Category: DFIR

Manually upload EVTX log files to ELK with Winlogbeat and PowerShell

by Zachary Burnham, posted in DFIR, ELK

While the ELK cluster is typically used for live monitoring, Winlogbeat can be tweaked to manually send "cold logs," or old, inactive Windows Event Logs (EVTX) to ELK manually. This functionality allows an analyst to take EVTX files from images of systems collected and utilize the functionality of the ELK stack for their investigations - … Continue reading Manually upload EVTX log files to ELK with Winlogbeat and PowerShell

Installing TheHive – a Security IR Platform

by Zachary Burnham, posted in Incident Response, SOC, Threat Hunting

Working in a SOC environment, it is easy to get lost in the world of case management - unable to balance and juggle the information-to-incident ratio. I have recently come across one of the better solutions to this issue; TheHive. According to their website, TheHive is a "scalable 4-in-1 open source and free security incident … Continue reading Installing TheHive – a Security IR Platform