Import EventLog into Splunk
During my incident response engagements, I always need to import EventLog into Splunk for further analysis. Of course, I am not trying to convince anyone to use Splunk during their incident response process. I use Splunk just because there are some commands such as transaction, streamstats and eventstats which are difficult to replace with other tools, and we have some ready-to-use threat hunting queries with which we can speed up our initial triage.
By default, Windows EventLog evtx files are stored in C:\Windows\System32\winevt\Logs, and those evtx files are protected by the Windows kernel. Therefore, you cannot directly edit or copy them for processing; if you do, you risk corrupting the Windows Event Log evtx file. To export an evtx file, open “Event Viewer”, then right-click the log and save it as an evtx file.
From the point of view of Windows program design, you need to call the Windows API and let Windows complete the requested action for you. Similarly, Splunk also uses the native Windows API to process the exported evtx file, so you must use a Windows machine with Splunk installed (either a Universal Forwarder or any full Splunk instance, including an all-in-one Splunk instance or a Heavy Forwarder instance) to process the evtx file. In other words, the inputs.conf must be deployed or defined on a Windows machine in order to successfully import the Event Log into Splunk. You will need to use the sourcetype preprocess-winevt. If you do not explicitly define the correct sourcetype, Splunk will display garbled characters after importing the EventLog evtx file. You can find a working version of inputs.conf below:
[monitor://C:\analysis\*sysmon.evtx]
disabled = 0
sourcetype = preprocess-winevt
host = victim_machine
index = wineventlog
crcSalt = <SOURCE>
As you can see below, Splunk correctly imports the file and automatically recognizes the correct sourcetype, which is WinEventLog:Microsoft-Windows-Sysmon/Operational in this case.
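The export and the inputs.conf stanza above can be scripted together. This is an added example, not code from the original post, and it uses wevtutil epl in place of the Event Viewer right-click export; the C:\analysis staging folder, the channel list and the hostname parameter are assumptions.

```powershell
# Added example, not code from the original post: export Event Log channels
# with wevtutil instead of the Event Viewer GUI, name the files so one monitor
# stanza picks them up, hash them, and emit the matching inputs.conf stanza.
# Assumptions: run elevated on the machine being triaged; C:\analysis is the
# staging folder; the channel list is an assumed selection.
param(
    [string]$OutDir = 'C:\analysis',
    [string]$VictimHost = $env:COMPUTERNAME
)

# Channel name -> file suffix. The Sysmon suffix still matches the original
# stanza [monitor://C:\analysis\*sysmon.evtx].
$channels = @{
    'Microsoft-Windows-Sysmon/Operational'     = 'sysmon.evtx'
    'Microsoft-Windows-PowerShell/Operational' = 'powershell.evtx'
    'Security'                                 = 'security.evtx'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = @()
foreach ($channel in $channels.Keys) {
    $target = Join-Path $OutDir ('{0}_{1}' -f $VictimHost, $channels[$channel])
    # wevtutil epl asks the EventLog service for a consistent copy of the
    # channel; /ow:true overwrites a stale export from an earlier run.
    wevtutil epl $channel $target /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $channel failed (exit code $LASTEXITCODE)"
        continue
    }
    $manifest += [pscustomobject]@{
        Channel = $channel
        File    = $target
        SHA256  = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    }
}
# Hashes let you show later that the analysed copy is unchanged.
$manifest | Export-Csv -Path (Join-Path $OutDir "${VictimHost}-manifest.csv") -NoTypeInformation
# Stanza for the Windows Splunk instance that will monitor $OutDir.
# host is the victim's name, not the forwarder's; crcSalt = <SOURCE> stops
# exports with identical leading bytes from being treated as one file.
$stanza = @"
[monitor://$OutDir\${VictimHost}_*.evtx]
disabled = 0
sourcetype = preprocess-winevt
host = $VictimHost
index = wineventlog
crcSalt = <SOURCE>
"@
Set-Content -Path (Join-Path $OutDir 'inputs.conf') -Value $stanza
```

Run it on the machine being triaged, then copy the staging folder and the generated inputs.conf to the Windows Splunk instance that will ingest the files.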
Hunting evil with Sysmon, AutoRuns, and other free tools
- Swift on Security provided a perfect Sysmon template (link)
- Alternate Data Streams (ADS) are sometimes used by attackers to hide their presence. The latest version of Sysmon now logs ADS activity (Event ID 15, FileCreateStreamHash). https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-15-filecreatestreamhash
- AutoRuns to WinEventLog PowerShell script by Palantir Technologies. It is really good for daily threat hunting automation and SIEM integration.
- Parsing Sysmon Events for IR Indicators by CrowdStrike
- KAPE – a fast forensically relevant artifacts collector and parser