Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(main): adjusted splunk api json format #1083 #1346

Merged
merged 6 commits into from
May 17, 2024
Merged

feat(main): adjusted splunk api json format #1083 #1346

merged 6 commits into from
May 17, 2024

Conversation

hitenkoku
Copy link
Collaborator

What Changed

  • Adjusted Splunk API Json Format.

@hitenkoku hitenkoku added the enhancement New feature or request label May 12, 2024
@hitenkoku hitenkoku self-assigned this May 12, 2024
@hitenkoku hitenkoku linked an issue May 12, 2024 that may be closed by this pull request
Can't used --JSON-input from JSON (export from Splunk) #1083
Closed
@hitenkoku hitenkoku marked this pull request as ready for review May 12, 2024 13:53
fukusuket
fukusuket approved these changes May 12, 2024
View reviewed changes
Copy link
Collaborator

@fukusuket fukusuket left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I confirmed ./hayabusa csv-timeline -f ~/Downloads/splunk_rest_api_output.json -J -w -A -a -o timeline.csv -C works with #1083 data :) LGTM!!🚀
(This branch does not yet include the fix for #1345, so -A, -a options are required)

@YamatoSecurity
Copy link
Collaborator

@hitenkoku Thanks so much!
I am checking with ./target/release/hayabusa csv-timeline -f ~/Desktop/splunk_rest_api_output.json -w -J -a -A -p minimal
Hayabusa is able to detect events but is not outputting correctly.
Even when I specify the minimal profile, it print out all information:

