APTAAnomaly

Windows event log anomaly detection powered by ATPA technologies

License: GNU General Public License v3.0 (GPL-3.0)

This repository contains a Velociraptor artifact. It collects Windows event log data, learns models from those logs, and uses those models to detect anomalous behavior.

NOTE

This is a prerelease; the tools used in this artifact are still under heavy development. There will most likely be bugs, but we would love to hear about any issues you encounter so we can fix them as quickly as possible. Any other kind of constructive feedback is also very welcome!

Parameters

If you run APTAAnomaly during an incident and want results as soon as possible, set CPULoad to 1. If you want to run it on a machine that is still in production, set CPULoad to a lower value, e.g. 0.125. CPULoad is the fraction of the machine's cores to use for processing the log data, rounded up to the next whole number of cores.

Usage

First, get the artifact into Velociraptor. An easy way to do this is to open the View Artifacts tab in the web UI, press the Add an Artifact button, and paste the contents of the Windows.EventLogs.APTAAnomaly file into the editor that pops up.

Then, to avoid spamming GitHub with download requests for the artifact zip file, click the APTAAnomaly link under Tools and hit Serve Locally. Note that you may have to click Materialize Hash first.

After this, you can run the artifact from a notebook with the following VQL:

SELECT * FROM Artifact.Windows.EventLogs.APTAnomaly()

After a few minutes (depending on the size of your logs) this produces a result table: the log lines from each evtx file, sorted by novelty score.
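The same notebook query with the CPULoad setting from the Parameters section passed explicitly, limited to the most novel rows. This is an added example, not a query from the repository; it assumes the artifact accepts CPULoad as a parameter in the call and that the returned rows are already sorted by novelty score as described above.

```vql
SELECT * FROM Artifact.Windows.EventLogs.APTAnomaly(CPULoad=0.125)
LIMIT 100
```

Set CPULoad=1 instead when triaging during an incident and the host can be fully loaded.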

Want more?

Check out our Timeline Explorer. It ingests the annotated log files and makes it really easy to drill down, correlate, and explore all the logs.

Video: QuickOvervierwofTimelineExplorerandAPTAnomaly.webm (quick overview of the Timeline Explorer and APTAnomaly)