Apologies if this is not the place to ask this, but I've got intel feeds working (criticalstack) for the past few days and was wondering if it is possible to interrogate existing logs with the new intel using bro-cut (I have months' worth where there was a clear breach due to network misconfiguration)?
I guess it is possible, but it would require more of a shell-based diff or something? I know you can replay packet dumps, but it would appear not logs?
Also, I haven't seen this mentioned anywhere: with bro-cut, what globbing / regular expression options are there, e.g.?
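An added example (not part of the post above, and not Bro/Zeek project code) of the retroactive check being asked about: it parses the usual tab-separated Bro log and intel-file formats directly in Python instead of bro-cut, and matches historical rows against indicators loaded from a new feed. The intel file, the conn.log excerpt and the `WATCH` column map are constructed assumptions; the same reader also handles a dns.log `query` column for domain indicators.

```python
# Constructed sample data (not from the post): a tiny Bro/Zeek intel file and
# a tiny conn.log excerpt in the standard tab-separated format with #fields header.
INTEL_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\tconstructed-feed\tknown bad host\n"
    "bad.example\tIntel::DOMAIN\tconstructed-feed\tknown bad domain\n"
)
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    "1500000000.1\tCAbc1\t10.0.0.5\t51000\t198.51.100.7\t443\ttcp\n"
    "1500000001.2\tCAbc2\t10.0.0.6\t51001\t203.0.113.9\t80\ttcp\n"
    "#close\t2017-07-14-00-00-00\n"
)

def parse_zeek_tsv(text):
    """Yield one dict per data row of a Bro/Zeek TSV log or intel file, keyed by #fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue            # other header lines (#separator, #types, #close)
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))

def load_intel(text):
    """Map each indicator to (type, source) so every log field is an O(1) lookup."""
    return {r["indicator"]: (r["indicator_type"], r["meta.source"])
            for r in parse_zeek_tsv(text)}

# Assumed map of which log columns are compared against which indicator types
# (conn.log addresses, dns.log query names).
WATCH = {"id.orig_h": "Intel::ADDR", "id.resp_h": "Intel::ADDR", "query": "Intel::DOMAIN"}

def retro_match(log_text, intel):
    """Return (ts, uid, column, indicator, source) for every historical row that hits."""
    hits = []
    for row in parse_zeek_tsv(log_text):
        for col, itype in WATCH.items():
            val = row.get(col)
            if val in intel and intel[val][0] == itype:
                hits.append((row["ts"], row["uid"], col, val, intel[val][1]))
    return hits

if __name__ == "__main__":
    for hit in retro_match(CONN_LOG, load_intel(INTEL_FILE)):
        print("\t".join(hit))
```

For months of rotated logs, feed each decompressed file's text to `retro_match` in turn; the hit tuples carry the `uid`, so matches can be pivoted back into the other logs for that connection.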