#text: %%2313 ¦ #text: - ¦ #text: 0 ¦ #text: 0x2cec ¦ #text: 0x3e7 ¦ #text: 0xc000006a ¦ #text: 0xc000006d ¦ #text: 8 ¦ #text: Advapi ¦ #text: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ #text: DOMAIN ¦ #text: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ¦ #text: NT AUTHORITY\СИСТЕМА ¦ #text: NULL SID ¦ #text: SRV-EXCH-APP1 ¦ #text: SRV-EXCH-APP1$ ¦ #text: username ¦ @ActivityID: {b832a799-73d3-0000-eba7-32b8d373da01} ¦ @Guid: {54849625-5478-4994-a5ba-3e3b0328c30d} ¦ @Name: AuthenticationPackageName ¦ @Name: FailureReason ¦ @Name: IpAddress ¦ @Name: IpPort ¦ @Name: KeyLength ¦ @Name: LmPackageName ¦ @Name: LogonProcessName ¦ @Name: LogonType ¦ @Name: Microsoft-Windows-Security-Auditing ¦ @Name: ProcessId ¦ @Name: ProcessName ¦ @Name: Status ¦ @Name: SubStatus ¦ @Name: SubjectDomainName ¦ @Name: SubjectLogonId ¦ @Name: SubjectUserName ¦ @Name: SubjectUserSid ¦ @Name: TargetDomainName ¦ @Name: TargetUserName ¦ @Name: TargetUserSid ¦ @Name: TransmittedServices ¦ @Name: WorkstationName ¦ @ProcessID: 688 ¦ @SystemTime: 2023-02-01T07:50:29.386709200Z ¦ @ThreadID: 21888 ¦ @timestamp: 2023-02-01T07:50:29.386709200Z ¦ ActivityID: '{b832a799-73d3-0000-eba7-32b8d373da01}' ¦ AuthenticationPackageName: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ¦ Caller_Domain: DOMAIN ¦ Caller_User_Name: SRV-EXCH-APP1$ ¦ Channel: Security ¦ Computer: srv-exch-app1.mail.server ¦ Error_Code: 0xc000006d ¦ EventCode: 4625 ¦ EventData_Xml: <Data Name='SubjectUserSid'>NT AUTHORITY\СИСТЕМА</Data><Data Name='SubjectUserName'>SRV-EXCH-APP1$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>username</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>8</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name='WorkstationName'>SRV-EXCH-APP1</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x2cec</Data><Data Name='ProcessName'>C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data> ¦ EventID: 4625 ¦ EventRecordID: 181777509 ¦ FailureReason: %%2313 ¦ Guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}' ¦ IpAddress: - ¦ IpPort: - ¦ KeyLength: 0 ¦ Keywords: 0x8010000000000000 ¦ Level: 0 ¦ LmPackageName: - ¦ LogonProcessName: Advapi ¦ LogonType: 8 ¦ Logon_ID: 0x3e7 ¦ Logon_Type: 8 ¦ Name: 'Microsoft-Windows-Security-Auditing' ¦ Opcode: 0 ¦ ProcessID: '688' ¦ ProcessId: 0x2cec ¦ ProcessName: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ RecordNumber: 181777509 ¦ Source_Port: - ¦ Source_Workstation: SRV-EXCH-APP1 ¦ Status: 0xc000006d ¦ SubStatus: 0xc000006a ¦ Sub_Status: 0xc000006a ¦ SubjectDomainName: DOMAIN ¦ SubjectLogonId: 0x3e7 ¦ SubjectUserName: SRV-EXCH-APP1$ ¦ SubjectUserSid: NT AUTHORITY\СИСТЕМА ¦ SystemTime: '2023-02-01T07:50:29.386709200Z' ¦ System_Props_Xml: <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2023-02-01T07:50:29.386709200Z'/><EventRecordID>181777509</EventRecordID><Correlation ActivityID='{b832a799-73d3-0000-eba7-32b8d373da01}'/><Execution ProcessID='688' ThreadID='21888'/><Channel>Security</Channel><Computer>srv-exch-app1.mail.server</Computer><Security/> ¦ TargetUserName: l.lastname ¦ TargetUserSid: NULL SID ¦ Target_User_Name: l.lastname ¦ Task: 12544 ¦ ThreadID: '21888' ¦ TransmittedServices: - ¦ Version: 0 ¦ WorkstationName: SRV-EXCH-APP1 ¦ _bkt: index_name~18~BC1408AF-33BC-4333-8870-09FC2C90BCEF ¦ _cd: 18:275364376 ¦ _eventtype_color: none ¦ _indextime: 1712649029 ¦ _raw: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2023-02-01T07:50:29.386709200Z'/><EventRecordID>181777509</EventRecordID><Correlation ActivityID='{b832a799-73d3-0000-eba7-32b8d373da01}'/><Execution ProcessID='688' ThreadID='21888'/><Channel>Security</Channel><Computer>srv-exch-app1.mail.server</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\СИСТЕМА</Data><Data Name='SubjectUserName'>SRV-EXCH-APP1$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>username</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>8</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name='WorkstationName'>SRV-EXCH-APP1</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x2cec</Data><Data Name='ProcessName'>C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event> ¦ _serial: 0 ¦ _si: idx2.int ¦ _si: index_name ¦ _sourcetype: XmlWinEventLog ¦ _time: 2023-02-01T12:50:29.000+05:00 ¦ action: failure ¦ app: win:remote ¦ authentication_method: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ¦ dest: srv-exch-app1.mail.server ¦ dvc: srv-exch-app1.mail.server ¦ dvc_nt_host: 192.168.10.41 ¦ event_id: 181777509 ¦ eventtype: endpoint_services_processes ¦ eventtype: windows_event_signature ¦ eventtype: windows_logon_failure ¦ eventtype: windows_security_authentication ¦ eventtype: wineventlog_security ¦ eventtype: wineventlog_windows ¦ eventtype: winsec ¦ host: 192.168.10.41 ¦ id: 181777509 ¦ index: index_name ¦ linecount: 1 ¦ name: User logon with misspelled or bad password ¦ process: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ process_id: 0x2cec ¦ process_name: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ process_path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ product: Windows ¦ punct: <_='://../////'><><_='---'_='{----}'/><></><></><> ¦ session_id: 0x3e7 ¦ signature: User logon with misspelled or bad password ¦ signature_id: 4625 ¦ source: XmlWinEventLog:Security ¦ sourcetype: XmlWinEventLog ¦ splunk_server: idx2.int ¦ src: SRV-EXCH-APP1 ¦ src_ip: - ¦ src_nt_domain: DOMAIN ¦ src_nt_host: SRV-EXCH-APP1 ¦ src_port: - ¦ src_user: SRV-EXCH-APP1$ ¦ status: failure ¦ subject: User logon with misspelled or bad password ¦ ta_windows_action: failure ¦ ta_windows_status: 0xc000006d ¦ tag: authentication ¦ tag: cleartext ¦ tag: os ¦ tag: remote ¦ tag: security ¦ tag: track_event_signatures ¦ tag: windows ¦ tag: :Logon_Type: cleartext ¦ tag: :app: remote ¦ tag: :eventtype: authentication ¦ tag: :eventtype: os ¦ tag: :eventtype: security ¦ tag: :eventtype: track_event_signatures ¦ tag: :eventtype: windows ¦ user: l.lastname ¦ user_group: l.lastname ¦ vendor: Microsoft ¦ vendor_product: Microsoft Windows

