I wanted to post a sample of the AI-Generated reporting that I was able to achieve with only a little bit of tweaking to the prompts in the base script. The value add here for someone in my position with limited time and resources is incredible. My next implementation of this, will be internal focused on that Security Onion stack and the report will be directed at what I need to address daily on my internal assets. ...
The previous two posts got all three streams into Loki, unified by src_ip and joinable by Community ID. That’s a powerful dataset, but it has a problem: it’s enormous. A single day produces tens of thousands of Cowrie events, thousands of Suricata alerts, and thousands of Zeek records. Nobody is reading that by hand every morning. This post covers the layer that makes the whole thing usable, a Python script that pulls the day’s data, scores attackers by how interesting they are, and hands the most significant ones to Claude to write up as per-attacker narratives. ...