Home - JCSC-JE/Graylog-IR GitHub Wiki
Welcome to the Graylog-IR Project
The aim of this project is to help small national CSIRTs automate incident-response triage. It shows you how to build a Graylog system that ingests and analyses the log types listed below, with the goal of speeding up initial triage. The system currently supports the following log sources:
- Windows EVTX files
- CSV files
- JSON files
- Sysmon events
- IIS 8.5 logs
Prerequisites
You must have configured Windows to log events correctly on your Windows systems; otherwise very few useful events will be available after ingestion.
For guidance on which events to enable, see the following GitHub repositories:
Yamato Security: Enable Windows Logging for DFIR
Australian Signals Directorate: Windows Event Logging Technical Guidance
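Before exporting EVTX files for ingestion it is worth confirming on each host that the channels you care about are actually enabled, large enough not to have rolled over, and that Security auditing is switched on. The following PowerShell check is an added example, not part of the Graylog-IR project or of the guides above; the channel list and the 64 MB minimum size are assumptions chosen for illustration, not requirements of the project.

```powershell
# Added example (not Graylog-IR project code): verify that the Windows event
# channels a triage pipeline typically relies on are present, enabled and
# sized sensibly, then list audit subcategories still set to "No Auditing".
# The channel list and the 64 MB threshold are assumptions for illustration.
$RequiredChannels = @(
    'Security',
    'System',
    'Application',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-Windows Defender/Operational'
)
$MinSizeBytes = 64MB

foreach ($name in $RequiredChannels) {
    # -ListLog returns metadata only; a missing channel yields $null here.
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "$name : channel not present (provider not installed?)"
        continue
    }
    $status = if ($log.IsEnabled) { 'enabled' } else { 'DISABLED' }
    $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    $flag   = ''
    if (-not $log.IsEnabled -or $log.MaximumSizeInBytes -lt $MinSizeBytes) {
        $flag = '  <-- fix before collecting'
    }
    '{0,-50} {1,-9} {2,5} MB  {3} records{4}' -f $name, $status, $sizeMB, $log.RecordCount, $flag
}

# Whether the Security channel receives logon, process and object-access
# events is governed by audit policy, not by the channel settings above.
# auditpol's /r switch emits CSV, so the output can be filtered in-pipeline.
auditpol /get /category:* /r |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting'
```

Run it from an elevated prompt (auditpol requires administrator rights). Any channel flagged as disabled or undersized, and any subcategory listed in the second part, should be fixed using the ASD or Yamato Security guidance before the EVTX files are exported; otherwise the gaps will simply be reproduced in Graylog.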
Getting Started
Download this repository to your local machine:
git clone https://github.com/JCSC-JE/Graylog-IR.git
Installation
For details on installation, see the wiki Installation page. A VM can also be provided on request; contact the JCSC.
Architecture
For details on architecture, see the Architecture page.
Dashboards
Below is an example of the dashboards available; more will be added in July 2024.
Credit
This work would not be possible without the work of others. Their work is credited where it is used; the contributors and their projects are listed below:
SwiftOnSecurity
Sysmon-Config - Crowd-sourced Sysmon configuration file template for high-quality event tracing
https://github.com/SwiftOnSecurity/sysmon-config