importing stored sysmon events (json)

[splunk-user1]

Possible to import sysmon events stored as json ? Since it does not meet 1 of the mandatory requirements timestamp_desc

Also the timestamp format is "datetime": "yyyy-mm-ddThh:mm:ss.sssZ" instead of 2015-07-24T19:01:01+00:00

Thank you

[jaegeral]

Hey, if it does not meet the requirements, it will not be possible to import it using the web ui.

There are other methods to import them, e.g. https://timesketch.org/developers/api-upload-data/ which does require some coding.

Depending on the sysmon source, it might be possible to run it via plaso to get it in a format that is accepted from Timesketch. Besides that we are trying to stay away from being to open for formats because it very quickly becomes very complicated to keep up with all the different parsers, data formats and so on.

[splunk-user1]

I added the requisite fields & converted to CSV, which made import easy. Thanks

[berggren]

Another solutoion here is to ust run the Sysmon evtx files in Plaso and import it that way. That also has the benefit of setting data_type correctly, and parsing out eventid etc.

I'm curious: @splunk-user1 what is the use case for exporting to json instead of getting the original evtx files?

[splunk-user1]

Thank you for responding @berggren.

Reg use case for json, the site from where I received the logs uses remote forensic tool that stores collected data in JSON format only