Monitoring EventIDs and then integrating them with ELK for enrichment?


Juraj Ban

Jun 21, 2019, 6:34:29 AM6/21/19
to velociraptor-discuss
Hi,

I would like to run Velociraptor in the cloud for collecting specific Windows EventIDs, like every user logon/logoff, service creation, process start with its file hash, PowerShell execution, etc.

While I am thinking about Sysmon, the biggest challenge is to transfer its logs from Windows hosts centrally, as not all machines are inside the network (road warriors, etc.), so I saw that Velociraptor has client/server certificate authentication and can be a good fit for monitoring and central event collection, and later for remote forensics.

What I would also like is to have Velociraptor with a not so big HDD, because I have an internal ELK stack with a few terabytes in the cluster (basically, for log collection Velociraptor would be something like a mediator between the endpoint logs and ELK).

Is there any way that I can then collect event logs from Velociraptor and push them into Logstash for enrichment (example: a file hash would be checked against threat intel [MISP, Kaspersky, ...])? That would also allow us later to do some stream processing for actionable actions from one place (e.g. send an email, open an incident in an incident response platform, ...) and maybe some kind of machine learning.

I didn't find any documentation on whether there is some API, syslog, etc. What do you say, people, is that possible to do with Velociraptor?

Br,
Juraj

Mike Cohen

Jun 21, 2019, 7:36:26 AM6/21/19
to velocirapt...@googlegroups.com

Hi Juraj,

   Yep, Velociraptor should work exactly as you describe. Basically you have multiple steps:


1. Configure Sysmon to do what you want (you can use the SwiftOnSecurity stuff, for example). Sysmon will store events in the System event log.

2. Install and configure Velociraptor clients and server.

3. In the GUI, set a client monitoring artifact which watches the event logs for the event IDs you want. Here is an example of an artifact which watches the event logs for service creation:

https://docs.velociraptor.velocidex.com/artifacts/events/#windows-events-servicecreation


Basically the query is like: SELECT * FROM watch_evtx(filename=systemLogFile) WHERE EventID = 7045

What this does is block forever and watch the event log file for new events. Each time a new event is detected, it is parsed and filtered by the WHERE clause, and if it passes the filter it will be forwarded to the server automatically (it will typically be delayed by a couple of minutes for buffering, but this is configurable).


4. The server just collects the client event logs and writes them on disk in a csv file. The file is named after the artifact you created (so you can name it whatever makes sense to you). You can then do whatever you want with them because they are just files on disk.

5. If you want to stream them to elastic you can use the elastic plugin (which is not built by default but you can rebuild it if you want):

https://github.com/Velocidex/velociraptor/blob/master/vql/server/elastic.go


You then just watch for events coming in from your artifact and respond to them server side. So you can create a server side event artifact to listen for that event and push to elastic. Using the elastic plugin you don't actually need Logstash (because you are not actually parsing any logs); the plugin is essentially inserting directly into elastic.


Here is an example artifact which should be very similar:

https://docs.velociraptor.velocidex.com/artifacts/server/#server-powershell-encodedcommand


This particular artifact listens for process execution events (from all clients) and, if they are encoded PowerShell commands, it decodes them and stores the result in another artifact:

SELECT ClientId, ParentInfo, CommandLine, Timestamp,
       utf16(string=base64decode(
                string=parse_string_with_regex(
                   string=CommandLine,
                   regex='-encodedcommand (?P<Encoded>[^ ]+)'
                ).Encoded)) AS Script
FROM watch_monitoring(artifact='Windows.Events.ProcessCreation')
WHERE CommandLine =~ '-encodedcommand'


For your case you would just use watch_monitoring(artifact='my_artifact') to receive the events from your client monitoring artifact and use the elastic() plugin to push to elastic.


In our upcoming release all these artifacts can be configured from the GUI, so you can build HEAD to play with.


Hope this makes sense.

Mike.

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To post to this group, send email to velocirapt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/9e1b39dd-9a11-42f9-b539-3c073ca4b660%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Mike Cohen
Digital Paleontologist,
Velocidex Enterprises

‭+61 470 238 491‬ 
mi...@velocidex.com 
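As an added example (not from this thread or the Velociraptor project), the two artifacts that steps 3 and 5 describe, wired together: a client event artifact built on watch_evtx() that forwards only service-creation events, and a server event artifact that consumes them with watch_monitoring() and hands the rows to elastic(). The event field paths (System.EventID.Value, EventData.ServiceName, ...) and the elastic() parameter names are assumptions taken from the linked artifact and plugin sources, so check them against the version you run; the Elasticsearch address is a placeholder.

```yaml
# Added example, not the project's own artifacts. Shown as one file with two
# YAML documents; in practice each artifact is saved on its own.

# Client monitoring artifact: blocks on the System log and forwards only
# service-creation events (EventID 7045) to the server.
name: Custom.Windows.Events.ServiceCreation
type: CLIENT_EVENT
parameters:
  - name: systemLogFile
    default: C:/Windows/System32/winevt/Logs/System.evtx
sources:
  - queries:
      - |
        SELECT System.TimeCreated.SystemTime AS Timestamp,
               System.EventID.Value AS EventID,
               EventData.ServiceName AS ServiceName,
               EventData.ImagePath AS ImagePath,
               System.Security.UserID AS UserSID
        FROM watch_evtx(filename=systemLogFile)
        WHERE System.EventID.Value = 7045
---
# Server event artifact: receives those rows from every client and inserts
# them straight into Elasticsearch, with no Logstash in between. ImagePath is
# what an enrichment stage downstream would hash and look up.
name: Custom.Server.Forward.ServiceCreation
type: SERVER_EVENT
parameters:
  - name: ElasticAddresses
    default: http://elastic.example.internal:9200   # placeholder, set your cluster
  - name: ElasticIndex
    default: velociraptor-service-creation
sources:
  - queries:
      - |
        LET events = SELECT ClientId, Timestamp, EventID, ServiceName,
                            ImagePath, UserSID
                     FROM watch_monitoring(artifact='Custom.Windows.Events.ServiceCreation')
      - |
        SELECT * FROM elastic(query=events,
                              index=ElasticIndex,
                              type='service_creation',
                              addresses=split(string=ElasticAddresses, sep=','))
```

The elastic() plugin is the one linked above and, as the reply notes, is not compiled into the default build, so the server artifact only works on a binary built with it.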

Michael Cohen

Jun 21, 2019, 7:39:41 AM6/21/19
to velocirapt...@googlegroups.com

Also, I forgot to mention the Python API, since you asked about it; it is here:


https://github.com/Velocidex/velociraptor/tree/master/bindings/python


The readme has exactly the example you need: it watches the monitoring logs and returns one row at a time; if you prefer, you can just push to elastic with a Python script.


Thanks

Mike.

Juraj Ban

Jun 21, 2019, 7:51:06 AM6/21/19
to velociraptor-discuss
Thank you very much for the detailed answer.

BR,
Juraj