Especially during my time at Gartner as an analyst, I heard many preposterous claims about TAM’s and IT security budgets and associated pricing strategies. Someone telling you that they supposedly sell to mid-sized enterprises, yet their solution comes with a minimum price tag of $500,000 just stretches believability. A few were exaggerating to fool the analyst but based on end user feedback and having seen pricing, there seemed to be a lot of confusion around what is realistic to ask.

My main observation is that in many cases the assumptions were based on what a vendor wanted to get, rather…

Malware Outbreak visualized as Network Graph

Welcome to our second article on Brim’s Data Science blog. In the first article in this series , we learned how to use Brim’s python library to fetch Zeek data into Pandas.

Today we’re going to build on what we learned last time. Instead of just looking at Zeek data by itself, we’re going to fuse Zeek and Suricata data together. We’re also going to improve how we visualize our network graph to gain some useful insights.

About Brim

If you’re new to Brim, Zeek and Suricata:

  • Brim is an open source tool to search and analyze pcaps, Zeek and Suricata logs.

Qakbot is the newest guise of Qbot, a banking trojan that was first detected in the wild in 2009. Originally focused on the theft of banking credentials via keystroke logging, it has since evolved to deliver a variety of payloads. More recently it has been in the news headlines for increased activity conducting Malspam campaigns.

As mentioned above, the iteration of Qakbot we’ll be looking at includes a Spambot payload, so we’ll be looking for SMTP traffic. The sample we are using also has another interesting characteristic. It uses Cobalt Strike for Command & Control (C2). Cobalt Strike is a…

Brim is a full nano network intrusion detection and threat hunting platform, and best of all, it’s open source. There is no need to install half a SOC or a dozen databases on a laptop to run a breach assessment or conduct a threat hunt. All you need is network data and Brim.

We’ve just released Brim v0.22.0 with some really cool features, rounding out the investigation and threat hunting workflow, including a new query library, CSV and NDJSON export, and a dedicated Suricata alert view.

If you are just getting started with Brim, you can download it here and…

We are really excited to announce that we have extended our pcap post-capture analysis engine in Brim with Suricata. In addition to Brim analyzing raw packet data with Zeek, you can now also detect malicious indicators of compromise using Suricata’s Emerging Threats OPEN ruleset.

Phil Rzewski, Brim’s community director who has been the driving force behind the integration effort, explains that “Our community of users helped validate that Suricata is the next obvious data source for Brim. Most are familiar with Suricata and would like to be using it more. …

Network Graph Visualization of IP Traffic


Network Graphs are a way of structuring, analyzing and visualizing data that represents complex networks, for example social relationships or information flows.

A typical application, and of special interest for threat hunters, modelers and analysts, is the modelling and analysis of TCP/IP network communications.

With the release into open beta of Brim’s Python library, it’s never been simpler to bring the world of Zeek and Network Graphs crashing together. Let’s do some Security Science!



You will need to install Brim on your local workstation where you will be launching Jupyter from.

TIP! You can find detailed installation instructions for Brim…

The US Cybersecurity and Infrastructure Security Agency recently released an advisory warning of a resurgence of the Emotet malware.

Emotet started out in 2014 as a Banking Trojan, but has since evolved into a sophisticated malware, offered on the Darknet as a commercial Cybercrime-as-a-Service platform.

Victims that are infected with Emotet are usually targeted with a phishing email containing a macro-enabled malicious document, or a link to one hosted on a compromised website. The malware frequently acts as a “dropper” and downloads additional components and payloads. Emotet has worming capabilities and may attempt to enumerate and infect further victims on…

In the last article, I shared my favourite Brim ZQL queries to begin a threat hunting investigation in Zeek data. We covered pretty generic observables and events, so this time we’ll delve into how you can get better insights into network activity and actors.

TIP! You can find detailed installation instructions for Brim on Windows, Linux and macOS under

Zeek produces a dedicated “conn.log” stream containing all of the relevant connection data, for example IP addresses, ports, or connection duration and throughput, which most of our analysis will lean on. …

Threat Hunting is challenging — there’s an adversary trying to hide after all — so any tool that can speed up your time to insight should be in a hunter’s tool chest. And while advanced analytics, anomaly detection, machine learning and similar emerging approaches are without doubt powerful and have helped reduce the attacker’s advantage, there are times you just have to delve into the raw data. …

Oliver Rochford

Oliver is a Security Subject Matter Expert at Brim Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store