[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

17Jan/12

Where are the discussions on analyzing logs in DFIR?

It's funny how much (or rather, how little) is said in DFIR circles about analyzing logs before and during an incident.

While it is really sexy (oh yeah!) to be able to dig out stuff from a computer that Joe or that pesky malware writer tried to hide, responding to incidents requires as much information as possible to be surfaced as fast as possible in order to solve the mystery and contain the damage. And for organization-scale incidents, one great source of information is the logs generated by the various endpoints and perimeter devices.

So far there's the area of SIEMs and log management, where we get heavyweights like Anton Chuvakin. The closest thing could perhaps be SANS' network forensics course offerings, but the coverage is glancing at best. But looking for discussions on analyzing logs specifically for DFIR: zilch. Perhaps I'm looking in the wrong areas; if so, do let me know :D

As with many security-related domains, the more an area is publicly shared, researched and discussed, the more the good guys stand to gain. The flip side argument being that the bad guys are reading the same stuff too, but that's another topic to be visited another time.

Till then, I'll share whatever I can about this area from what I've learnt so far. It's really a curious monster in itself amongst DFIR efforts.

17Jan/12

Highly Predictive Blacklists

SANS Internet Storm Center has a service for DShield log contributors called HPBs (Highly Predictive Blacklists). Since their summary is succinct enough I will just quote it here:

DShield.org in collaboration with SRI International has established a new experimental custom source address blacklist generation service available to all DShield.org contributors. This new service utilizes a radically different approach to blacklist formulation called Highly Predictive Blacklisting. Each DShield contributor can now access a unique HPB (instructions below) that reflects the most probable set of source addresses that will connect to that contributor's network over a prediction window that may last several days into the future.

Highly predictive blacklists employ a link analysis algorithm similar to Google's PageRank scheme used to find the most relevant web pages given a user's query. Similar to a web query, DShield contributor's firewall logs are cross-compared in search of overlaps among the attackers they report. Each attacker address that is included in an HPB is selected by favoring those addresses that are encountered by other contributors that share degrees of overlap with the HPB owner.

How does it work (for non math geeks ;-) ): We compare your firewall logs to firewall logs submitted by others. If you and other submitters are hit on similar ports, then you are more likely to be attacked by the same IPs. Your personal "HPB" is created from the IP addresses that target submitters with similar reports as you.

While this is directly useful to firewall administrators, the concept could potentially be extended to other domains/uses too. Filing this under "bag of tricks" for now :D
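To make the "similar reports" idea concrete, here is an added example (my own code, not DShield's or SRI's service) that builds a toy predictive blacklist from a handful of constructed firewall logs. It keeps the two ideas from the quoted summary, scoring peers by how much their reported attackers and targeted ports overlap with yours and then ranking the addresses those peers saw, but it uses a single-pass weighted overlap instead of the PageRank-style link analysis of the real service. The `src=<ip> dpt=<port>` line format, the contributor names and the addresses are all made up for the example.

```python
"""Simplified HPB-style (Highly Predictive Blacklist) ranking.

Added example, not DShield/SRI code: rank attacker IPs by how similar
their victims' reports are to yours, using a one-pass weighted overlap
rather than the PageRank-like link analysis of the real service.
"""
import re
from collections import defaultdict

# Constructed sample firewall logs, one block per contributor, in a made-up
# "src=<ip> dpt=<port>" line format. The real DShield submission format is
# not shown on the page and is not assumed here.
SAMPLE_LOGS = {
    "me": (
        "2012-01-17 08:01:11 DROP src=198.51.100.7 dpt=22\n"
        "2012-01-17 08:02:30 DROP src=198.51.100.7 dpt=445\n"
        "2012-01-17 08:05:02 DROP src=203.0.113.9 dpt=3389\n"
        "2012-01-17 08:07:45 DROP src=192.0.2.44 dpt=22\n"
    ),
    "peer_a": (
        "2012-01-17 08:00:09 DROP src=198.51.100.7 dpt=22\n"
        "2012-01-17 08:03:17 DROP src=203.0.113.9 dpt=3389\n"
        "2012-01-17 08:09:51 DROP src=192.0.2.80 dpt=22\n"
        "2012-01-17 08:10:02 DROP src=192.0.2.81 dpt=23\n"
    ),
    "peer_b": (
        "2012-01-17 07:58:40 DROP src=192.0.2.44 dpt=22\n"
        "2012-01-17 08:04:12 DROP src=198.51.100.7 dpt=445\n"
        "this line is malformed and should be skipped\n"
        "2012-01-17 08:11:33 DROP src=192.0.2.82 dpt=445\n"
    ),
    "peer_c": (  # no overlap with "me" at all, so it contributes nothing
        "2012-01-17 08:00:00 DROP src=10.0.0.5 dpt=80\n"
        "2012-01-17 08:00:01 DROP src=10.0.0.6 dpt=80\n"
    ),
}

LINE_RE = re.compile(r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dpt=(?P<dpt>\d+)")


def parse_log(text):
    """Return (set of source IPs, set of targeted ports); malformed lines are skipped."""
    srcs, ports = set(), set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            srcs.add(m.group("src"))
            ports.add(int(m.group("dpt")))
    return srcs, ports


def jaccard(a, b):
    """Overlap between two sets in [0, 1]; two empty sets share nothing."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def similarity(mine, theirs):
    """How alike two contributors' reports are: equal weight on shared
    attacker addresses and on shared targeted ports."""
    return 0.5 * jaccard(mine[0], theirs[0]) + 0.5 * jaccard(mine[1], theirs[1])


def similar_contributors(reports, me):
    """Peers with any overlap with `me`, most similar first."""
    mine = reports[me]
    scored = [(peer, similarity(mine, rep)) for peer, rep in reports.items() if peer != me]
    return sorted(((p, s) for p, s in scored if s > 0), key=lambda ps: (-ps[1], ps[0]))


def build_blacklist(raw_logs, me, top_n=10):
    """Rank addresses reported by similar peers that `me` has not seen yet:
    each address scores the sum of the similarities of the peers reporting it."""
    reports = {name: parse_log(text) for name, text in raw_logs.items()}
    known = reports[me][0]
    scores = defaultdict(float)
    for peer, weight in similar_contributors(reports, me):
        for ip in reports[peer][0] - known:
            scores[ip] += weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


if __name__ == "__main__":
    for ip, score in build_blacklist(SAMPLE_LOGS, "me"):
        print(f"{ip:<16} {score:.3f}")
```

Running it for contributor `me` ranks `192.0.2.82` (seen by the most similar peer) above the two addresses only `peer_a` reported, while `peer_c`, whose reports share neither attackers nor ports with ours, never influences the list. That last point is the practical caveat of the approach: the prediction is only as good as the overlap, so a contributor with an unusual exposure profile gets a short or empty HPB, and the list should be treated as a prioritised watch or block candidate set rather than a verdict on any single address.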

24Dec/11

Family gatherings

Family gatherings...

...the time for short but precious catch ups.

...the time to meet prospective new additions to the family ;)

...the time where I remember the grace of family members towards one another, especially to the "wayward" ones... (how unfathomably deep is God's grace to us in Jesus, when I can't even fully understand the family type?)

...the time when we remember that many (of them) are just a phone call away actually.

I like family gatherings. :)
