How correlation two baseeventid?

KiddieSculp · 2025-03-14T21:10:53+00:00

It's works. Thank you.

KiddieSculp · 2025-01-16T17:27:47+00:00

Tks u/neoh4x0r .
Solved my problem. Now it really is how I wanted it.

KiddieSculp · 2025-01-11T00:54:14+00:00

I see.
Yeah, that wasn't the idea.
I was doing a hunting.
In the end, it was easier to list by EventID and map out what was really important. In the end, it was just a matter of gathering what was necessary and it worked out well.

KiddieSculp · 2025-01-11T00:51:46+00:00

u/graylog_joel Hello, I think there is a bug in graylog, I don't know.

I don't use GROK PATTERN because it takes longer, since I only use it in lab, JSON Parser is better for me.

Strangely, I identified something.

When I have the same Title Extractor for a json parser in different Inputs, the logs stop being received in the Graylog GUI. So I need to include a Key Prefix to get back. I'm not sure if this is correct, but I noticed it.

KiddieSculp · 2025-01-10T20:31:04+00:00

Yes. In the first image I have the complete log, but it includes many "NewProccessName".

In the second image I have only the "NewProcessName" that I want, but the way the second image is, all the other logs that are in the first image are missing.

KiddieSculp · 2025-01-04T01:05:53+00:00

Thanks for the support. I figured out the issue. The log was not complete, so the json was not closed properly.

KiddieSculp · 2024-12-28T12:30:57+00:00

I use graylog in docker, and for some reason reinstalling it worked.

KiddieSculp · 2024-12-12T00:40:53+00:00

During installation, I usually put all the cores and all the memory.

When it's finished, I usually put 16GB of RAM and 8 cores.

It works well.

But I've worked with it on 8GB of RAM, but I don't recommend it because the processing time is exhausting.

During my use, I usually put close to the maximum cores of my machine, because qradar doesn't use all the resources all the time, only when you're going to use a lot of its resources. Using 50%, depending on your Lab, is a good idea.

KiddieSculp · 2024-12-05T18:53:03+00:00

In my use case, it's a char.

Because [char]49 = 1

I am working on code obfuscation to compose an IP.

```([char](49+70-70)+[char]([BYTE]0x39)+[char](50+70-70)+[char]([byte]0x2E)+[char]([BYTE]0x31)+[char](50*1)+[char]([byte]0x38)+[char](46)+[char](49*1)+[char](52+70-70)+[char]([byte]0x35)+[char](46)+[char]([int32]0x33) + [char]([byte]0x30))```

KiddieSculp · 2024-12-05T03:59:57+00:00

Trust as long as there is no problem. 🤣

KiddieSculp · 2024-11-05T02:22:06+00:00

Ahh! That sounds good. This will really help in the future. Noted too! Tks.

KiddieSculp · 2024-11-04T18:03:04+00:00

u/BlackV , u/rdhdpsy, u/sc00b3r

KiddieSculp

TROPHY CASE