One interesting apsect of managing a Security Analytics instance I'm sure most of you all have shared the pain of is Windows event source management. And if any of you are like me, you have a level of impatience that is monumental. I tend to let my impatience feed into some innovation and innovation not shared is a waste.
Through the beauty of Excel concatentation formulas in the right spot, I give you my REST API template (v1).
Enter appropriate data here
- Column A - HTTP/HTTPS
- Is your log collector using encryption or not?
- Column B - Log collector
- Enter your log collector address or IP address here
- Column C - Event source category
- Enter your event source category name here (If you don't have it handy.... just wait.... I got a column for that)
- Column D - Event source address
- Enter the IP address of the desired server
- Column E
- It's hidden.
- Formula magic goes on here and it's not really needed to enter data (that comes from column D)
Get your formulated data here
- Column G - General event source category query
- Once you have the above columns populated accordingly, this column will create the general query to get the event source categories
- Column H - Query if event source is there
- This will tell you if the desired event source is there
- Column I - Delete event source
- Just like it says
- If the above values are correct, the result will show "Success"
- If it's not correct, it could show a value like this:
- caught exception while deleting windows type configuration: The node "x_x_x_x" is not a child of /logcollection/windows/eventsources/$event_source_category
- Authenticate to your log collector via REST API first
- Bash script - curl -k -u admin:$password "$value_from_formulated_data"
- Web browser - Open up tab to https://$log_collector_address:50101 and authenticate
- Populate column A through D accordingly (if you don't know the value for column C, populate as much as possible and get the resulting value from column G and use that to start to form your query. Take that data and populate column C accordingly)
- Copy the contents of column G into script or browser window to obtain your event source categories
- Or, copy the contents of column H (query) or column I (delete) as needed
I do plan on sharing (once all is said and done) some Python scripts I've been working on to obtain desired data (logstats, Warehouse connector behind numbers all in one shot, decoder stats, Broker/Concentrators consumption status in one shot, etc)
Due to some quick testing and formula sanitization from my original copy, there was a small typo in two formulas. v2 is working better. I even attached my query template.
- Populate IP's in column A
- Take the value generated in column E, paste into a notepad window trim away excess unneeded. (I've noticed you can query in Investigation a maximum 50 IP's in one big query)