Is it possible to extract out the fields defined in Details, do the field mapping, etc.. like we do for evtx?

@YamatoSecurity
Copy link
Collaborator

Also, this seems to break support for the apt29 json files:
[ERROR] timestamp parse error. filepath:/xxx/apt29_evals_day1_manual_2020-05-01225525.json,2020-05-02T02:58:44.920Z input contains invalid characters

@YamatoSecurity
Copy link
Collaborator

Sorry, one more thing:
quickxml-to-serde seems to use minidom 0.12.0 which uses an old quick-xml so we are getting these compiler warnings:
warning: the following packages contain code that will be rejected by a future version of Rust: quick-xml v0.17.2
Is there a different crate that we can use? Or else we may have to fork quickxml-to-serde and have it use a forked version of minidom which would make maintenance a little harder.

@hitenkoku

This comment was marked as resolved.

Sign in to view
@hitenkoku
Copy link
Collaborator Author

hitenkoku commented May 15, 2024
edited
Loading

@YamatoSecurity Sorry for my late replying. I fixed following problems in 5a4290b. Would you check it?

@hitenkoku Thanks so much! I am checking with ./target/release/hayabusa csv-timeline -f ~/Desktop/splunk_rest_api_output.json -w -J -a -A -p minimal Hayabusa is able to detect events but is not outputting correctly. Even when I specify the minimal profile, it print out all information:

