Loki

The previous two posts got all three streams into Loki, unified by src_ip and joinable by Community ID. That’s a powerful dataset, but it has a problem: it’s enormous. A single day produces tens of thousands of Cowrie events, thousands of Suricata alerts, and thousands of Zeek records. Nobody is reading that by hand every morning. This post covers the layer that makes the whole thing usable, a Python script that pulls the day’s data, scores attackers by how interesting they are, and hands the most significant ones to Claude to write up as per-attacker narratives. ...

In the previous post I got two of the three streams live on the Pi: Cowrie and Suricata, both shipping to Loki through Alloy with a shared src_ip key. This post covers the Mac side, which is where the third stream comes in and where the whole correlation idea stops being a diagram and starts being something you can actually query. By the end of it, one attacker IP lights up across all three tools at once, and any single network flow can be matched between Suricata and Zeek deterministically rather than by eyeballing timestamps. ...

A quick preface before we get into the technical stuff. The next several sections are AI generated. I dumped my notes, config files, scripts and all the rest into a project in Claude, then prompted it through how I wanted the post compiled, linked and published. I have already had many nights of tinkering, troubleshooting and building a rather large note repository on this project, I didn’t want to take another week trying to type up, link and copy/paste code snippets in here. This is just much more efficient and I highly encourage it. Now, on to the juicy details! ...

Now we get into the part of the project that I have little to no experience in. While I have used the tools, I don’t have years of working knowledge and I have certainly never combined them in this way in an attempt to build a narrative around an attack. Thus enter my good buddy Claude to fill in the gaps. I knew what I wanted, but not how to get there. I have been in school with SANS for some time now and while I have learned an absolute ton, I don’t claim myself to be an expert in anything. Since this is my first experience setting up a honeypot like this, I started reading about different ways to parse the data… and man there are a lot of them. I decided that while I could follow a write up of someone that had come before me to the letter and have a working solution in no time, I would probably learn more by explaining what I wanted to AI and having it coach me through the process. ...