
RSA Conference '23 - Hunting Stealth Adversaries with Graphs & AI - Wrap-Up & Community Resources

Apr 24, 2023
Jess Garcia - One eSecurity
Twitter: j3ssgarcia - LinkedIn: garciajess

Thanks to those attending my talk at the RSA Conference '23!

On this page, you will find a list of resources mentioned during the talk that I hope will help you and the Community.

But that's not all! This is a great occasion for us, and we wanted to use the opportunity to share with the Community tools that we have been improving during the last year.

Today we are releasing one of the projects that you saw presented in the talk: the new CHRYSALIS release, this time focused on graph data structures for anomaly detection.

Together with my talk, I hope this will be a valuable contribution to the Community.


To start with, you can download the presentation & demo here:


Second, you can find more information about the projects and tools referenced in the presentation in the previous RSA conference:


We would like to take this great day to announce the new version of CHRYSALIS, v0.8.1 (AKA “ds4n6_lib”), our Python DS4N6 library that provides an easy way to ingest the output of forensic tools in Jupyter and perform multiple types of Data Science and Machine Learning analysis.

CHRYSALIS now supports Sabonis (a DFIR pivoting tool), developed by one of the best contributors to the DS4N6 project: Toño Díaz (jupyterj0nes).

It also adds the mlgraph module, which includes two important functions:

  • build_lm_dataset(), which generates a dataset after processing information about possible lateral movements.
  • find_lm_anomalies(), which searches for anomalies and provides the information needed to build the graph that will help us in the analysis.

Very useful, isn't it?

You can get more information about CHRYSALIS in the following blog entries:

How to apply

As we have seen in the presentation, applying it is very simple; just follow these steps:

  1. Download the DAISY VM and install it on your PC.
  2. Collect lateral movement telemetry: obtain a raw CSV file using Sabonis.
  3. Select the type of algorithm in CHRYSALIS: the mlgraph module in CHRYSALIS processes the CSV file and generates a lateral movement dataset (build_lm_dataset()).
  4. Run the Machine Learning models: search for lateral movement anomalies (find_lm_anomalies()), which generates a new CSV. Finally, process that CSV file to get the graph.
  5. Analyze the results: analyze the graph, which represents anomaly associations.

You can get more information about here.
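To illustrate the pipeline in steps 2 to 5 (raw CSV, dataset, anomaly search, graph), here is an added example that is not from the talk or from CHRYSALIS and does not call ds4n6_lib. The CSV columns, the function names build_dataset, find_anomalies and anomaly_paths, and the baseline-versus-hunt-window rule (a simple stand-in for the Machine Learning models) are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names are assumed, not the real Sabonis layout.
SAMPLE_CSV = """time,user,src_host,dst_host
2023-04-03T09:01,alice,WS01,FS01
2023-04-03T09:05,bob,WS02,FS01
2023-04-05T08:47,bob,WS02,PRN01
2023-04-06T09:30,admin1,ADM01,DC01
2023-04-10T09:02,alice,WS01,FS01
2023-04-11T02:14,bob,WS02,SRV07
2023-04-11T02:21,bob,SRV07,DC01
2023-04-11T09:40,admin1,ADM01,DC01
"""

def build_dataset(csv_text):
    """Parse raw logon rows into time-sorted (time, user, src, dst) tuples."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((r["time"], r["user"], r["src_host"], r["dst_host"]) for r in rows)

def find_anomalies(dataset, cutoff):
    """Flag post-cutoff logons whose host-to-host edge or user-to-host pair
    never appears in the baseline (pre-cutoff) graph."""
    base_edges, base_access = set(), set()
    for time, user, src, dst in dataset:
        if time < cutoff:
            base_edges.add((src, dst))
            base_access.add((user, dst))
    return [(time, user, src, dst) for time, user, src, dst in dataset
            if time >= cutoff
            and ((src, dst) not in base_edges or (user, dst) not in base_access)]

def anomaly_paths(anomalies):
    """Chain anomalous edges into multi-hop paths for graph review."""
    graph = defaultdict(list)
    for _, _, src, dst in anomalies:
        graph[src].append(dst)
    targets = {d for dsts in graph.values() for d in dsts}
    def walk(node, path):
        nxt = [d for d in graph.get(node, []) if d not in path]
        if not nxt:
            return [path]
        return [p for d in nxt for p in walk(d, path + [d])]
    return [p for root in list(graph) if root not in targets for p in walk(root, [root])]

if __name__ == "__main__":
    flagged = find_anomalies(build_dataset(SAMPLE_CSV), cutoff="2023-04-10")
    print(flagged, anomaly_paths(flagged))
```

On the sample data, the two night-time logons by bob are flagged and chain into a single WS02 to SRV07 to DC01 path, while the routine alice and admin1 logons in the same window are not.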

Thanks! Let's Stay In Touch!

Again, thank you very much for attending my presentation. I hope you enjoyed it and learnt from it, and that it will whet your appetite to learn more about Data Science, Machine Learning and DFIR.

You can also:

  • Follow me on Twitter: @j3ssgarcia
  • Attend the courses I teach at SANS: FOR500, FOR508, FOR610, FOR578, FOR585, …
  • If you need professional DFIR help of any kind, contact me at One eSecurity

Hope to meet you personally in any corner of the world one of these days!

Jess Garcia
DS4N6 - Project Lead / One eSecurity - Founder / SANS - Senior Instructor