#text: %%2313 ¦ #text: - ¦ #text: 0 ¦ #text: 0x2cec ¦ #text: 0x3e7 ¦ #text: 0xc000006a ¦ #text: 0xc000006d ¦ #text: 8 ¦ #text: Advapi ¦ #text: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ #text: DOMAIN ¦ #text: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ¦ #text: NT AUTHORITY\СИСТЕМА ¦ #text: NULL SID ¦ #text: SRV-EXCH-APP1 ¦ #text: SRV-EXCH-APP1$ ¦ #text: username ¦ @ActivityID: {b832a799-73d3-0000-eba7-32b8d373da01} ¦ @Guid: {54849625-5478-4994-a5ba-3e3b0328c30d} ¦ @Name: AuthenticationPackageName ¦ @Name: FailureReason ¦ @Name: IpAddress ¦ @Name: IpPort ¦ @Name: KeyLength ¦ @Name: LmPackageName ¦ @Name: LogonProcessName ¦ @Name: LogonType ¦ @Name: Microsoft-Windows-Security-Auditing ¦ @Name: ProcessId ¦ @Name: ProcessName ¦ @Name: Status ¦ @Name: SubStatus ¦ @Name: SubjectDomainName ¦ @Name: SubjectLogonId ¦ @Name: SubjectUserName ¦ @Name: SubjectUserSid ¦ @Name: TargetDomainName ¦ @Name: TargetUserName ¦ @Name: TargetUserSid ¦ @Name: TransmittedServices ¦ @Name: WorkstationName ¦ @ProcessID: 688 ¦ @SystemTime: 2023-02-01T07:50:29.386709200Z ¦ @ThreadID: 21888 ¦ @timestamp: 2023-02-01T07:50:29.386709200Z ¦ ActivityID: '{b832a799-73d3-0000-eba7-32b8d373da01}' ¦ AuthenticationPackageName: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ¦ Caller_Domain: DOMAIN ¦ Caller_User_Name: SRV-EXCH-APP1$ ¦ Channel: Security ¦ Computer: srv-exch-app1.mail.server ¦ Error_Code: 0xc000006d ¦ EventCode: 4625 ¦ EventData_Xml: <Data Name='SubjectUserSid'>NT AUTHORITY\СИСТЕМА</Data><Data Name='SubjectUserName'>SRV-EXCH-APP1$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>username</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>8</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name='WorkstationName'>SRV-EXCH-APP1</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x2cec</Data><Data Name='ProcessName'>C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data> ¦ EventID: 4625 ¦ EventRecordID: 181777509 ¦ FailureReason: %%2313 ¦ Guid: '{54849625-5478-4994-a5ba-3e3b0328c30d}' ¦ IpAddress: - ¦ IpPort: - ¦ KeyLength: 0 ¦ Keywords: 0x8010000000000000 ¦ Level: 0 ¦ LmPackageName: - ¦ LogonProcessName: Advapi ¦ LogonType: 8 ¦ Logon_ID: 0x3e7 ¦ Logon_Type: 8 ¦ Name: 'Microsoft-Windows-Security-Auditing' ¦ Opcode: 0 ¦ ProcessID: '688' ¦ ProcessId: 0x2cec ¦ ProcessName: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ RecordNumber: 181777509 ¦ Source_Port: - ¦ Source_Workstation: SRV-EXCH-APP1 ¦ Status: 0xc000006d ¦ SubStatus: 0xc000006a ¦ Sub_Status: 0xc000006a ¦ SubjectDomainName: DOMAIN ¦ SubjectLogonId: 0x3e7 ¦ SubjectUserName: SRV-EXCH-APP1$ ¦ SubjectUserSid: NT AUTHORITY\СИСТЕМА ¦ SystemTime: '2023-02-01T07:50:29.386709200Z' ¦ System_Props_Xml: <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2023-02-01T07:50:29.386709200Z'/><EventRecordID>181777509</EventRecordID><Correlation ActivityID='{b832a799-73d3-0000-eba7-32b8d373da01}'/><Execution ProcessID='688' ThreadID='21888'/><Channel>Security</Channel><Computer>srv-exch-app1.mail.server</Computer><Security/> ¦ TargetUserName: l.lastname ¦ TargetUserSid: NULL SID ¦ Target_User_Name: l.lastname ¦ Task: 12544 ¦ ThreadID: '21888' ¦ TransmittedServices: - ¦ Version: 0 ¦ WorkstationName: SRV-EXCH-APP1 ¦ _bkt: index_name~18~BC1408AF-33BC-4333-8870-09FC2C90BCEF ¦ _cd: 18:275364376 ¦ _eventtype_color: none ¦ _indextime: 1712649029 ¦ _raw: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2023-02-01T07:50:29.386709200Z'/><EventRecordID>181777509</EventRecordID><Correlation ActivityID='{b832a799-73d3-0000-eba7-32b8d373da01}'/><Execution ProcessID='688' ThreadID='21888'/><Channel>Security</Channel><Computer>srv-exch-app1.mail.server</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\СИСТЕМА</Data><Data Name='SubjectUserName'>SRV-EXCH-APP1$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>username</Data><Data Name='TargetDomainName'></Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc000006a</Data><Data Name='LogonType'>8</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name='WorkstationName'>SRV-EXCH-APP1</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x2cec</Data><Data Name='ProcessName'>C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data></EventData></Event> ¦ _serial: 0 ¦ _si: idx2.int ¦ _si: index_name ¦ _sourcetype: XmlWinEventLog ¦ _time: 2023-02-01T12:50:29.000+05:00 ¦ action: failure ¦ app: win:remote ¦ authentication_method: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ¦ dest: srv-exch-app1.mail.server ¦ dvc: srv-exch-app1.mail.server ¦ dvc_nt_host: 192.168.10.41 ¦ event_id: 181777509 ¦ eventtype: endpoint_services_processes ¦ eventtype: windows_event_signature ¦ eventtype: windows_logon_failure ¦ eventtype: windows_security_authentication ¦ eventtype: wineventlog_security ¦ eventtype: wineventlog_windows ¦ eventtype: winsec ¦ host: 192.168.10.41 ¦ id: 181777509 ¦ index: index_name ¦ linecount: 1 ¦ name: User logon with misspelled or bad password ¦ process: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ process_id: 0x2cec ¦ process_name: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ process_path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe ¦ product: Windows ¦ punct: <_='://../////'><><_='---'_='{----}'/><></><></><> ¦ session_id: 0x3e7 ¦ signature: User logon with misspelled or bad password ¦ signature_id: 4625 ¦ source: XmlWinEventLog:Security ¦ sourcetype: XmlWinEventLog ¦ splunk_server: idx2.int ¦ src: SRV-EXCH-APP1 ¦ src_ip: - ¦ src_nt_domain: DOMAIN ¦ src_nt_host: SRV-EXCH-APP1 ¦ src_port: - ¦ src_user: SRV-EXCH-APP1$ ¦ status: failure ¦ subject: User logon with misspelled or bad password ¦ ta_windows_action: failure ¦ ta_windows_status: 0xc000006d ¦ tag: authentication ¦ tag: cleartext ¦ tag: os ¦ tag: remote ¦ tag: security ¦ tag: track_event_signatures ¦ tag: windows ¦ tag: :Logon_Type: cleartext ¦ tag: :app: remote ¦ tag: :eventtype: authentication ¦ tag: :eventtype: os ¦ tag: :eventtype: security ¦ tag: :eventtype: track_event_signatures ¦ tag: :eventtype: windows ¦ user: l.lastname ¦ user_group: l.lastname ¦ vendor: Microsoft ¦ vendor_product: Microsoft Windows

