOC: hey guys, how are you, everything is fine, no incident? And the SOC side: yeah, nothing, all is green. Do I have to be happy or scared? That's a question; you never know, you never know. But it's a real story: I knew the manager, and he did it every morning.

So we are facing the logs dilemma right now. We can work in two different ways, opportunistic or use cases; those are the two approaches that you implement when you start to deploy your log management solution, and we can quickly compare them. For each of them I have pros and cons. If you work with the opportunistic approach, it means that you log everything, you collect a lot of stuff. It's ideal for DFIR: you need to investigate something, you don't know what you're looking for; threat hunting: more details, more events, more of everything, you will find interesting stuff. It's ideal for that. If you use the use case approach, then you will work in a business-oriented mode, so it means that you will have control of all the resources, and, very important for the management, return on investment: you can reach it. It costs a lot of money to deploy this kind of tool, so if you can prove to your manager that by deploying this kind of solution, in six months, each week you will be able to spot the bad guy or to really solve a security incident that may occur, it's a win.

On the other side, the cons: of course, with the opportunistic approach you will consume a lot of resources, you will be flooded constantly by events, it's like a needle in the haystack, you don't know what to look for. Hunting is fine, you do hunting from time to time, but if you work only on hunting it's not the best choice. You need constant fine-tuning, and you have a false impression of security: yeah, again like my previous slide, I ingest a lot of gigabytes of data per day, so in case of an incident I know that the information will be present. Maybe, maybe not. On the other side, the use case approach: of course you will miss logs, you will not collect everything, you will sometimes have the impression of being blind. Basically I like logs, so I prefer to work with the opportunistic approach, because the more I have, the more I can really search for anything. But on the other side you have the impression of being blind: we have an incident, the incident is in this branch office, yeah, but we don't have logs from this branch office, so we are blind, case closed, we cannot find anything else. And it's also a slow start, so you will need to take your time to deploy your infrastructure and you will reach the return on investment, but it will take more time. The best, of course, is to have both; that's normal.

This is some kind of timeline, basically how you work. You start with some use cases; use cases are really important, that's what you would like to spot if it happens. It's based on your business: if you are working in a health environment, banking environment, insurance, IoT, ICS, whatever, you will have different use cases. The most important thing: you have to know your business, you have to know your organization, to spot the interesting stuff. Then of course you need to learn the tool, because it's quite complex. Once it's done, you can start to have more use cases, you demonstrate to the management that it's a win, so it means you get more resources, you log more and more and more, and then you can hunt and react quickly and start to do some threat intelligence stuff. I like this picture, so Bruce Schneier: it's not the tool, it's the process. I think that this quote has been used in many, many presentations, but it's real, that's the point. You need a lot of processes, a lot of procedures, you need to write down everything, and maintain it too, otherwise you will fail. Are you ready to dive? Now we have some interesting bad stories. Very important, the most important quote of my
slides is: no SIEM was harmed in the making of these slides. Trust me, the stories have been anonymized, so you will not find any customer name, brand, anything, but I think they are quite funny.

The first one, the first failure that you may make: nothing is in place. I'm still facing this from time to time with customers. I had to investigate an incident a few weeks ago; a company called me: can you join, because we had a security issue? Okay, first question: do you have some logs, some material? Yes, we have firewall logs. Okay, may I have access? Sure. I start searching: hmm, but I see only the last three weeks. Yeah, that's normal. Yeah, but the incident occurred four weeks ago. Mm-hmm. Okay, I'm sorry, but you will receive my invoice; I can't help you. Of course, even if it's not successful, I spent some time. So you will see that on some slides I will always try to put a light bulb. It's not an excuse to say no money, no time, and so on. Today it's quite easy to have a basic solution: ELK, which is free, the ELK stack; Splunk, you can deploy your Splunk with a small license, 500 gigabytes or megabytes per day, it's free, it's easy. Yes, I know, I know, but my goal is not to speak about Splunk; I don't have any cap. I have to mention some tools, but I will not promote any solution, any commercial solution. Same for Microsoft: you know a lot of people are moving stuff to Office 365; Microsoft today offers for free a log management solution close to Office 365, so by default you can have all your logs integrated into the Microsoft cloud. It's the cloud, I fully agree, so I will not start the debate of whether we put data in the cloud or not, it's not my goal today, but you have solutions. So when people say we don't have any log management solution: sorry guys, there are plenty of solutions, and it will not cost you a lot of money.

The second example: know your tools. If you collect logs, of course you will have to interact with multiple devices: firewalls, operating systems, switches, routers, and so on. Again it was another company; this time I had to investigate an incident, and the firewall was not properly configured. What they did: they just logged dropped connections, refused connections. The problem is that the company was breached via an RDP connection. Okay, classic today, but RDP was allowed because RDP had to be exposed on the internet. Again, I will not complain about this, it's not good, but RDP was allowed on the firewall. So they asked: could you tell us who accessed the RDP? Because the bad guy had dropped everything, so we had no logs on the system; the system was completely destroyed. Checking the firewall: but we only log dropped connections. Case closed, again I can't help you. And it's fixed.

Next example: don't trust your sysadmins. If you are working in a middle-sized environment, in small companies, usually you have two sysadmins, so they also have a security hat, so they do everything by themselves. But if you switch to a bigger company, usually you have the security team, a network team, a sysadmin team, and so on, and it's not the sysadmin who decides what to log or not. If you are working in security, it's your job, based on your use cases and so on, to know that you need these kinds of logs: this one, this one, this one. And sometimes, often with the help of the management, you have to push the sysadmins and say again: I need this kind of logs. The classic example is DNS logs on DCs: by default Active Directory does not log DNS requests, you have to activate them, but you need to run the service in debug mode, and sysadmins hate this. So it's a debate, you will have to fight against them, you will have to have meetings and so on, but the information is there if you need it; it's up to you to get the management support and to have access to the different logs.

Today is not tomorrow: also a classic issue; the value of logs may change in time. We deployed our SIEM solution, our log management solution, six months ago and since then we didn't have an incident, so it's working quite fine. Of course, we had no incident. Then you have an incident and you realize that last month there was a big integration of companies, or some people left the company, they forgot to do that, they changed the firewall, they split the firewall, they added an extra layer, they added a reverse proxy, whatever you want; it was not integrated. So you have to constantly change the way you handle your logs. Also, depending on your business, you may have some new requirements: if your company is integrated into a bigger company, your sister company may come to you and say: sorry, but starting from now you have to provide some compliance reports, because the mother company needs this. So you have to provide something, and of course this will have a huge impact on your SIEM, because you will have to integrate new logs, because you don't have everything, and so change, change, change all the time. Today is not tomorrow.

Log yourself: I made this mistake. We're speaking about Splunk; on many solutions, when you buy a license you have a daily quota that you can index, so you have a limit: for example you can ingest 10K EPS, or you can index X gigabytes per day. But when you generate the traffic, for example when you index your NetFlow, your flows, and you add the flows generated by the log management into the flows that you index, you break your license, because it's a loop. I made this mistake, I agree, I made the mistake: you explode the license and the storage. So again, a tip: use a management network to handle your log management traffic, and not the production network.

Another one, layer four: I also faced this. I'm a big fan of Docker, so I try to deploy all my applications in Docker containers, and the issue that I had: when you install a new application using Docker, you create your docker-compose, you have everything in place, and automatically Docker will create a new network for you, 172.16-something, I don't remember. Anyway, the problem that I faced: I had a VPN connection used to collect my logs and send them to my server, and every time you deploy a new Docker container it will just increment one byte of the subnet, and Docker created a subnet which was a subnet of my VPN. I did not see this immediately, so when I had to investigate an incident, on my system I hadn't received any logs from this server for one month. Why? Because all the packets were routed internally on my Docker server, because the local interface had more priority than the VPN interface. I missed a lot of events. So keep an eye on your routing and so on, especially now, because we have dynamic routing, dynamic configuration, automation of tool installation, and you can face routing issues and lose events. Just one remark: when you deploy some solutions like an agent, a Splunk forwarder for example, it will queue: if the agent cannot communicate with the server it will keep all the data in a queue, because network outages may always occur, and when the connectivity is back it will flush everything and you will get your events. Except that I don't know what the maximum retention of the Splunk forwarder is, but in my case the routing issue was way longer, so basically I missed a lot of events.

The wrong index, classic also: when you configure a new source of events, in many different platforms (Splunk, ELK) you have indexes, and you send your firewall logs to this index, your system logs to this index, application logs to this index, and so on. But you also have the main or default index, and if you forget (I also made the mistake, I made a lot of mistakes, just me) to specify the index, when you have a daily or weekly or monthly report and you say I would like to generate the statistics for my firewall, statistics for my IDS, and you say in my query: search on this index, but you sent 50% of your events to the wrong index, the report will be bad because you are missing a lot of events. So basically what I am doing now: the default index in the log management solution should never receive any event, and you add a control yourself: if you receive events there, then you create an alert: oh, there are chances that some events are not properly routed to the right index, and you can investigate and quickly fix the problem.

Default configuration, classic issue also, especially this one. I like, you know, security vendors. When I was working with a customer, this customer was using ArcSight, it was 10 years ago, and they bought the PCI compliance package. It means that you just buy it, it costs a lot of money, but you add extra rules, extra reports in your SIEM, in your log management configuration, and by default you will get PCI compliance reports. It's nice, yeah, it works, except that what ArcSight forgot to mention is that you need to apply (where is my pointer?) you need to apply tags to the assets. So you need to review all the assets in your database and say: this one is part of the PCI program, this one, this one, this one, and not this one. If you apply the rules by default, you will just have an empty report, because by default you don't have any PCI host in your database, in your CMDB.

Next one: misconfiguration. Just imagine you have a cluster of appliances working in failover, so active-passive, not active-active, and everything is fine, you get the logs. I think it was an F5 cluster, and you get logs, everything is fine, and suddenly you have again to investigate an incident: I don't see any logs for a while. So I start to investigate, and then you see in the logs of the F5 that the cluster switched to the other node, but the other node was misconfigured: no log management. Oh, that's bad. It happens also,
so misconfiguration: when you deploy a cluster, stuff like this, be sure to test and be sure to send events to the right destination.

Self-loops: this one was very, very bad. From time to time I have to create alerts because I'm just expecting an event to occur, and on one of my systems I created an alert: when I see this term (it was a domain name), just drop me an email and generate an alert for me. This is the configuration; it's not very readable, but I will explain. This is the screenshot of my Splunk configuration. In fact the alert name is "mail from" a domain, and I would like to be notified when I see a mail sent to or from this domain. So I created my alert, perfect, and what I did: I put in the subject of the alert the Splunk alert name, and the name of my alert is "mail from domain". Guess what: I was flooded, because on my mail server I'm also logging the subject, from, to. So it means that the first time the alert triggered, it saw the domain, but Splunk reacted, sent a mail using the same mail server, with the domain name in the subject, and it started again, and again. Of course this kind of stuff happened Sunday at 2:00 a.m., so when you arrive on Monday at the office: oh, what happened? This was a very nice one.

Next: gaps in logs. I was looking for a nice screenshot and I did not find a screenshot related to log management, so it's a screenshot that I grabbed from Google Images, but it really gives you a good overview of the problem. When you have network outages, or when the system is down, a system reboots and the agent is not automatically restarted, it means that you have gaps in your events, and of course, trust me, when you have to investigate an incident, the incident will be on this timestamp; you know, Murphy's law. So gaps are very important, and the goal is to create an alert when a gap is detected: if you don't see any events coming from this device for this amount of time, trigger an alert. This amount of time can be five minutes if it's a really critical system; it can be one week, one day, whatever, but create alerts to be notified that I didn't see any events coming from this system for a while; it could be interesting to investigate.

Upgrades: as I said, your sysadmins, your beloved sysadmins, deploy new tools, but they also have to upgrade. I hope they upgrade: they upgrade tools, appliances, they deploy new firmware and so on, and from time to time the API changes, and you use this API to collect logs and suddenly it does not work anymore. It means that you have a gap, because you don't see any event. It's the worst case. I prefer to have a big gap, the API does not work anymore, instead of having bad events, not properly formatted and so on; but the API is not working. So what we have to do: RTFM, check the new API version, what are the new keywords and queries that you can perform, and so on, and you lose your time, basically.

This one is nice: reused event IDs. I did not detect this myself, it was provided by a friend, so I will not disclose which vendor. Basically you know that some firewalls work at layer seven, they integrate an IDS, and this vendor generates event IDs: event ID ten is for example blocked RDP session, event twenty is root login attempt, I don't know, stuff like this. And I don't know why, probably to optimize and to clean up the event database, they decided at a certain point to reuse previous event IDs for new events. So if in your alerting system you have some rules based on an event ID and suddenly they decide to change it, what may happen? It may be crazy inside your SOC: I see plenty of RDP attempts, but it's not the same event, it's not the same one. It happens.

Lack of CIM: CIM means Common Information Model, and this one is also classic. Usually when people deploy a SIEM solution, a log management solution, they also like to have more content, to have enrichment. So for example Splunk: you can deploy a lot of Splunk apps, they have an app store like Apple, Google, and so you can download apps, and those apps handle specific events, they enrich stuff, they can create new reports; it's beautiful, it works most of the time. Except that some developers don't respect the Common Information Model. You have three types of field names: src, the source; src_ip with an underscore; in many apps the developer may decide to use src_ip with an underscore, or srcip without an underscore. But if you have this in your database and you have reports or alerts and you say: if I see src_ip equals this, send me an alert immediately; if the IP is generated in an event but it's srcip without the underscore, you will miss it. Stupid, but it happens also a lot of the time. That's why Splunk is pushing to have the Common Information Model (where is my pointer? come on, I lost my pointer, anyway). The Common Information Model means that when a developer would like to publish his application on the Splunk app store, it must respect the Common Information Model, otherwise the application will be rejected.

SOC fatigue: it's not a failure, but it's a consequence of all the different issues that we saw. Too many false positives generate fatigue, and then finally people have reduced capacity to react. Trust me, if you have people paid to do false positives, false positives, false positives, false positives (it was a real one), it's missed, because that's the human brain: you cannot ask people to watch logs and to validate false positives all the time. So based on all the consequences that we saw a few minutes ago, you can reach some SOC fatigue, which is also a failure.

We have enough; I think those were nice examples. Now I would like to give you some rules to avoid this, because the goal is to be constructive. When you make mistakes, try to implement stuff to reduce the mistakes, and most of the time you will discover the issues when you have to investigate. I don't spend my day on my log management solution, I use my system when I need to, when I need to investigate something; otherwise I don't even connect to the solution. So implement rules to perform self-monitoring: the goal of this kind of solution is to generate alerts, so generate alerts to monitor if the alerts are working properly. A simple example: you can detect gaps quite easily.

Another rule: implement test scenarios to validate the use cases. Many, many times organizations use playbooks, they have use cases: if we see this and this and this, we fire an alert. The developers, the people responsible for the solution, do some tests; it works. Does it still work one month later, two months later? For example, the classic example: when you integrate MISP, another nice project, with your log management solution, the classic first alert that people create is: if I see a domain name, a communication to a domain name which is part of my list of malicious domain names from MISP, I generate an alert. Okay, that's nice, but how do you test it? It's very easy: you just create a fake domain that only your organization knows, and you try to resolve this domain name from a workstation once a month, and if this domain name appears in your logs, the use case works; otherwise you have to find out why. It's an easy check and simple to do.

To implement playbooks you also have to reserve some time to review them. When you deploy, that's the same issue: when you have a playbook in place, the playbook should have somewhere a step, it's like a development lifecycle: review it, implement it, check, verify if it's still up to date. A good tip: you can use Sigma to do that. When you have to implement new use cases and so on, use Sigma. My recommendation is: you have Sigma, you put all your rules into a GitLab instance, so it means that you have the installation, multiple people may work on the same Sigma rules, you can create interesting scenarios, and you have a history, a log: you see who changed what, when, and so on.

Regarding MISP, I sometimes add slides like this, and I remember another incident that I faced using MISP, my MISP instance. Basically what I'm doing: once a day, at night, I just export the malicious domains from my MISP instance, I store this in a CSV file, and the CSV file is indexed by my log management solution. Guess what: I'm doing this using curl, blah blah blah, perl, output redirected to a CSV file, and one day my MISP was down. I don't remember why, but MISP was down. So at 2:00 a.m. my cron job started, it tried to connect to the MISP instance, it did not work, but what did curl do? It just wrote nothing to my CSV file, and my CSV file was indexed. So it means that for a few hours, or if you execute the script once a month, once a week, the CSV file was empty, so I missed the detection of all the malicious domains for this amount of time. Stupid again, but it happened.

Regarding use cases, I like to explain use cases as reverse engineering. It's a good tip when you have to implement use cases: the goal is to ask yourself, when do I need to be alerted? For example, when I have an admin login on the domain controller, a suspicious RDP from a specific country, a specific site, and so on. When you have this information, the goal is to do some reverse engineering to define where the interesting events come from. Based on this you will be able to collect, at the right place, all the logs mandatory to generate your rules, and to be sure that you will fulfill the use case. That was the last slide, so I hope that you learned a lot; maybe some people say: I already faced this, indeed I faced this situation in my company. I'm open for
questions I don't know how many time have the perfect questions come on it was very interesting talk thank you and I have the one of the the point number four that you have so today is not equal to tomorrow yeah so ideally you want to store and keep the locks forever and the order to know that there's a Ross i0r format of the locks right but you face three problems so I really want to hear so take on that so the first one is the capacities for the storage mm-hmm second one the performance yeah and the third one exactly so um I forgot so let's take the first two first right so the performance and the storage what do you take on that
I think that even if storage is quite cheap today, do what you can to increase your storage. You can work with different types of media: for example, you work on SSD for the live events, say for the last 15 days or the last month and so on, then you switch to a normal hard drive and so on. What some companies do is they just archive the data: export the data in a specific file format, archive it, and store it on CD/DVD, whatever, and put it in a safe place. It means that if you have to investigate an incident which occurred two years ago, which may happen, we never know, you have a DVD, OK, 2017, you read the DVD again. That's the worst case, because I think that if you have to investigate an incident which occurred two years ago, yeah, it could be urgent, but you have time to restore the data, to process them, to load them again in the system, maybe to deploy another system in parallel. For example, I have my Splunk instance, OK, again no marketing, but in my mind I'm using Splunk. I have my official Splunk instance, and when I have to investigate some incident I just spawn a Splunk container, I load all the data inside the Splunk container, and when the incident is closed I just destroy the container, all the evidence is gone and so on, and I don't pollute my official Splunk with new data, I don't bring the performance down, stuff like this. If you install the Splunk container you get a full license for 30 days; it's enough to investigate, so you can index a huge amount of data. So do this and you don't pollute your system, you have an instance dedicated only for this case, and you also avoid some data leak, because if you index in the wrong index you will maybe have data for multiple customers in the bad index and stuff like this.

So deploy multiple platforms, I think that is the best. You have very big logs, for example Windows logs, it's a nightmare, so if you want to store them in a raw format the performance will be a big problem. In Splunk, for example, you have to put Windows logs, it's a huge problem. And now I remember the third point, which is the license: if you want to keep the original format of the logs, sometimes you have to pay a lot for the license. So it depends on your business, because in some businesses you must keep the raw events, for example if you go to court and so on, you need the raw event untouched. In this case I will say if you need it for compliance reasons it means that you have a budget, and you have to put it in the budget for this compliance reason; case closed for me. But for investigations I don't need the raw event, and you are back to the very first slide: opportunistic or use case approach. Because if you say I'm working with use cases, for example Windows events, everybody knows that if you log all the Windows events you will be flooded by a lot of
junk material, but if you have use cases you know exactly which events to log and you will only focus on those ones. So again, if you have a compliance need and you need to keep everything, it means that you need a budget, and you go to your manager and ask for more money. There is no magic.

Thanks for the nice presentation. It goes around the same area that you have been discussing, but a little bit into the active side, not the archiving of logs. There are a lot of very well received baselines around now in the open-source community, for example the Sysmon configuration from SwiftOnSecurity and the Windows audit configuration from the UK National Cyber Security Centre; they have one as well that's open source, and both of them are super great for configuring those kinds of logs. The problem is, even those optimized and really well written configurations generate a lot of logs the moment your environment starts exceeding, like, for example, 10 workstations, and you start hovering towards the hundreds of machines, and you end up generating, as you said in one of the slides, 30 gigs of logs per day or even 200 per day. We tried the UK National Cyber Security Centre audit configuration on a cloud fleet, and the two servers that we are using for the logging were dead because of the traffic that they were hit by. So it's a lot of optimization. My question is: how do you find the sweet spot between the amount of logs you are actively collecting and the amount of logs that guarantees that, if something wrong happened, you will have at least enough information to find out what went wrong and how to counter it and protect yourself or the company?

Just one word: retention. Apply different retention policies. So the events that you parse because you need to parse them, because you know it's your use case: based on the use cases you define the retention, one year for example, because the events are only used for this use case. If you need to do some threat hunting and so on, the opportunistic mode as I explained, apply a retention of six weeks, one month, I don't know. So it means that if you are facing an incident, OK, you have a limited amount of time, you have to be quick to react and to search your logs, but you don't break your license, you don't break your server, your storage cost and so on. So retention is it, and you can also apply retention by type of device: headquarters, retention one year; your branch offices, six months; VPN logs for remote users, three months. You can redefine by yourself how you manage your logs; that's the magic of the tool. I like this: you really create the indexes as you want, you create the retention policies, and you can really fine-tune, and be sure the goal is to have enough time and to be sure to find the right information at the right time.

Thanks. Just a question: at the beginning we mentioned all the different use cases and different ways to design use cases. From your perspective, how do you evaluate the effectiveness of these use cases? I mean, typically there's a kind of business requirement or compliance requirement you try to align your use cases with, but how do you make sure that with the use cases in place you satisfy all the requirements that have been put in there by the business, for instance?

So first, as I mentioned, from a technical point of view you have to test your use case. So if you are looking for specific domains, once a month you generate a query on this very unique domain that only you know, so you are sure that the use case is working. Now I will say that you can have use cases coming from the management, for compliance reasons; for example the CISO may ask, OK, provide me once a month the list of what we call the dormant accounts, so accounts which did not log in for X amount of time. So it's coming from the management, it's a normal process: they have a request, you implement it, it works, and you provide the result. It's up to you to update it if the requirements are changing in time. The other use cases, the technical use cases, depend in my opinion on the threat landscape, so you will implement use cases based on what's in the news. For example the RDP vulnerability, the sudo vulnerability a few weeks ago, one or two weeks ago, something like that: there was a Sigma rule developed for this two days after the exploit was released. So I mean the goal is also to know your infrastructure. If you know that you have Unix servers, you use them to do this and this and this, and you have a vulnerability, implement the use case, and in this case it's up to you to decide when it's not needed anymore. Based on this, I like one of the new features of the latest MISP. Then we have to stop here, but we can continue the discussion offline. The new MISP feature, the decaying of IOCs, it's exactly this: an IOC has a value at the time, and based on the time the value will decrease until the IOC, according to your business, looks less interesting. Does it answer your question? Yeah, thank you very much.
I had a cure right
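The tiered storage and per-index retention the speaker describes (SSD for live events, spinning disk afterwards, archive before deletion, one year for headquarters, six months for branch offices, three months for VPN logs, a few weeks for opportunistic hunting data) map directly onto Splunk's indexes.conf. The fragment below is an added example, not configuration from the talk or from Splunk's own documentation; the index names, volume paths, volume sizes, archive directory and retention values are assumptions chosen to match the numbers given in the answer.

```ini
# Added example: tiered storage and per-index retention in Splunk indexes.conf.
# Index names, paths, sizes and retention values are assumptions for illustration.

# Fast media (SSD) for hot/warm buckets, i.e. the live events of the last weeks.
[volume:fast]
path = /mnt/ssd/splunk
maxVolumeDataSizeMB = 500000

# Slow media (HDD) for cold buckets that are older but still searchable.
[volume:slow]
path = /mnt/hdd/splunk
maxVolumeDataSizeMB = 4000000

# Headquarters: use-case events, kept one year, archived to disk when frozen.
[hq]
homePath   = volume:fast/hq/db
coldPath   = volume:slow/hq/colddb
thawedPath = $SPLUNK_DB/hq/thaweddb
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /mnt/archive/splunk/hq

# Branch offices: six months, archived when frozen.
[branch]
homePath   = volume:fast/branch/db
coldPath   = volume:slow/branch/colddb
thawedPath = $SPLUNK_DB/branch/thaweddb
frozenTimePeriodInSecs = 15552000
coldToFrozenDir = /mnt/archive/splunk/branch

# VPN logs for remote users: three months, deleted when frozen (no archive dir).
[vpn]
homePath   = volume:fast/vpn/db
coldPath   = volume:slow/vpn/colddb
thawedPath = $SPLUNK_DB/vpn/thaweddb
frozenTimePeriodInSecs = 7776000

# Opportunistic / threat-hunting index: six weeks, size-capped, never archived.
[hunting]
homePath   = volume:fast/hunting/db
coldPath   = volume:slow/hunting/colddb
thawedPath = $SPLUNK_DB/hunting/thaweddb
frozenTimePeriodInSecs = 3628800
maxTotalDataSizeMB = 200000
```

Buckets move from the fast volume to the slow one as they roll from warm to cold, and a bucket is frozen once its newest event is older than frozenTimePeriodInSecs. Without coldToFrozenDir a frozen bucket is simply deleted, which is the right behaviour for the VPN and hunting indexes; with it the bucket is copied to the archive directory, which covers the "restore the two-year-old data for an investigation" case: the archived bucket is copied back into thawedPath (which must be a plain path, not a volume) and rebuilt with `splunk rebuild`, ideally on a throwaway instance as the talk suggests. maxTotalDataSizeMB on the hunting index is the belt-and-braces limit that keeps an opportunistic feed from eating the fast volume even before its age-based retention kicks in.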