SpectX4DFIR

Apologies for the lag between posts, dear reader. I’m in the midst of a doctoral dissertation, almost finished my second chapter, and it doesn’t leave a lot of room for additional writing. Treat this entry as a stop gap, courtesy of Raido, from SpectX, the subject of our last toolsmith #143 on SpectX4DFIR. Herein, Raido provides us with a SpectX query to count hits from IPs during different time intervals.

Welcome to the first COVID edition of toolsmith, I do hope this finds you all safe, healthy, and sheltered to the best of your ability.
In February I received a DM via Twitter from Liisa at SpectX regarding my interest in checking out SpectX. Never one to shy away from a tool review offer, I accepted. SpectX, available in a free, community desktop version, is a log parser and query engine that enables you to investigate incidents via log files from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop, ELK and SQL-databases. Actions include:

• Large-scale log review
• Root cause analysis (RCA) during incidents
• Historical log analysis
• Virtual SQL joins across multiple sources of raw data
• Ad hoc queries on data dumps

SpectX architecture differs from other log analyzers in that it queries raw data without indexing directly from storage. SpectX runs on Windows, Linux or OSX, in the cloud, or an offline on-prem server.