Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1)

Source: Black Hills Information Security, Inc.

Author: BHIS

URL: https://www.blackhillsinfosec.com/wrangling-windows-event-logs-with-hayabusa-sof-elk-part-1/

Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1)

ONE SENTENCE SUMMARY:

Hayabusa and SOF-ELK streamline Windows Event Log analysis by reducing entries and enhancing search efficiency for investigations.

MAIN POINTS:

1. Event logs are crucial yet overwhelming in Windows security investigations.
2. Hayabusa helps filter event logs by reducing entries significantly.
3. Hayabusa outputs timelines in CSV or JSON with rule-based severity.
4. SOF-ELK ingests and parses Hayabusa outputs for efficient analysis.
5. SOF-ELK offers a user-friendly web UI for searching and filtering logs.
6. Windows, Mac, and Linux platforms support the Hayabusa tool.
7. Hayabusa can achieve a 75% reduction in event log entries.
8. Focus on high-severity rule hits for prioritized analysis.
9. Utilize SOF-ELK’s virtual machine and secure copy (scp) for output transfer.
10. Adjust data views and filters in SOF-ELK to refine investigations.

TAKEAWAYS:

1. Use Hayabusa for substantial log entry reduction during investigations.
2. SOF-ELK facilitates detailed search and analysis of log data.
3. Utilize high-severity filtering to streamline investigation focus.
4. Familiarize with SOF-ELK’s web UI for seamless data review.
5. Enhance investigation efficiency by combining tools effectively.