Hello all! This is my first post here, so please let me know if I've done any formatting incorrectly.
I am running Security Onion 2.3.200 on a Standalone node for testing before I get a full distributed setup rolling. One of the Use Cases I am working on is incorporating Autoruns logs into Security Onion. I see the Pertinax GitHub page, and I see that it is for an older SO version, and was unable to get something similar working for the 2.3 version. So I switched over to trying to get Winlog-Beats to forward a Windows Event Log version of Autoruns output, thanks to Palantir's script. That is working just fine. I can see the logs using Hunt, by "event.dataset:'Autoruns'" just fine. The issue, though, is I would like to be able to perform more granular searches on VirusTotal detections.
Currently, I am receiving the following in the 'Message' and 'winlog.event_data.param1' section of the log, with the correct information that I've removed for security:
Time :
Entry Location :
Entry :
Enabled :
Category :
Profile :
Description :
Signer :
Company :
Image Path :
Version :
Launch String :
VT detection :
VT permalink :
MD5 :
SHA-1 :
PESHA-1 :
PESHA-256 :
SHA-256 :
IMP :
My question is, and I would greatly appreciate anyone's help with this, how do I get Security Onion to parse the 'Message' section or 'winlog.event_data.param1' section and show me different fields for at least 'VT detection' and the hashes?
I do not believe I need to create a separate Ingest Pipeline for this, because the Windows Event Log is being ingested already. It is being parsed by what I assume is the Index Template "so-beats" and the Component Template "winlog-mappings", based on context clues from other Windows Event Logs.
What I have tried so far:
1. Create a Component Template for 'autoruns' that takes 'message' and has mapping to each of the above fields.
2. Edit the 'winlog-mappings' Component Template to include 'param1' sub-mapping date and text fields based on the log information, as I didn't find a sub-mapping for 'message' specifically.
I am worried that this may be a fruitless endeavor because of the way that the log is set up, with everything being stored in 'Event Data' and no 'Data Name' within the XML for the logs.
Please let me know if there is anything else I would need to add for context or help. I would be more than happy to do so.
Thank you for your time!
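Added example (not from the post or from Security Onion): a small Python parser that splits the "Label : value" message body described above into flat fields and turns 'VT detection' into two integers so it can be range-searched. The sample message, the field names and the "hits|engines" format of the VT column are assumptions; the same split rule (first ':' on each line) is what an ingest-pipeline kv or grok processor would need to apply to 'winlog.event_data.param1'.

```python
import re

# Constructed sample of the message body the post describes (labels from the
# post, values made up; the "hits|engines" VT format is an assumption).
SAMPLE_MESSAGE = """Time : 2023-01-01 10:00:00
Entry Location : HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Entry : ExampleUpdater
Signer :
Image Path : c:\\program files\\example\\updater.exe
Launch String : "C:\\Program Files\\Example\\updater.exe" /background
VT detection : 3|72
VT permalink : https://www.virustotal.com/placeholder-link
MD5 : 00000000000000000000000000000000
SHA-1 : 0000000000000000000000000000000000000000
SHA-256 : 0000000000000000000000000000000000000000000000000000000000000000
IMP : 00000000000000000000000000000000
"""

# Message labels mapped to flat field names; unknown labels fall back to
# lower_snake_case so the parser tolerates the remaining Autoruns columns.
FIELD_NAMES = {
    "Entry Location": "entry_location", "Image Path": "image_path",
    "Launch String": "launch_string", "VT detection": "vt_detection",
    "VT permalink": "vt_permalink", "SHA-1": "sha1", "PESHA-1": "pesha1",
    "PESHA-256": "pesha256", "SHA-256": "sha256", "IMP": "imphash",
}

# Label is everything before the first ':' (no label contains one); the value
# may be empty or may itself contain ':' (drive letters, URLs, timestamps).
LINE_RE = re.compile(r"^(?P<label>[^:]+?)\s*:\s?(?P<value>.*)$")


def parse_autoruns_message(message):
    """Turn the 'Label : value' lines of one Autoruns event into a dict."""
    fields = {}
    for line in message.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a field line
        label = m.group("label").strip()
        key = FIELD_NAMES.get(label, label.lower().replace(" ", "_"))
        fields[key] = m.group("value").strip()
    # Split "hits<non-digit>engines" into two integers so Hunt can range-search.
    hit = re.fullmatch(r"(\d+)\D+(\d+)", fields.get("vt_detection", ""))
    if hit:
        fields["vt_positives"], fields["vt_total"] = int(hit.group(1)), int(hit.group(2))
    return fields


def vt_flagged(fields, min_positives=1):
    # True when at least min_positives VirusTotal engines flagged the image.
    return fields.get("vt_positives", 0) >= min_positives
```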