export-evtx

Export Windows Event Logs to a format ingestible by Security Onion (.evtx)

Primary language: PowerShell. License: GNU General Public License v3.0 (GPL-3.0).

Description

Exports Windows Event Logs (.evtx) into a labeled archive, which can then be carried to and imported into a SIEM or a Security Onion deployment. This niche tool was written for scenarios where logs must be stored and moved to an external SIEM that the target host cannot reach over the network.

Parameters:

#    -Context       -->    The name of the TTP being collected (example: 'Sliver HTTP C2')
#    -Offset        -->    The last X minutes of logs to collect (default: last 30 minutes)
#    -OutputDir     -->    Intended output directory (default: %PUBLIC%\Documents)
#    -LogSet        -->    Additional logset to collect & export.
#    -Help          -->    Return Get-Help information

Defaults:

  • Exports logs to the Public Documents directory (%PUBLIC%\Documents)
  • Exports the last 30 minutes of logs.
  • Attempts to export the following logsets:
    • "Application",
    • "System",
    • "Security",
    • "Microsoft-Windows-Sysmon/Operational",
    • "Microsoft-Windows-PowerShell/Operational"

(Note: MUST BE RUN WITH ELEVATED PRIVILEGES; a non-elevated session cannot read the Security log, so that export fails with access denied.)

Usage

# The example below creates a labeled .zip in .\Examples containing the last 45 minutes of logs
export-evtx -Context 'Github Showcase' -Offset 45 -OutputDir .\Examples
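The following is an added example, not the export-evtx project's own code, showing how the collection described by the parameters and defaults above can be carried out in plain PowerShell: each default logset is exported for the last N minutes with wevtutil and an XPath time filter, the resulting .evtx files are zipped under a sanitized context label, and a SHA-256 of the archive is printed so the copy can be verified after it is moved off the host. Whether the project itself uses wevtutil is an assumption; the parameter names mirror the README, and the context value and paths are sample values.

```powershell
# Added example (not the export-evtx project's own implementation).
# Assumes: Windows with wevtutil.exe (built in), PowerShell 5.1+ for Compress-Archive,
# and an elevated session (Security and Sysmon channels are not readable otherwise).
param(
    [string]   $Context   = 'Sliver HTTP C2',           # sample label, as in the README
    [int]      $Offset    = 30,                         # minutes of history to collect
    [string]   $OutputDir = "$env:PUBLIC\Documents",
    [string[]] $LogSet    = @()                         # extra channels beyond the defaults
)

# Default logsets from the README; extra channels are appended.
$logs = @(
    'Application',
    'System',
    'Security',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-PowerShell/Operational'
) + $LogSet

# Fail early instead of producing a half-empty archive.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session.'
}

# Working directory named after the context label (sanitized) and a UTC timestamp.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$safeCtx = $Context -replace '[^A-Za-z0-9_-]', '_'
$work    = Join-Path $OutputDir "$safeCtx-$stamp"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# wevtutil XPath filter: timediff() yields milliseconds between now and @SystemTime.
$windowMs = $Offset * 60 * 1000
$query    = "*[System[TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

foreach ($log in $logs) {
    # Channel names contain '/', which is not valid in a file name.
    $file = Join-Path $work (($log -replace '[/\\]', '-') + '.evtx')
    # epl = export log; /q: applies the time filter; /ow:true overwrites an existing file.
    & wevtutil.exe epl $log $file "/q:$query" /ow:true
    if ($LASTEXITCODE -ne 0) {
        # Mirrors the README's "attempts to export": a missing channel (no Sysmon
        # installed) or access denied skips that log rather than aborting the run.
        Write-Warning "Skipped '$log' (wevtutil exit code $LASTEXITCODE)"
    }
}

# Bundle the exports and record a hash to verify the copy on the receiving side.
$zip = "$work.zip"
Compress-Archive -Path (Join-Path $work '*.evtx') -DestinationPath $zip -Force
Get-FileHash -Algorithm SHA256 -Path $zip | Format-List Path, Hash
```

Compare the printed SHA-256 against the archive after it reaches the Security Onion sensor before unzipping; so-import-evtx is then given the extracted .evtx paths, as in the ingestion steps below.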


Security Onion Ingestion

  1. Move the archived logs to your Security Onion sensor via your preferred method (USB, SCP, etc.)
  2. Unzip the archive
  3. Import with so-import-evtx


Get-Help

Run export-evtx -Help to print the Get-Help information for the parameters listed above.