WEC Logs

[casimkhan]

How WEC logs being parsed in zircolite and matched to sigma sql statements? In my lab i am forwarding WEC logs from multiple machines to SIEM and from SIEM i can export by filtering on suspected machine all wec logs for certain time in to JSON file, which i have then converted in to JSONL by using jq -c --stream.

below command does create model and insert data without issue but not being detected.
python3 zircolite.py --events /tmp/sample-jsonl.json --ruleset rules/rules_windows_generic_full.json --jsononly

Am i doing things in correct order ?

[wagga40]

To handle JSONL sources, Zircolite flattens any JSON given, which allows conversion to a table in a SQLite in memory Db. The rules in SQL are executed on this Db to get matches.

The workflow is detailed here : Workflow.

Multiple factors can lead to your logs not being handled correctly, can you share a anonymized sample of your logs ?

[wagga40]

OK, I've tested. jq -c --stream does not give you JSONL. Using the EVTX-ATTACK-SAMPLES and jq -c --stream you have something like that :

[[295,"matches",0,"SystemTime"],"2019-07-27T22:43:43.016956Z"]
[[295,"matches",0,"Version"],3]
[[295,"matches",0,"OriginalLogfile"],"sysmon_11_7_1_uacbypass_windirectory_mocking.evtx-VLP81IMX.json"]
[[295,"matches",0,"Image"],"C:\\Windows \\System32\\winSAT.exe"]
[[295,"matches",0,"ProcessGuid"],"747F3D96-D39E-5D3C-0000-0010805A5600"]
[[295,"matches",0,"UtcTime"],"2019-07-27 22:43:42.661"]
[[295,"matches",0,"UserID"],"S-1-5-18"]

Or JSONL as described here look like that :

{"Channel":"Security","Computer":"alice.insecurebank.local","Correlation":null,"EventID":1102,"EventRecordID":25048}

Have you tested directly on what you export from your SIEM without jq ? for example, by default Splunk export to JSONL (even if it is written "JSON").

[casimkhan]

perfect i have tested direct import from splunk and it work smoothly! Thanks