detected_events.json issue #60

Closed
rahmanonik18 opened this issue May 10, 2023 · 5 comments
Comments

@rahmanonik18

I am importing a JSON file from Splunk and trying to analyze it. My detected_events.json shows empty. Do I need the EVTX, or is it because of the Splunk export?

@wagga40
Owner

wagga40 commented May 10, 2023

Hi,

Your file must have 1 JSON event per line (JSONL) when using JSON as input.
Did you provide the --jsononly argument when you ran Zircolite?

@rahmanonik18
Author

Yes, I did. But it doesn't work. Should I copy my JSON here?

@wagga40
Owner

wagga40 commented May 10, 2023

Yeah please share if you can.

@rahmanonik18
Author

I wanted to know: I analyzed a disk image and obtained EVTX files using Autopsy, so when I run the following command

python zircolite.py --evtx ../Autopsy-SAMPLES/ --ruleset rules/rules_windows_sysmon.json --template templates/exportForZircoGui.tmpl --templateOutput gui/data.js

it gives me the following output

███████╗██╗██████╗  ██████╗ ██████╗ ██╗     ██╗████████╗███████╗
╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║     ██║╚══██╔══╝██╔════╝
  ███╔╝ ██║██████╔╝██║     ██║   ██║██║     ██║   ██║   █████╗
 ███╔╝  ██║██╔══██╗██║     ██║   ██║██║     ██║   ██║   ██╔══╝
███████╗██║██║  ██║╚██████╗╚██████╔╝███████╗██║   ██║   ███████╗
╚══════╝╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝   ╚═╝   ╚══════╝

-= Standalone SIGMA Detection tool for EVTX/Auditd/Sysmon Linux =-

[+] Checking prerequisites
[+] Extracting events Using 'tmp-0ORKE0HU' directory
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 123/123 [00:01<00:00, 61.99it/s]
[+] Processing events
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 123/123 [00:01<00:00, 65.60it/s]
[+] Creating model
[+] Inserting data
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████| 28581/28581 [00:03<00:00, 9184.07it/s]
[+] Cleaning unused objects
[+] Loading ruleset from : rules/rules_windows_sysmon.json
[+] Executing ruleset - 1199 rules
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1199/1199 [00:00<00:00, 1667.00it/s]
[+] Results written in : detected_events.json
[+] Cleaning

It doesn't write anything to detected_events.json and also doesn't create data.js for the GUI representation. Why is that?

@wagga40
Owner

wagga40 commented May 11, 2023

From what I see, the simple explanation is that nothing has been detected. It means that no Sigma rules have matched against your EVTX file.

The ruleset you used is for Windows systems with Sysmon installed; if you don't have Sysmon, use the generic ruleset.

NB: for the GUI, using the --package option is easier.
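
The two points the owner makes above (JSON input must be JSONL with one event per line, and the Sysmon ruleset only matches Sysmon events) can be checked before running Zircolite. The script below is an added example, not Zircolite's own code: it converts a Splunk-style JSON array export to JSONL, validates every line, and tallies the channels so the ruleset can be matched to the data. The Event/System/Channel layout of the constructed sample and the generic ruleset filename are assumptions.

```python
"""Convert a JSON array export to JSONL (one event per line) and sanity-check
it before feeding it to Zircolite with --jsononly. Added example, not
Zircolite's own code."""
import json
from collections import Counter
from typing import Tuple

# Constructed sample: a JSON array, which is NOT JSONL. The nested
# Event/System/Channel layout is an assumption modelled on evtx_dump output.
SAMPLE_EXPORT = json.dumps([
    {"Event": {"System": {"Channel": "Security", "EventID": 4624}}},
    {"Event": {"System": {"Channel": "Microsoft-Windows-Sysmon/Operational",
                          "EventID": 1}}},
    {"Event": {"System": {"Channel": "Security", "EventID": 4688}}},
])


def to_jsonl(exported: str) -> str:
    """Return one compact JSON object per line. Accepts a JSON array or text
    that is already JSONL (each non-empty line one JSON object)."""
    text = exported.strip()
    if text.startswith("["):
        events = json.loads(text)
    else:
        events = [json.loads(ln) for ln in text.splitlines() if ln.strip()]
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events) + "\n"


def check_jsonl(jsonl: str) -> Tuple[int, Counter]:
    """Validate that every line is a JSON object and count event channels."""
    channels: Counter = Counter()
    count = 0
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue  # blank lines are harmless; skip them
        event = json.loads(line)  # raises on a truncated or non-JSON line
        if not isinstance(event, dict):
            raise ValueError(f"line {lineno}: not a JSON object")
        count += 1
        channel = event.get("Event", {}).get("System", {}).get("Channel", "<none>")
        channels[channel] += 1
    return count, channels


def recommend_ruleset(channels: Counter) -> str:
    """Sysmon ruleset only when Sysmon events are present; otherwise the
    generic one (the generic filename is an assumption)."""
    if any("Sysmon" in name for name in channels):
        return "rules/rules_windows_sysmon.json"
    return "rules/rules_windows_generic.json"
```

Running check_jsonl on the converted file gives a quick answer to this issue's question: an empty detected_events.json with no Sysmon channel in the tally means the Sysmon ruleset had nothing to match, not that the run failed.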

@wagga40 wagga40 closed this as completed Jun 9, 2023