Core|Threat Syslog Server. Collect, parse and analyze security logs. Use the Core|Threat Agent to collect logs from your Windows endpoints.
run ip:port - Run the server (default mode), listening on the given IP and port
debug - Run the server in debug mode
debug <filter> - Run the server in debug mode with a regex filter applied to each log line, for example: debug .*lsass.* or debug .*event.id.3.* or debug .*event.id.1.*
- Runs the listener and collects logs
- Uses rules to identify threats
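As an added illustration of what the `debug <filter>` regex does when applied line by line (example code written for this page, not the project's own; the log line format is a constructed assumption, since the real format is not shown here):

```python
import re

# Constructed sample lines in a plausible Sysmon-over-syslog shape; the
# project's real line format is not shown on the page, so this is an assumption.
SAMPLE_LOG = [
    "Jan 01 12:00:01 WIN10CLIENT sysmon event.id.1 image=C:\\Windows\\System32\\cmd.exe",
    "Jan 01 12:00:02 WIN10CLIENT sysmon event.id.3 image=C:\\Windows\\System32\\svchost.exe dst=10.10.10.101:445",
    "Jan 01 12:00:03 WIN10CLIENT sysmon event.id.10 source=C:\\tools\\dump.exe target=C:\\Windows\\System32\\lsass.exe",
    "Jan 01 12:00:04 WIN10CLIENT sysmon event.id.30 image=C:\\Windows\\explorer.exe",
]


def debug_filter(lines, pattern):
    """Keep only the lines the regex matches, the way `debug <filter>` narrows output."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in lines if rx.search(line)]


def event_id_counts(lines):
    """Count lines per Sysmon event id, anchoring the id so that 3 and 30 stay separate."""
    rx = re.compile(r"event\.id\.(\d+)(?!\d)")
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    # The page's loose pattern: `.` matches any separator and `3` is unanchored,
    # so `.*event.id.3.*` also hits event.id.30.
    for line in debug_filter(SAMPLE_LOG, r".*event.id.3.*"):
        print("loose :", line)
    # Anchored variant that matches event id 3 only.
    for line in debug_filter(SAMPLE_LOG, r"event\.id\.3(?!\d)"):
        print("strict:", line)
    print(event_id_counts(SAMPLE_LOG))
```

The loose pattern from the page is fine for a quick look, but when you count or alert on a specific event id, anchor the number so that event.id.3 is not conflated with event.id.30.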
Sysmon only captures established network connections. To monitor connection attempts that never complete as well, start tcpdump on the analysis host and filter for SYN packets to or from the VM:
tcpdump -i any -nn "tcp[tcpflags] & (tcp-syn) == tcp-syn and host 10.10.10.101"
Restore snapshot
VBoxManage.exe snapshot "WIN10CLIENT-MalwareAnalyse" restore "Analyse01"
Power off the VM
VBoxManage.exe controlvm WIN10CLIENT-MalwareAnalyse poweroff
Power on the VM
VBoxManage.exe startvm WIN10CLIENT-MalwareAnalyse
Follow the server log and show only the human-readable entries
tail -f corethreat_server.log | grep HUMANLOG