Usage of replayEVTX script
Discover how to use with QRadar my homemade script to replay EVTX logs.
I designed a script to make it easy to replay logs into QRadar, or into any other destination you want. In this quick tip, I will show you how to use it with QRadar to test log reception, rules, or event log parsing and mapping.
In the package you will find:
- Python script (replayEVTX.py)
- Python requirements for the script to work properly (requirements.txt)
- README.md, a quick summary of the package and its usage
Now that you have the package and have validated it locally with the command `replayEVTX.py --input myEVTXfile.evtx --output stdout`, go to QRadar and create a syslog Log Source like this one:
- Log Source Type = Microsoft Windows Security Event Log
- Protocol = Syslog
- Coalescing Events = No
- Log Source Identifier = <IDENTIFIER>
Leave everything else at its default or set it to the values of your infrastructure. Remember the value of <IDENTIFIER>: it is passed to the script to rewrite the hostname, so QRadar knows which Log Source the logs belong to.
Once you have created and deployed the Log Source, open a tab in Log Activity and display real-time logs for this Log Source. Then go to the machine where you have the script package and run `replayEVTX.py --input myEVTXfile.evtx --output syslog --server <QRADAR_IP> --port <QRADAR_SYSLOG_PORT> --format qradar --hostname <IDENTIFIER>`. If everything is set up correctly, you will see logs in the QRadar tab. If you do not see logs, verify these points:
- Can my machine reach QRadar? To validate this point, try `netcat` or a similar tool from the machine to QRadar on the port you want to use.
- Are my logs properly routed by QRadar? To validate this point, open the QRadar command line and run a packet capture with the right options to display the syslog traffic arriving from your machine. If you see logs without a proper header like this one, `<133><DATE> <IDENTIFIER> <FULL LOG>`, review the script execution.
- Are my logs properly parsed by QRadar? To validate this point, check whether the logs land in the SIM Generic Log Source instead of the dedicated Log Source.
When everything is working, you will be able to play with several options to replay logs and test different parts of your monitoring like these:
- `--delay <SECONDS>`: with this option, make a specific pause between every log. It can be helpful when you want to validate slow brute force use cases.
- `--prefix <SOMETHING>`: with this option, add something before the log. It can be useful when you want to test how QRadar behaves when you send it garbage or approximate logs. You can also cover the Log Source Gateway use case by crafting specific headers.
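To make the header check and the two options above concrete, here is an added example that is not part of the replayEVTX.py package: it builds the `<133><DATE> <IDENTIFIER> <FULL LOG>` line QRadar expects for the Log Source, validates a captured line against that shape (the packet capture troubleshooting step), and ships lines with an optional pause. The function names, the `MY-LOGSOURCE-ID` identifier, the RFC 3164 date layout and the sample record are all assumptions constructed for this example.

```python
import re
import socket
import time
from datetime import datetime

# Added example, not the replayEVTX.py code. Assumed header shape:
# '<133><DATE> <IDENTIFIER> <FULL LOG>' with DATE as RFC 3164 'Mon  D HH:MM:SS'.
PRI = 133  # facility local0 (16*8) + severity notice (5)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.+)$"
)


def build_qradar_line(identifier, event_text, prefix="", when=None):
    """Build one syslog line; `prefix` plays the role of --prefix."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    body = " ".join(event_text.splitlines()).strip()  # multi-line record -> one line
    return f"<{PRI}>{stamp} {identifier} {prefix}{body}"


def check_header(line, identifier):
    """Troubleshooting aid: can QRadar route this line to Log Source `identifier`?"""
    m = HEADER_RE.match(line)
    return m is not None and m.group("host") == identifier and int(m.group("pri")) < 192


def send_syslog(lines, server, port, delay=0.0, tcp=False):
    """Send built lines over UDP (default) or TCP, pausing `delay` seconds like --delay."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as sock:
        if tcp:
            sock.connect((server, port))
        for i, line in enumerate(lines):
            if delay and i:
                time.sleep(delay)
            data = (line + "\n").encode("utf-8")
            if tcp:
                sock.sendall(data)
            else:
                sock.sendto(data, (server, port))


# Constructed sample timestamp and record (not a real EVTX export).
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9)
SAMPLE_EVENT = "EventID=4625 An account failed to log on\nTargetUserName=alice Status=0xC000006D"

if __name__ == "__main__":
    line = build_qradar_line("MY-LOGSOURCE-ID", SAMPLE_EVENT, when=SAMPLE_TIME)
    print(line, check_header(line, "MY-LOGSOURCE-ID"))
```

Run `check_header` over the lines shown by your packet capture: a `False` on a line that should match your identifier points at the script options (`--format qradar --hostname <IDENTIFIER>`) rather than at QRadar.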
You have reached the end of this article, huge thanks for reading.
To become a friendlier guru of QRadar, join the community and subscribe to the newsletter.
To become a nicer guru of QRadar, leave a comment; your feedback is always welcome (when constructive, of course).