wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

detected_events.json issue #60

Closed rahmanonik18 closed 1 year ago

rahmanonik18 commented 1 year ago

I am importing a JSON file from Splunk and trying to analyze it. My detected_events.json shows empty. Do I need the EVTX or is it because of the Splunk?

wagga40 commented 1 year ago

Hi,

Your file must have 1 JSON event per line (JSONL) when using JSON as input. Did you provide the --jsononly argument when you ran Zircolite?
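
The JSONL requirement above is the usual reason a Splunk export yields nothing: an export saved as one pretty-printed JSON array is not one event per line. The converter below is an added example (not part of Zircolite or of this thread) that turns either a top-level JSON array or already-line-delimited input into JSONL, and validates the result line by line the way a JSONL consumer would see it. The `{"preview": ..., "result": {...}}` envelope it unwraps is an assumption about Splunk's export shape; plain event objects pass through untouched.

```python
from __future__ import annotations

import json
import sys
from pathlib import Path
from typing import Iterator

# Constructed sample of an export saved as a single top-level JSON array.
# The {"preview": ..., "result": {...}} wrapper is an ASSUMPTION about how
# Splunk exports search results; the converter unwraps "result" when present.
SAMPLE_EXPORT = """[
  {"preview": false, "result": {"EventID": "4688", "Channel": "Security", "NewProcessName": "C:\\\\Windows\\\\System32\\\\cmd.exe"}},
  {"preview": false, "result": {"EventID": "1", "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe"}}
]"""


def iter_events(raw: str) -> Iterator[dict]:
    """Yield one event dict per record from a JSON array or from JSONL text."""
    text = raw.strip()
    if text.startswith("["):
        records = json.loads(text)  # whole file is one array
    else:
        records = (json.loads(line) for line in text.splitlines() if line.strip())
    for rec in records:
        # Unwrap the assumed Splunk envelope; bare event objects pass through.
        if isinstance(rec, dict) and isinstance(rec.get("result"), dict):
            rec = rec["result"]
        if isinstance(rec, dict):
            yield rec


def to_jsonl(raw: str) -> str:
    """Serialise events as JSONL: exactly one compact JSON object per line."""
    return "".join(json.dumps(ev, separators=(",", ":")) + "\n" for ev in iter_events(raw))


def validate_jsonl(text: str) -> tuple[int, list[int]]:
    """Return (number of valid event lines, 1-based numbers of lines that are
    not a JSON object). A pretty-printed array fails this check on most lines,
    which is why a JSONL consumer finds no events in it."""
    ok, bad = 0, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(lineno)
            continue
        if isinstance(obj, dict):
            ok += 1
        else:
            bad.append(lineno)
    return ok, bad


def convert_file(src: Path, dst: Path) -> int:
    """Convert src (array or JSONL) to JSONL at dst; return the event count."""
    out = to_jsonl(src.read_text(encoding="utf-8"))
    dst.write_text(out, encoding="utf-8")
    return validate_jsonl(out)[0]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: splunk_to_jsonl.py <export.json> <events.jsonl>")
    n = convert_file(Path(sys.argv[1]), Path(sys.argv[2]))
    print(f"wrote {n} events")
```

Run it as `python splunk_to_jsonl.py export.json events.jsonl`, then point Zircolite at `events.jsonl` together with `--jsononly`. Running `validate_jsonl` on the original export first is a quick way to confirm the input was the problem: on the array-shaped sample only one line happens to parse as an object on its own.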

rahmanonik18 commented 1 year ago

Yes, I did. But it doesn't work. Should I copy my JSON here?

wagga40 commented 1 year ago

Yeah please share if you can.

rahmanonik18 commented 1 year ago

I wanted to know: I have analyzed and got the EVTX files using Autopsy, so when I run the following command

python zircolite.py --evtx ../Autopsy-SAMPLES/ --ruleset rules/rules_windows_sysmon.json --template templates/exportForZircoGui.tmpl --templateOutput gui/data.js

it gives me the following output

███████╗██╗██████╗  ██████╗ ██████╗ ██╗     ██╗████████╗███████╗
╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║     ██║╚══██╔══╝██╔════╝
  ███╔╝ ██║██████╔╝██║     ██║   ██║██║     ██║   ██║   █████╗
 ███╔╝  ██║██╔══██╗██║     ██║   ██║██║     ██║   ██║   ██╔══╝
███████╗██║██║  ██║╚██████╗╚██████╔╝███████╗██║   ██║   ███████╗
╚══════╝╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝   ╚═╝   ╚══════╝

-= Standalone SIGMA Detection tool for EVTX/Auditd/Sysmon Linux =-

[+] Checking prerequisites
[+] Extracting events
Using 'tmp-0ORKE0HU' directory
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 123/123 [00:01<00:00, 61.99it/s]
[+] Processing events
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 123/123 [00:01<00:00, 65.60it/s]
[+] Creating model
[+] Inserting data
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████| 28581/28581 [00:03<00:00, 9184.07it/s]
[+] Cleaning unused objects
[+] Loading ruleset from : rules/rules_windows_sysmon.json
[+] Executing ruleset - 1199 rules
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1199/1199 [00:00<00:00, 1667.00it/s]
[+] Results written in : detected_events.json
[+] Cleaning

It doesn't write anything to detected_events.json and also doesn't create data.js for the GUI representation. Why is that?

wagga40 commented 1 year ago

From what I see, the simple explanation is that nothing has been detected. It means that no Sigma rules have matched against your EVTX file.

The ruleset you used is for Windows systems with Sysmon installed; if you don't have Sysmon, use the generic ruleset.

NB: for the GUI, using the --package option is easier.
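
An empty detected_events.json is indistinguishable from "wrong ruleset for this log source" unless you look at which channels the events actually come from. The snippet below is an added example, not Zircolite code or anything from this thread: it tallies the `Channel` field over a JSONL event file and picks the Sysmon ruleset only when Sysmon events are present. It assumes the flattened per-line events carry a top-level `Channel` key, and that the generic ruleset lives at `rules/rules_windows_generic.json` next to the `rules/rules_windows_sysmon.json` used in the issue; the sample events are constructed.

```python
import json
import sys
from collections import Counter

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Assumed paths inside Zircolite's rules/ directory: the Sysmon ruleset is the
# one run in this issue; the generic one is what the maintainer points to.
SYSMON_RULESET = "rules/rules_windows_sysmon.json"
GENERIC_RULESET = "rules/rules_windows_generic.json"

# Constructed JSONL samples (assumption: each flattened event has a "Channel" key).
SAMPLE_NO_SYSMON = "\n".join([
    '{"Channel": "Security", "EventID": 4624, "LogonType": 3}',
    '{"Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"Channel": "System", "EventID": 7045, "ServiceName": "ConstructedSvc"}',
])
SAMPLE_WITH_SYSMON = SAMPLE_NO_SYSMON + "\n" + json.dumps(
    {"Channel": SYSMON_CHANNEL, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
)


def channel_counts(jsonl_text: str) -> Counter:
    """Count events per Channel; events without the field land in one bucket."""
    counts: Counter = Counter()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        counts[ev.get("Channel", "<no Channel field>")] += 1
    return counts


def recommend_ruleset(counts: Counter) -> str:
    """Choose the Sysmon ruleset only when Sysmon events exist; rules keyed on
    Sysmon event IDs can never match a plain Security/System log, which leaves
    detected_events.json empty even though the run itself succeeded."""
    if sum(counts.values()) == 0:
        raise ValueError("no events parsed: check the input is JSONL and --jsononly was given")
    return SYSMON_RULESET if counts[SYSMON_CHANNEL] > 0 else GENERIC_RULESET


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NO_SYSMON
    counts = channel_counts(text)
    for channel, n in counts.most_common():
        print(f"{n:8d}  {channel}")
    print("suggested ruleset:", recommend_ruleset(counts))
```

Run it against the JSONL file you feed to Zircolite (`python channels.py events.jsonl`); if the Sysmon channel is absent from the tally, the Sysmon ruleset was never going to produce a hit, and rerunning with the generic ruleset is the first thing to try before suspecting the parsing step.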