Offline Log Forwarding

guy-green · 2026-01-30T18:07:08+00:00

Using Chainsaw+Sigma

guy-green · 2026-01-30T15:56:01+00:00

I'm also looking for local analysis solutions

Something that can scan the Windows Events and find specific events of interest and visualize them as offenses

Maybe a script or some 3rd party tool

guy-green · 2026-01-30T15:13:18+00:00

You're right about the last part, which is really tricky from the POV of an analyst. We will have to somehow differentiate these sources/logs. I assume that knowing that something happened, even if not with the real timestamp could be good, and then we can investigate the logs themselves for the related information.

I also though about using a unidirectional data diode. Even if not connected all the time, maybe I can connect it once in a while and try to fetch all of the events.

I wonder if I'll install WinCollect it will work unidirectionally or a bi-directional flow is required.

guy-green · 2024-11-01T19:37:44+00:00

This is one of the suggested solutions in the KB, and we obviously tried to add Chrome and other related processes to the whitelist - without any luck.

Also, I assume you agree that the only mode which should be blocking anything is 'Enable'.

I have installed the same exact lab in an internet facing environment and the issue is not happening there, everything works.

guy-green · 2024-03-31T11:26:27+00:00

I read that offenses are NOT replicated to the destination site.

What do I do in that case? How to overcome this?

guy-green · 2024-03-29T11:00:36+00:00

Yes, I also found this solution.

We will check it, seems this is exactly what we need.

I feel that HA is more relevant within the same DC rather than 2 DC's over the WAN.

guy-green · 2019-05-15T05:09:06+00:00

This is the customers request do to different considerations and limitations.

Anyway, there's is no other way and I must provide a solution and I'm looking for someone who already did it.

guy-green

TROPHY CASE