I've copied an EVTX file (~30 GB) directly from my WEC. I need to run Zircolite over it and get results in the Mini-GUI (completely offline, away from my SIEM, QRadar). Which command shall I use and which VM is preferred?!!
Replies: 1 comment
Hello,
Since your VM has limited RAM compared to the size of your aggregated EVTX file, you should try to split the file. One way to do it is to convert the EVTX file to JSON, split this file and handle each resulting split file separately. On your Linux VM or on your Windows 10 VM (with WSL2), in the Zircolite directory:

./bin/evtx_dump_lin -o jsonl YOUR_FILE.evtx -f YOUR_FILE.evtx.json # Linux
# or
./bin/evtx_dump_win -o jsonl YOUR_FILE.evtx -f YOUR_FILE.evtx.json # Windows

split -C 2G -a 5 -d --additional-suffix=.json YOUR_FILE.evtx.json SplitJson
# the value provided with the -C argument is the maximum size of each split file (2GB here);
# -C cuts only at line ends, so every JSON event stays whole (-b would cut the event sitting on a chunk boundary in two)

# If you have SYSMON
zircolite_win10.exe -e SplitJson00001.json -r rules/rules_windows_sysmon_full.json --jsononly
...
# If you do not have SYSMON
zircolite_win10.exe -e SplitJson00001.json -r rules/rules_windows_generic_full.json --jsononly
...

If you want to use all the cores of your VM (GNU Parallel is required), you can speed up the process with the technique detailed here:

find <SPLITJSON_DIRECTORY> -type f -name "*.json" | parallel -j -1 --progress <ZIRCOLITE_BINARY> --evtx {} --ruleset rules/rules_windows_sysmon.json --jsononly --outfile {/.}.detected.json
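As an added example (not part of the reply above nor of the Zircolite project), a small POSIX shell helper for the same procedure: it splits the JSONL export on line boundaries so no event is cut at a chunk edge, checks that every chunk line is still a complete JSON object, and runs one Zircolite pass per chunk. The Zircolite binary and ruleset paths are assumed placeholders; GNU coreutils split is assumed.

```shell
#!/bin/sh
# Added example, not Zircolite project code. Assumes GNU coreutils `split`.

# split_jsonl FILE PREFIX SIZE -> PREFIX00000.json, PREFIX00001.json, ...
split_jsonl() {
    # -C puts at most SIZE bytes of whole lines per chunk; -b would cut the
    # event sitting on each chunk boundary into two unparseable halves.
    split -C "$3" -a 5 -d --additional-suffix=.json "$1" "$2"
}

# check_chunks PREFIX -> 0 if every line of every chunk is a complete object
check_chunks() {
    for f in "$1"*.json; do
        # a half event from a byte-based split would fail this shape test
        if grep -qv '^{.*}$' "$f"; then
            echo "broken event line in $f" >&2
            return 1
        fi
    done
    return 0
}

# count_events PREFIX -> total number of event lines across all chunks
count_events() {
    cat "$1"*.json | wc -l | tr -d ' '
}

# run_zircolite PREFIX BINARY RULESET -> one *.detected.json per chunk
# (BINARY and RULESET are placeholders, e.g. ./zircolite.py and a rules/*.json)
run_zircolite() {
    for f in "$1"*.json; do
        "$2" --evtx "$f" --ruleset "$3" --jsononly \
             --outfile "${f%.json}.detected.json"
    done
}
```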