Is it possible to extract out the fields defined in Details, do the field mapping, etc.. like we do for evtx?

Sorry, one more thing: quickxml-to-serde seems to use minidom 0.12.0 which uses an old quick-xml so we are getting these compiler warnings: warning: the following packages contain code that will be rejected by a future version of Rust: quick-xml v0.17.2 Is there a different crate that we can use? Or else we may have to fork quickxml-to-serde and have it use a forked version of minidom which would make maintenance a little harder.

@YamatoSecurity
Copy link
Collaborator

@hitenkoku Thanks! I checked that both the web exported splunk json and REST exported JSON both work. However, the apt29 JSON logs are not working now. Can you check that? I am still getting the timestamp errors.

@hitenkoku
Copy link
Collaborator Author

@YamatoSecurity I fixed follwing problem in cf4027d.

I am sorry for taking up so much of your time. Would you recheck it?

@hitenkoku Thanks! I checked that both the web exported splunk json and REST exported JSON both work. However, the apt29 JSON logs are not working now. Can you check that? I am still getting the timestamp errors.

YamatoSecurity
YamatoSecurity approved these changes May 17, 2024
View reviewed changes
Copy link
Collaborator

@YamatoSecurity YamatoSecurity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hitenkoku Thanks so much! I tested that all formats are woking now.

@hitenkoku hitenkoku merged commit 2845ad1 into main May 17, 2024
5 checks passed
@hitenkoku hitenkoku deleted the 1083-cant-used-json-input-from-json-export-from-splunk-rest-api branch May 17, 2024 13:40
@fukusuket fukusuket mentioned this pull request Oct 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YamatoSecurity YamatoSecurity YamatoSecurity approved these changes

@fukusuket fukusuket fukusuket approved these changes

Assignees

@hitenkoku hitenkoku

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Can't used --JSON-input from JSON (export from Splunk)
3 participants
@hitenkoku @YamatoSecurity @fukusuket