New feature: Import Hayabusa JSONL #12874
Hi Zach! In the immediate term, an Elasticsearch ingest pipeline could be used to parse the Hayabusa data if it were dropped into a particular directory on the Security Onion host or endpoint with Elastic Agent installed. Otherwise, a longer-term solution would require import via the UI, which might require more formal development and testing, which isn't supported or able to be accommodated at this time. I can test the former as I have time.
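As an added example (my own code, not Security Onion's, Hayabusa's or the commenter's), the normalisation that such an ingest pipeline would have to perform on Hayabusa JSONL before the detections are useful in Security Onion, sketched in Python so the mapping and the failure handling can be tested offline. The Hayabusa field names (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details, MitreTactics, EvtxFile) and the sample records are assumptions, not taken from the thread.

```python
import json
from datetime import datetime
from typing import Optional

# Constructed Hayabusa JSONL sample: two detections, one non-JSON line and one
# record missing required fields. Field names follow Hayabusa's JSON output as
# assumed here; confirm them against your Hayabusa version before relying on them.
SAMPLE_JSONL = [
    r'{"Timestamp":"2024-03-01 10:15:42.123 +00:00","Computer":"WS01","Channel":"Sec","EventID":4624,"Level":"info","RuleTitle":"Logon (Interactive)","Details":{"TgtUser":"alice","LogonType":2},"MitreTactics":["InitAccess"],"EvtxFile":"C:\\evtx\\Security.evtx"}',
    "not json at all",
    r'{"Timestamp":"2024-03-01 10:16:01.000 +00:00","Computer":"WS01","Channel":"Sec","EventID":4688,"Level":"high","RuleTitle":"Suspicious Process Creation","Details":{"Proc":"C:\\Windows\\Temp\\x.exe"},"MitreTactics":["Exec"],"EvtxFile":"C:\\evtx\\Security.evtx"}',
    '{"Computer":"WS02"}',
]

LEVEL_TO_SEVERITY = {"info": 1, "low": 2, "med": 3, "high": 4, "crit": 5}  # assumed Hayabusa levels

def parse_timestamp(ts: str) -> str:
    """Hayabusa writes 'YYYY-MM-DD HH:MM:SS.fff +HH:MM'; Elasticsearch wants ISO 8601 for @timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z").isoformat()

def hayabusa_to_ecs(line: str) -> Optional[dict]:
    """Map one JSONL record to an ECS-style document; return None if it cannot be mapped."""
    try:
        rec = json.loads(line)
        return {
            "@timestamp": parse_timestamp(rec["Timestamp"]),
            "event": {"kind": "alert", "module": "hayabusa", "code": str(rec["EventID"]),
                      "severity": LEVEL_TO_SEVERITY.get(str(rec.get("Level", "")).lower(), 0)},
            "host": {"name": rec["Computer"]},
            "winlog": {"channel": rec["Channel"], "event_id": rec["EventID"]},
            "rule": {"name": rec["RuleTitle"]},
            "threat": {"tactic": {"name": rec.get("MitreTactics", [])}},
            # Keep the raw Hayabusa context: an analyst needs Details and the source evtx file
            "hayabusa": {"details": rec.get("Details"), "evtx_file": rec.get("EvtxFile")},
        }
    except (json.JSONDecodeError, KeyError, ValueError, TypeError):
        return None

def ingest_jsonl(lines):
    """Return (documents, skipped_count); skipped lines should be logged, never dropped silently."""
    docs, skipped = [], 0
    for line in (l for l in lines if l.strip()):
        doc = hayabusa_to_ecs(line)
        if doc is None:
            skipped += 1
        else:
            docs.append(doc)
    return docs, skipped
```

The same mapping expressed as ingest-pipeline processors (json, date, rename, set) is what the Elastic Agent path in the reply would need; the skipped count is the thing to alert on, since a silently dropped detection is worse than none.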
It is nice that SO can import evtx files, but that is not scalable for large incidents (i.e. trying to import thousands of evtx files with hundreds of GBs). It would be nice if SO could import Hayabusa's JSONL results. Hayabusa is scalable in that it can be run on all Windows endpoints via tools like Velociraptor and will generate a much smaller output than the total .evtx files. It also has some of the best native Sigma support and rule sets specifically designed for analyzing Windows event logs.