Thursday, December 21, 2023

Speeding up report reading and security/SOC alert triaging by auto-highlighting keywords on webpages

Introduction:

If you're a security analyst or threat researcher, you may spend a lot of time reading reports/blogs or looking through a SIEM.

It might get annoying to look for specific keywords/fields when looking through things, especially SIEM output. I know I had this issue.

I thought it'd be nice to have an extension that auto-highlighted things for me. While looking for such an extension I found the "Highlight This" extension. There are multiple extensions like it, but this one accepts a URL pointing at a keyword list, so I thought it was perfect to pair with GitHub, as I may be adding/removing keywords over time.

Extension can be found here: https://chromewebstore.google.com/detail/highlight-this-finds-and/fgmbnmjmbjenlhbefngfibmjkpbcljaj?pli=1

Developers sites:

https://highlightthis.net/

https://deboel.eu/

The extension developer does have an optional subscription service which gives you additional abilities (https://highlightthis.net/Subscription.html).


The GitHub repo I'm using this with is here: https://github.com/BoredHackerBlog/highlight_keywords

You should probably make your own list based on your needs.

Setup:

Download the extension and remove the default list. Activate the subscription or the free version (or try the unlimited version for a limited time).

Add a new list. In my case, I'm pulling a list of keywords from GitHub so I can keep updating the list on GitHub in the future.

Add a list URL and customize all other options then start browsing!

I disabled "Only detect complete words", which can cause some bad highlighting (substrings inside longer tokens get marked too). I'd recommend experimenting and finding what works best for you.

The extension also gives you a report of the things it detected:

Results:

The DFIR Report page kinda looks like this:

https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/

Some XML sample logs:

https://github.com/BoredHackerBlog/mitre_attack_xml_eventlogs/