Boss of the SOC v1 (2015) Website Defacement
Question #1

The first question asks for the IP address of the individual conducting reconnaissance against the web server using a scanning technique. I began my investigation with the search index=botv1, as provided in the instructions, and added imreallynotbatman.com as specified in question 1. After running the search, I identified the dest_header field in the left-side panel. Expanding it, I examined its values and found references to the Acunetix Web Vulnerability Scanner, indicating its use in the reconnaissance activity. To improve visibility and identify the IP address scanning the web server, I created a table of the fields src_ip, dest_ip, and dest_header. I then filtered the results for the keyword 'scan' within the dest_header field and applied a dedup command to the src_ip field to remove duplicate entries, effectively narrowing down the source...
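The search pipeline described above, written out as an added SPL example rather than the exact query the author ran; the index name and field names (index=botv1, src_ip, dest_ip, dest_header) are taken from the writeup as given, and the wildcard match on dest_header is an assumption about how the keyword filter was applied.

```spl
index=botv1 imreallynotbatman.com
| search dest_header="*scan*"
| table src_ip dest_ip dest_header
| dedup src_ip
```

Replacing the last two commands with `| stats count AS scan_hits BY src_ip | sort - scan_hits` ranks candidate sources by request volume instead of keeping only the first-seen event per src_ip, which is a quicker sanity check when more than one source matches the keyword.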