EVTX in JSON format not being interpretted. #290
Comments
|
hello - this hasn't been forgotten, I promise. thanks for your patience as I got some foundational stuff ready for faster development. at this time, we're not parsing velociraptor output but #250 has that as a feature request. I'm just starting to handle data from Hayabusa though (as of today). this may meet the analytic need, albeit through a different tool. velociraptor handling is hopefully a fairly near-term goal, though. If you can paste a few entries here (redacted fine - just keep JSON format valid), I can take a look to see what may be happening. |
|
Hey Phil, Thanks for replying. For your info I am actually using the Winlogbeat parser from Kape. {"@timestamp":"2023-11-14T08:52:33.556Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"8.11.1"},"winlog":{"api":"wineventlog","event_id":"5719","event_data":{"param1":"REDACTED","param2":"%%1311","Binary":"5E0000C0"},"channel":"System","record_id":3191243,"task":"None","opcode":"Info","provider_name":"NETLOGON","computer_name":"REDACTED","keywords":["Classic"]},"message":"This computer was not able to set up a secure session with a domain controller in domain REDACTED due to the following: \nWe can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential. \nThis may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. \n\nADDITIONAL INFO \nIf this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain."} Let me know if you need anything else. Thank you for all your help as this really does help everyone in the community :) |
|
I know it's been a while but I've just prepped a testing VM that needed to be done before we could re-approach this one. what is the filename for this sample? that will determine how (and if) it is handled. since it's velociraptor-specific, it's quite possible/likely that this is not a handled KAPE log - yet! pending your input on the filename, this will like be folded into broader handling of velociraptor data in #250. Right now, the following KAPE logs are ingested:
|
|
Hey Phil. Which filename did you want? The main directory of the output of velociraptor? Collection-HOSTNAME_DOMAINNAME-2024-01-24T10_55_30_01_00 |
Hello Phil,
I've been testing your distribution and love it so far. I have successfully been able to use the SOFELK parser in gkape but I was wondering if it was possible for SOF-ELK to read EVTX files in JSON format. I was using the velociraptor plugin to convert the EVTX (https://docs.velociraptor.app/docs/forensic/event_logs/) to JSON and putting the outputted file under /logstash/kape but I dont see it being ingested at all.
Is what im trying to do not feasible or am I making a mistake somewhere. Appreciate your time and help :)
Warm regards,
Marc
The text was updated successfully, but these errors were encountered: