Analyzing Historical ETW and Windows Event Logs with Wazuh for Digital Forensics#

Introduction#

Digital forensics and incident response often require analyzing historical log data from compromised systems. While Wazuh excels at real-time monitoring, forensic investigations frequently involve analyzing archived Windows Event Logs (EVTX files) and ETW traces collected from previously compromised systems.

This comprehensive guide provides production-ready methods to:

📂 Process Historical EVTX Files: Import and analyze archived Windows Event Logs
🔍 ETW Trace Analysis: Extract insights from historical ETW traces
🕵️ IOC Detection: Identify indicators of compromise in historical data
⏰ Timeline Reconstruction: Build attack timelines from log artifacts
📊 Forensic Reporting: Generate comprehensive incident reports
🔄 Integration Workflows: Seamlessly incorporate into existing DFIR processes

Understanding Historical Log Analysis Challenges#

Traditional SIEM Limitations#

1
flowchart TB
2
    subgraph "Traditional SIEM Challenges"
3
        C1[Real-time Focus]
4
        C2[Live Data Streams]
5
        C3[No Historical Import]
6
        C4[Limited Offline Analysis]
7
    end
8

9
    subgraph "Forensic Requirements"
10
        F1[Archived EVTX Files]
11
        F2[ETW Trace Files]
12
        F3[Offline Analysis]
13
        F4[IOC Detection]
14
        F5[Timeline Reconstruction]
15
    end
16

17
    subgraph "Wazuh Forensic Solution"
18
        S1[EVTX Processing Pipeline]
19
        S2[ETW Conversion Tools]
20
        S3[Custom Decoders/Rules]
21
        S4[Historical Import Workflows]
22
        S5[Forensic Dashboards]
23
    end
24

25
    C1 -.->|Challenge| F3
26
    C2 -.->|Challenge| F1
27
    C3 -.->|Challenge| F2
28
    C4 -.->|Challenge| F4
29

30
    F1 --> S1
31
    F2 --> S2
32
    F3 --> S3
33
    F4 --> S4
34
    F5 --> S5
35

36
    style C1 fill:#ff6b6b
37
    style S1 fill:#51cf66
38
    style F4 fill:#4dabf7

Key Challenges#

Challenge	Impact	Solution
File Format Compatibility	EVTX not natively supported	Conversion to supported formats
Volume Processing	Large historical datasets	Parallel processing pipelines
Context Preservation	Loss of temporal relationships	Timeline-aware analysis
IOC Detection	Manual correlation required	Automated rule-based detection
Reporting	Fragmented evidence	Unified forensic dashboards

Architecture Overview#

Complete Forensic Analysis Pipeline#

1
flowchart TB
2
    subgraph "Forensic Evidence Sources"
3
        E1[EVTX Files]
4
        E2[ETL Traces]
5
        E3[System Artifacts]
6
        E4[Memory Dumps]
7
    end
8

9
    subgraph "Processing Layer"
10
        P1[Chainsaw Processor]
11
        P2[ETW Converters]
12
        P3[Timeline Builders]
13
        P4[Format Normalizers]
14
    end
15

16
    subgraph "Wazuh Integration"
17
        W1[Historical Ingestion]
18
        W2[Custom Decoders]
19
        W3[Forensic Rules]
20
        W4[IOC Detection]
21
    end
22

23
    subgraph "Analysis & Output"
24
        O1[Forensic Dashboard]
25
        O2[Timeline Reports]
26
        O3[IOC Reports]
27
        O4[Evidence Packages]
28
    end
29

30
    E1 --> P1
31
    E2 --> P2
32
    E3 --> P3
33
    E4 --> P3
34

35
    P1 --> W1
36
    P2 --> W1
37
    P3 --> W1
38
    P4 --> W1
39

40
    W1 --> W2
41
    W2 --> W3
42
    W3 --> W4
43

44
    W4 --> O1
45
    W4 --> O2
46
    W4 --> O3
47
    W4 --> O4
48

49
    style P1 fill:#ff6b6b
50
    style W3 fill:#51cf66
51
    style O1 fill:#4dabf7

Method 1: EVTX Analysis with Chainsaw Integration#

Phase 1: Chainsaw Installation and Configuration#

Chainsaw is a powerful tool for EVTX analysis that can output in formats compatible with Wazuh.

Installation:

1
# Download latest Chainsaw release
2
$version = "v2.7.0"
3
$url = "https://github.com/WithSecureLabs/chainsaw/releases/download/$version/chainsaw_x86_64-pc-windows-msvc.exe"
4
Invoke-WebRequest -Uri $url -OutFile "C:\Tools\chainsaw.exe"
5

6
# Download Sigma rules for detection
7
git clone https://github.com/SigmaHQ/sigma.git C:\Tools\sigma-rules
8

9
# Download EVTX samples for testing
10
git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git C:\Tools\evtx-samples

Linux Installation:

1
# Download Chainsaw for Linux
2
wget https://github.com/WithSecureLabs/chainsaw/releases/download/v2.7.0/chainsaw_x86_64-unknown-linux-gnu -O /usr/local/bin/chainsaw
3
chmod +x /usr/local/bin/chainsaw
4

5
# Download Sigma rules
6
git clone https://github.com/SigmaHQ/sigma.git /opt/sigma-rules
7

8
# Download EVTX samples
9
git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git /opt/evtx-samples

Phase 2: Advanced Chainsaw Analysis Pipeline#

Comprehensive EVTX Analysis Script:

1
#!/usr/bin/env python3
2
# evtx_forensic_analyzer.py - Advanced EVTX analysis for Wazuh integration
3

4
import json
5
import subprocess
6
import os
7
import argparse
8
import logging
9
from datetime import datetime
10
from pathlib import Path
11
from concurrent.futures import ThreadPoolExecutor
12
import csv
13

14
class EVTXForensicAnalyzer:
15
    def __init__(self, chainsaw_path, sigma_rules_path, output_dir):
16
        self.chainsaw_path = chainsaw_path
17
        self.sigma_rules_path = sigma_rules_path
18
        self.output_dir = Path(output_dir)
19
        self.setup_logging()
20

21
        # Ensure output directory exists
22
        self.output_dir.mkdir(parents=True, exist_ok=True)
23

24
    def setup_logging(self):
25
        """Setup logging configuration"""
26
        logging.basicConfig(
27
            level=logging.INFO,
28
            format='%(asctime)s - %(levelname)s - %(message)s',
29
            handlers=[
30
                logging.FileHandler(self.output_dir / 'forensic_analysis.log'),
31
                logging.StreamHandler()
32
            ]
33
        )
34
        self.logger = logging.getLogger(__name__)
35

36
    def run_chainsaw_analysis(self, evtx_path, analysis_type="hunt"):
37
        """Run Chainsaw analysis on EVTX files"""
38

39
        evtx_file = Path(evtx_path)
40
        if not evtx_file.exists():
41
            self.logger.error(f"EVTX file not found: {evtx_path}")
42
            return None
43

44
        # Prepare output file
45
        output_file = self.output_dir / f"{evtx_file.stem}_{analysis_type}.json"
46

47
        try:
48
            if analysis_type == "hunt":
49
                # Hunt for suspicious activities using Sigma rules
50
                cmd = [
51
                    self.chainsaw_path, "hunt",
52
                    str(evtx_file),
53
                    "--rules", self.sigma_rules_path,
54
                    "--json",
55
                    "--output", str(output_file)
56
                ]
57

58
            elif analysis_type == "search":
59
                # Search for specific IOCs
60
                cmd = [
61
                    self.chainsaw_path, "search",
62
                    str(evtx_file),
63
                    "--json",
64
                    "--output", str(output_file)
65
                ]
66

67
            elif analysis_type == "dump":
68
                # Dump all events in structured format
69
                cmd = [
70
                    self.chainsaw_path, "dump",
71
                    str(evtx_file),
72
                    "--json",
73
                    "--output", str(output_file)
74
                ]
75

76
            self.logger.info(f"Running Chainsaw {analysis_type} analysis on {evtx_file.name}")
77

78
            result = subprocess.run(
79
                cmd,
80
                capture_output=True,
81
                text=True,
82
                timeout=3600  # 1 hour timeout
83
            )
84

85
            if result.returncode == 0:
86
                self.logger.info(f"Successfully completed {analysis_type} analysis: {output_file}")
87
                return output_file
88
            else:
89
                self.logger.error(f"Chainsaw failed: {result.stderr}")
90
                return None
91

92
        except subprocess.TimeoutExpired:
93
            self.logger.error(f"Chainsaw analysis timed out for {evtx_file.name}")
94
            return None
95
        except Exception as e:
96
            self.logger.error(f"Error running Chainsaw analysis: {str(e)}")
97
            return None
98

99
    def convert_to_wazuh_format(self, chainsaw_output_file):
100
        """Convert Chainsaw output to Wazuh-compatible format"""
101

102
        if not chainsaw_output_file or not Path(chainsaw_output_file).exists():
103
            return None
104

105
        wazuh_output_file = chainsaw_output_file.with_suffix('.wazuh.json')
106

107
        try:
108
            with open(chainsaw_output_file, 'r', encoding='utf-8') as infile, \
109
                 open(wazuh_output_file, 'w', encoding='utf-8') as outfile:
110

111
                for line in infile:
112
                    try:
113
                        chainsaw_event = json.loads(line.strip())
114
                        wazuh_event = self.transform_chainsaw_event(chainsaw_event)
115

116
                        if wazuh_event:
117
                            json.dump(wazuh_event, outfile, separators=(',', ':'))
118
                            outfile.write('\n')
119

120
                    except json.JSONDecodeError:
121
                        continue
122
                    except Exception as e:
123
                        self.logger.warning(f"Error transforming event: {str(e)}")
124
                        continue
125

126
            self.logger.info(f"Converted to Wazuh format: {wazuh_output_file}")
127
            return wazuh_output_file
128

129
        except Exception as e:
130
            self.logger.error(f"Error converting to Wazuh format: {str(e)}")
131
            return None
132

133
    def transform_chainsaw_event(self, chainsaw_event):
134
        """Transform Chainsaw event to Wazuh format"""
135

136
        try:
137
            # Base Wazuh event structure
138
            wazuh_event = {
139
                "timestamp": datetime.now().isoformat(),
140
                "agent": {
141
                    "name": "forensic-analysis",
142
                    "id": "000"
143
                },
144
                "manager": {
145
                    "name": "wazuh-manager"
146
                },
147
                "rule": {},
148
                "data": {}
149
            }
150

151
            # Extract Chainsaw detection information
152
            if "detections" in chainsaw_event:
153
                detection = chainsaw_event["detections"][0] if chainsaw_event["detections"] else {}
154

155
                wazuh_event["rule"] = {
156
                    "description": detection.get("title", "Chainsaw Detection"),
157
                    "level": self.map_severity_to_level(detection.get("level", "medium")),
158
                    "id": detection.get("id", "100000"),
159
                    "groups": ["chainsaw", "forensic", detection.get("status", "")]
160
                }
161

162
                # Add MITRE ATT&CK information
163
                if "tags" in detection:
164
                    attack_tags = [tag for tag in detection["tags"] if tag.startswith("attack.")]
165
                    if attack_tags:
166
                        wazuh_event["rule"]["mitre"] = {
167
                            "tactic": [tag.replace("attack.", "") for tag in attack_tags]
168
                        }
169

170
            # Extract Windows event data
171
            if "Event" in chainsaw_event:
172
                event_data = chainsaw_event["Event"]
173

174
                wazuh_event["data"]["win"] = {
175
                    "eventdata": {},
176
                    "system": {}
177
                }
178

179
                # System information
180
                if "System" in event_data:
181
                    system = event_data["System"]
182
                    wazuh_event["data"]["win"]["system"] = {
183
                        "eventID": str(system.get("EventID", "")),
184
                        "computer": system.get("Computer", ""),
185
                        "channel": system.get("Channel", ""),
186
                        "level": system.get("Level", ""),
187
                        "processID": str(system.get("Execution", {}).get("ProcessID", "")),
188
                        "threadID": str(system.get("Execution", {}).get("ThreadID", "")),
189
                        "providerName": system.get("Provider", {}).get("Name", "")
190
                    }
191

192
                    # Preserve original timestamp
193
                    if "TimeCreated" in system:
194
                        wazuh_event["timestamp"] = system["TimeCreated"].get("SystemTime", "")
195

196
                # Event data
197
                if "EventData" in event_data:
198
                    event_data_dict = event_data["EventData"]
199
                    if isinstance(event_data_dict, dict):
200
                        wazuh_event["data"]["win"]["eventdata"] = event_data_dict
201

202
            # Add forensic metadata
203
            wazuh_event["data"]["forensic"] = {
204
                "analysis_tool": "chainsaw",
205
                "analysis_time": datetime.now().isoformat(),
206
                "original_source": chainsaw_event.get("source", "unknown")
207
            }
208

209
            return wazuh_event
210

211
        except Exception as e:
212
            self.logger.error(f"Error transforming event: {str(e)}")
213
            return None
214

215
    def map_severity_to_level(self, chainsaw_level):
216
        """Map Chainsaw severity to Wazuh level"""
217
        mapping = {
218
            "low": 3,
219
            "medium": 6,
220
            "high": 9,
221
            "critical": 12
222
        }
223
        return mapping.get(chainsaw_level.lower(), 6)
224

225
    def process_multiple_evtx_files(self, evtx_directory, max_workers=4):
226
        """Process multiple EVTX files in parallel"""
227

228
        evtx_files = list(Path(evtx_directory).glob("*.evtx"))
229

230
        if not evtx_files:
231
            self.logger.warning(f"No EVTX files found in {evtx_directory}")
232
            return []
233

234
        self.logger.info(f"Processing {len(evtx_files)} EVTX files")
235

236
        results = []
237
        with ThreadPoolExecutor(max_workers=max_workers) as executor:
238
            futures = []
239

240
            for evtx_file in evtx_files:
241
                # Submit multiple analysis types
242
                for analysis_type in ["hunt", "dump"]:
243
                    future = executor.submit(self.run_chainsaw_analysis, str(evtx_file), analysis_type)
244
                    futures.append((future, evtx_file, analysis_type))
245

246
            # Collect results
247
            for future, evtx_file, analysis_type in futures:
248
                try:
249
                    result = future.result(timeout=3600)
250
                    if result:
251
                        # Convert to Wazuh format
252
                        wazuh_file = self.convert_to_wazuh_format(result)
253
                        if wazuh_file:
254
                            results.append({
255
                                "evtx_file": str(evtx_file),
256
                                "analysis_type": analysis_type,
257
                                "wazuh_output": str(wazuh_file)
258
                            })
259
                except Exception as e:
260
                    self.logger.error(f"Error processing {evtx_file} ({analysis_type}): {str(e)}")
261

262
        return results
263

264
    def generate_forensic_summary(self, results):
265
        """Generate forensic analysis summary"""
266

267
        summary = {
268
            "analysis_timestamp": datetime.now().isoformat(),
269
            "total_files_processed": len(set(r["evtx_file"] for r in results)),
270
            "analysis_types": list(set(r["analysis_type"] for r in results)),
271
            "output_files": len(results),
272
            "key_findings": [],
273
            "recommendations": []
274
        }
275

276
        # Analyze results for key findings
277
        for result in results:
278
            if result["analysis_type"] == "hunt":
279
                # Count detections in hunt results
280
                try:
281
                    with open(result["wazuh_output"], 'r') as f:
282
                        detection_count = sum(1 for line in f)
283

284
                    if detection_count > 0:
285
                        summary["key_findings"].append({
286
                            "file": Path(result["evtx_file"]).name,
287
                            "detections": detection_count,
288
                            "type": "sigma_detections"
289
                        })
290

291
                except Exception:
292
                    pass
293

294
        # Add recommendations
295
        if summary["key_findings"]:
296
            summary["recommendations"].extend([
297
                "Review high-severity detections first",
298
                "Correlate findings with timeline analysis",
299
                "Investigate process execution chains",
300
                "Check for lateral movement indicators"
301
            ])
302

303
        # Save summary
304
        summary_file = self.output_dir / "forensic_summary.json"
305
        with open(summary_file, 'w') as f:
306
            json.dump(summary, f, indent=2)
307

308
        self.logger.info(f"Forensic summary saved: {summary_file}")
309
        return summary
310

311
def main():
312
    parser = argparse.ArgumentParser(description="EVTX Forensic Analyzer for Wazuh")
313
    parser.add_argument("--evtx-dir", required=True, help="Directory containing EVTX files")
314
    parser.add_argument("--chainsaw", default="chainsaw", help="Path to Chainsaw executable")
315
    parser.add_argument("--sigma-rules", default="/opt/sigma-rules", help="Path to Sigma rules directory")
316
    parser.add_argument("--output", default="./forensic_output", help="Output directory")
317
    parser.add_argument("--workers", type=int, default=4, help="Number of parallel workers")
318

319
    args = parser.parse_args()
320

321
    analyzer = EVTXForensicAnalyzer(
322
        chainsaw_path=args.chainsaw,
323
        sigma_rules_path=args.sigma_rules,
324
        output_dir=args.output
325
    )
326

327
    # Process all EVTX files
328
    results = analyzer.process_multiple_evtx_files(args.evtx_dir, args.workers)
329

330
    # Generate summary
331
    summary = analyzer.generate_forensic_summary(results)
332

333
    print(f"\nForensic Analysis Complete!")
334
    print(f"Files processed: {summary['total_files_processed']}")
335
    print(f"Output files: {summary['output_files']}")
336
    print(f"Key findings: {len(summary['key_findings'])}")
337

338
if __name__ == "__main__":
339
    main()

Phase 3: Wazuh Integration Configuration#

Forensic Log Collection Configuration:

1
<!-- /var/ossec/etc/ossec.conf on Wazuh Manager -->
2
<ossec_config>
3
  <!-- Monitor forensic analysis output -->
4
  <localfile>
5
    <location>/var/forensic/chainsaw/*.wazuh.json</location>
6
    <log_format>json</log_format>
7
  </localfile>
8

9
  <!-- Monitor forensic summaries -->
10
  <localfile>
11
    <location>/var/forensic/summaries/*.json</location>
12
    <log_format>json</log_format>
13
  </localfile>
14
</ossec_config>

Advanced Forensic Decoders:

1
<!-- Chainsaw Forensic Decoder -->
2
<decoder name="chainsaw-forensic">
3
  <prematch>"analysis_tool":"chainsaw"</prematch>
4
</decoder>
5

6
<decoder name="chainsaw-detection">
7
  <parent>chainsaw-forensic</parent>
8
  <regex>"title":"([^"]+)".*"level":"([^"]+)"</regex>
9
  <order>detection_title, severity_level</order>
10
</decoder>
11

12
<!-- Windows Forensic Event Decoder -->
13
<decoder name="windows-forensic-event">
14
  <parent>chainsaw-forensic</parent>
15
  <regex>"eventID":"(\d+)".*"computer":"([^"]+)"</regex>
16
  <order>event_id, computer_name</order>
17
</decoder>
18

19
<!-- MITRE ATT&CK Decoder -->
20
<decoder name="mitre-attack">
21
  <parent>chainsaw-forensic</parent>
22
  <regex>"tactic":\["([^"]+)"\]</regex>
23
  <order>mitre_tactic</order>
24
</decoder>
25

26
<!-- Process Activity Decoder -->
27
<decoder name="process-activity">
28
  <parent>chainsaw-forensic</parent>
29
  <regex>"ProcessName":"([^"]+)".*"CommandLine":"([^"]+)"</regex>
30
  <order>process_name, command_line</order>
31
</decoder>
32

33
<!-- Network Activity Decoder -->
34
<decoder name="network-forensic">
35
  <parent>chainsaw-forensic</parent>
36
  <regex>"DestinationIp":"([^"]+)".*"DestinationPort":"([^"]+)"</regex>
37
  <order>dest_ip, dest_port</order>
38
</decoder>
39

40
<!-- Authentication Events Decoder -->
41
<decoder name="auth-forensic">
42
  <parent>chainsaw-forensic</parent>
43
  <regex>"TargetUserName":"([^"]+)".*"LogonType":"([^"]+)"</regex>
44
  <order>target_user, logon_type</order>
45
</decoder>

Comprehensive Forensic Detection Rules:

1
<group name="forensic,chainsaw,">
2
  <!-- Base Forensic Rules -->
3
  <rule id="300000" level="0">
4
    <decoded_as>chainsaw-forensic</decoded_as>
5
    <description>Chainsaw forensic analysis events</description>
6
    <group>forensic,</group>
7
  </rule>
8

9
  <!-- High-Severity Detections -->
10
  <rule id="300001" level="12">
11
    <if_sid>300000</if_sid>
12
    <field name="severity_level">high|critical</field>
13
    <description>High-severity forensic detection: $(detection_title)</description>
14
    <group>high_severity,critical_finding,</group>
15
  </rule>
16

17
  <!-- MITRE ATT&CK Techniques -->
18
  <rule id="300010" level="8">
19
    <if_sid>300000</if_sid>
20
    <field name="mitre_tactic">execution|persistence|privilege_escalation</field>
21
    <description>MITRE ATT&CK technique detected: $(mitre_tactic) - $(detection_title)</description>
22
    <group>mitre_attack,$(mitre_tactic),</group>
23
  </rule>
24

25
  <!-- Process Execution Analysis -->
26
  <rule id="300020" level="6">
27
    <if_sid>300000</if_sid>
28
    <field name="process_name">powershell.exe|cmd.exe|rundll32.exe</field>
29
    <description>Suspicious process execution: $(process_name)</description>
30
    <group>process_execution,suspicious_process,</group>
31
  </rule>
32

33
  <rule id="300021" level="9">
34
    <if_sid>300020</if_sid>
35
    <field name="command_line" type="pcre2">-enc|-encoded|bypass|unrestricted|downloadstring</field>
36
    <description>Malicious PowerShell execution: $(command_line)</description>
37
    <group>powershell_attack,malicious_command,</group>
38
  </rule>
39

40
  <!-- Authentication Analysis -->
41
  <rule id="300030" level="5">
42
    <if_sid>300000</if_sid>
43
    <field name="event_id">4624</field>
44
    <description>Successful logon: $(target_user) - Type $(logon_type)</description>
45
    <group>authentication,successful_logon,</group>
46
  </rule>
47

48
  <rule id="300031" level="8">
49
    <if_sid>300000</if_sid>
50
    <field name="event_id">4625</field>
51
    <description>Failed logon attempt: $(target_user)</description>
52
    <group>authentication,failed_logon,</group>
53
  </rule>
54

55
  <rule id="300032" level="10" frequency="5" timeframe="300">
56
    <if_sid>300031</if_sid>
57
    <same_field>target_user</same_field>
58
    <description>Multiple failed logon attempts: $(target_user)</description>
59
    <group>brute_force,authentication_attack,</group>
60
  </rule>
61

62
  <!-- Network Connection Analysis -->
63
  <rule id="300040" level="4">
64
    <if_sid>300000</if_sid>
65
    <field name="event_id">5156</field>
66
    <description>Network connection allowed: $(dest_ip):$(dest_port)</description>
67
    <group>network_connection,allowed_connection,</group>
68
  </rule>
69

70
  <rule id="300041" level="7">
71
    <if_sid>300040</if_sid>
72
    <field name="dest_port">22|23|135|139|445|3389</field>
73
    <description>Connection to administrative port: $(dest_ip):$(dest_port)</description>
74
    <group>admin_port,lateral_movement,</group>
75
  </rule>
76

77
  <!-- File System Activity -->
78
  <rule id="300050" level="4">
79
    <if_sid>300000</if_sid>
80
    <field name="event_id">4656|4658|4663</field>
81
    <description>File system access: $(process_name)</description>
82
    <group>file_access,</group>
83
  </rule>
84

85
  <rule id="300051" level="8">
86
    <if_sid>300050</if_sid>
87
    <match>\.exe|\.dll|\.bat|\.ps1|\.vbs</match>
88
    <description>Executable file access: $(process_name)</description>
89
    <group>executable_access,potential_malware,</group>
90
  </rule>
91

92
  <!-- Registry Modification -->
93
  <rule id="300060" level="6">
94
    <if_sid>300000</if_sid>
95
    <field name="event_id">4657</field>
96
    <description>Registry value modified</description>
97
    <group>registry_modification,</group>
98
  </rule>
99

100
  <rule id="300061" level="9">
101
    <if_sid>300060</if_sid>
102
    <match>\\Run\\|\\RunOnce\\|\\Image File Execution Options\\</match>
103
    <description>Critical registry key modified: persistence mechanism</description>
104
    <group>persistence,registry_persistence,</group>
105
  </rule>
106

107
  <!-- Correlation Rules -->
108
  <rule id="300100" level="12">
109
    <if_matched_sid>300021</if_matched_sid>
110
    <if_matched_sid>300041</if_matched_sid>
111
    <same_field>computer_name</same_field>
112
    <timeframe>600</timeframe>
113
    <description>Malicious PowerShell followed by network connection</description>
114
    <group>correlation,multi_stage_attack,</group>
115
  </rule>
116

117
  <rule id="300101" level="13">
118
    <if_matched_sid>300032</if_matched_sid>
119
    <if_matched_sid>300030</if_matched_sid>
120
    <same_field>target_user</same_field>
121
    <timeframe>300</timeframe>
122
    <description>Successful logon after multiple failed attempts</description>
123
    <group>correlation,successful_brute_force,</group>
124
  </rule>
125

126
  <!-- Timeline Analysis -->
127
  <rule id="300200" level="0">
128
    <if_sid>300000</if_sid>
129
    <description>Timeline event: $(detection_title) at $(timestamp)</description>
130
    <group>timeline,forensic_timeline,</group>
131
  </rule>
132
</group>

Method 2: ETW Trace Analysis#

Phase 1: ETW Trace Processing#

ETW Forensic Processor:

1
#!/usr/bin/env python3
2
# etw_forensic_processor.py - Process historical ETW traces
3

4
import json
5
import subprocess
6
import xml.etree.ElementTree as ET
7
from pathlib import Path
8
import logging
9
from datetime import datetime
10

11
class ETWForensicProcessor:
12
    def __init__(self, output_dir):
13
        self.output_dir = Path(output_dir)
14
        self.output_dir.mkdir(parents=True, exist_ok=True)
15
        self.setup_logging()
16

17
    def setup_logging(self):
18
        """Setup logging configuration"""
19
        logging.basicConfig(
20
            level=logging.INFO,
21
            format='%(asctime)s - %(levelname)s - %(message)s',
22
            handlers=[
23
                logging.FileHandler(self.output_dir / 'etw_forensic.log'),
24
                logging.StreamHandler()
25
            ]
26
        )
27
        self.logger = logging.getLogger(__name__)
28

29
    def process_etl_file(self, etl_file_path):
30
        """Process ETL file and convert to Wazuh format"""
31

32
        etl_path = Path(etl_file_path)
33
        if not etl_path.exists():
34
            self.logger.error(f"ETL file not found: {etl_file_path}")
35
            return None
36

37
        # Convert ETL to XML using tracerpt
38
        xml_output = self.output_dir / f"{etl_path.stem}.xml"
39
        csv_output = self.output_dir / f"{etl_path.stem}.csv"
40

41
        try:
42
            # Run tracerpt to convert ETL to XML and CSV
43
            cmd = [
44
                "tracerpt", str(etl_path),
45
                "-o", str(xml_output),
46
                "-of", "XML",
47
                "-report", str(csv_output),
48
                "-summary", str(self.output_dir / f"{etl_path.stem}_summary.txt")
49
            ]
50

51
            result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)
52

53
            if result.returncode == 0:
54
                self.logger.info(f"Successfully converted {etl_path.name} to XML")
55
                return self.parse_etw_xml(xml_output)
56
            else:
57
                self.logger.error(f"tracerpt failed: {result.stderr}")
58
                return None
59

60
        except subprocess.TimeoutExpired:
61
            self.logger.error(f"ETL processing timed out: {etl_path.name}")
62
            return None
63
        except Exception as e:
64
            self.logger.error(f"Error processing ETL file: {str(e)}")
65
            return None
66

67
    def parse_etw_xml(self, xml_file_path):
68
        """Parse ETW XML and convert to Wazuh events"""
69

70
        wazuh_events = []
71

72
        try:
73
            tree = ET.parse(xml_file_path)
74
            root = tree.getroot()
75

76
            for event in root.findall('.//Event'):
77
                wazuh_event = self.convert_etw_event_to_wazuh(event)
78
                if wazuh_event:
79
                    wazuh_events.append(wazuh_event)
80

81
            # Save Wazuh events
82
            wazuh_output = xml_file_path.with_suffix('.wazuh.json')
83
            with open(wazuh_output, 'w') as f:
84
                for event in wazuh_events:
85
                    json.dump(event, f, separators=(',', ':'))
86
                    f.write('\n')
87

88
            self.logger.info(f"Converted {len(wazuh_events)} ETW events to Wazuh format")
89
            return wazuh_output
90

91
        except Exception as e:
92
            self.logger.error(f"Error parsing ETW XML: {str(e)}")
93
            return None
94

95
    def convert_etw_event_to_wazuh(self, etw_event):
96
        """Convert ETW event to Wazuh format"""
97

98
        try:
99
            # Base Wazuh event structure
100
            wazuh_event = {
101
                "timestamp": datetime.now().isoformat(),
102
                "agent": {"name": "etw-forensic", "id": "000"},
103
                "data": {"etw": {}}
104
            }
105

106
            # Extract system information
107
            system = etw_event.find('.//System')
108
            if system is not None:
109
                provider = system.find('.//Provider')
110
                if provider is not None:
111
                    wazuh_event["data"]["etw"]["provider_name"] = provider.get('Name', '')
112
                    wazuh_event["data"]["etw"]["provider_guid"] = provider.get('Guid', '')
113

114
                # Event details
115
                event_id = system.find('.//EventID')
116
                if event_id is not None:
117
                    wazuh_event["data"]["etw"]["event_id"] = event_id.text
118

119
                level = system.find('.//Level')
120
                if level is not None:
121
                    wazuh_event["data"]["etw"]["level"] = level.text
122

123
                # Timestamp
124
                time_created = system.find('.//TimeCreated')
125
                if time_created is not None:
126
                    wazuh_event["timestamp"] = time_created.get('SystemTime', '')
127

128
                # Process information
129
                execution = system.find('.//Execution')
130
                if execution is not None:
131
                    wazuh_event["data"]["etw"]["process_id"] = execution.get('ProcessID', '')
132
                    wazuh_event["data"]["etw"]["thread_id"] = execution.get('ThreadID', '')
133

134
            # Extract event data
135
            event_data = etw_event.find('.//EventData')
136
            if event_data is not None:
137
                data_fields = {}
138
                for data in event_data.findall('.//Data'):
139
                    name = data.get('Name')
140
                    value = data.text
141
                    if name and value:
142
                        data_fields[name] = value
143

144
                if data_fields:
145
                    wazuh_event["data"]["etw"]["event_data"] = data_fields
146

147
            # Add forensic metadata
148
            wazuh_event["data"]["etw"]["forensic_analysis"] = {
149
                "analysis_tool": "tracerpt",
150
                "analysis_time": datetime.now().isoformat(),
151
                "data_source": "etw_trace"
152
            }
153

154
            return wazuh_event
155

156
        except Exception as e:
157
            self.logger.error(f"Error converting ETW event: {str(e)}")
158
            return None
159

160
def main():
161
    import argparse
162

163
    parser = argparse.ArgumentParser(description="ETW Forensic Processor")
164
    parser.add_argument("--etl-file", required=True, help="Path to ETL file")
165
    parser.add_argument("--output", default="./etw_forensic_output", help="Output directory")
166

167
    args = parser.parse_args()
168

169
    processor = ETWForensicProcessor(args.output)
170
    result = processor.process_etl_file(args.etl_file)
171

172
    if result:
173
        print(f"ETW forensic analysis completed: {result}")
174
    else:
175
        print("ETW forensic analysis failed")
176

177
if __name__ == "__main__":
178
    main()

Method 3: Timeline Reconstruction#

Advanced Timeline Analysis#

Timeline Builder:

1
#!/usr/bin/env python3
2
# timeline_builder.py - Build forensic timelines from Wazuh events
3

4
import json
5
import pandas as pd
6
from datetime import datetime, timedelta
7
import plotly.graph_objects as go
8
import plotly.express as px
9
from pathlib import Path
10

11
class ForensicTimelineBuilder:
12
    def __init__(self, wazuh_events_file, output_dir):
13
        self.events_file = Path(wazuh_events_file)
14
        self.output_dir = Path(output_dir)
15
        self.output_dir.mkdir(parents=True, exist_ok=True)
16
        self.events_df = None
17

18
    def load_events(self):
19
        """Load Wazuh forensic events"""
20

21
        events = []
22
        try:
23
            with open(self.events_file, 'r') as f:
24
                for line in f:
25
                    event = json.loads(line.strip())
26
                    events.append(event)
27

28
            self.events_df = pd.DataFrame(events)
29
            self.events_df['timestamp'] = pd.to_datetime(self.events_df['timestamp'])
30

31
            print(f"Loaded {len(events)} forensic events")
32
            return True
33

34
        except Exception as e:
35
            print(f"Error loading events: {str(e)}")
36
            return False
37

38
    def build_attack_timeline(self):
39
        """Build attack timeline with key events"""
40

41
        if self.events_df is None or self.events_df.empty:
42
            print("No events loaded")
43
            return None
44

45
        # Define key event types for timeline
46
        key_events = {
47
            "Authentication": ["successful_logon", "failed_logon", "brute_force"],
48
            "Process Execution": ["process_execution", "powershell_attack"],
49
            "Network Activity": ["network_connection", "lateral_movement"],
50
            "File System": ["file_access", "executable_access"],
51
            "Persistence": ["registry_persistence", "persistence"],
52
            "Privilege Escalation": ["privilege_escalation"],
53
            "Defense Evasion": ["defense_evasion"]
54
        }
55

56
        timeline_events = []
57

58
        for index, event in self.events_df.iterrows():
59
            # Extract relevant information
60
            timestamp = event['timestamp']
61
            description = event.get('rule', {}).get('description', 'Unknown event')
62
            level = event.get('rule', {}).get('level', 0)
63
            groups = event.get('rule', {}).get('groups', [])
64

65
            # Categorize event
66
            category = "Other"
67
            for cat, group_list in key_events.items():
68
                if any(group in groups for group in group_list):
69
                    category = cat
70
                    break
71

72
            timeline_events.append({
73
                'timestamp': timestamp,
74
                'description': description,
75
                'category': category,
76
                'level': level,
77
                'groups': ', '.join(groups) if isinstance(groups, list) else str(groups)
78
            })
79

80
        timeline_df = pd.DataFrame(timeline_events)
81
        timeline_df = timeline_df.sort_values('timestamp')
82

83
        # Save timeline as CSV
84
        timeline_file = self.output_dir / "attack_timeline.csv"
85
        timeline_df.to_csv(timeline_file, index=False)
86

87
        print(f"Attack timeline saved: {timeline_file}")
88
        return timeline_df
89

90
    def create_interactive_timeline(self, timeline_df):
91
        """Create interactive timeline visualization"""
92

93
        if timeline_df is None or timeline_df.empty:
94
            return None
95

96
        # Create timeline chart
97
        fig = px.scatter(
98
            timeline_df,
99
            x='timestamp',
100
            y='category',
101
            color='level',
102
            size='level',
103
            hover_data=['description', 'groups'],
104
            title="Forensic Attack Timeline",
105
            color_continuous_scale="Reds"
106
        )
107

108
        fig.update_layout(
109
            xaxis_title="Time",
110
            yaxis_title="Event Category",
111
            height=600,
112
            hovermode='closest'
113
        )
114

115
        # Save interactive timeline
116
        timeline_html = self.output_dir / "interactive_timeline.html"
117
        fig.write_html(str(timeline_html))
118

119
        print(f"Interactive timeline saved: {timeline_html}")
120
        return timeline_html
121

122
    def generate_timeline_report(self, timeline_df):
123
        """Generate comprehensive timeline report"""
124

125
        if timeline_df is None or timeline_df.empty:
126
            return None
127

128
        # Calculate timeline statistics
129
        stats = {
130
            "total_events": len(timeline_df),
131
            "time_range": {
132
                "start": timeline_df['timestamp'].min().isoformat(),
133
                "end": timeline_df['timestamp'].max().isoformat(),
134
                "duration_hours": (timeline_df['timestamp'].max() - timeline_df['timestamp'].min()).total_seconds() / 3600
135
            },
136
            "event_categories": timeline_df['category'].value_counts().to_dict(),
137
            "severity_distribution": timeline_df['level'].value_counts().to_dict(),
138
            "critical_events": timeline_df[timeline_df['level'] >= 10].to_dict('records'),
139
            "attack_phases": []
140
        }
141

142
        # Identify attack phases
143
        high_severity_events = timeline_df[timeline_df['level'] >= 8].sort_values('timestamp')
144

145
        if not high_severity_events.empty:
146
            phases = []
147
            current_phase = []
148
            last_timestamp = None
149

150
            for _, event in high_severity_events.iterrows():
151
                if last_timestamp is None or (event['timestamp'] - last_timestamp).total_seconds() <= 3600:  # Within 1 hour
152
                    current_phase.append({
153
                        "timestamp": event['timestamp'].isoformat(),
154
                        "description": event['description'],
155
                        "category": event['category']
156
                    })
157
                else:
158
                    if current_phase:
159
                        phases.append({
160
                            "phase": len(phases) + 1,
161
                            "start_time": current_phase[0]['timestamp'],
162
                            "end_time": current_phase[-1]['timestamp'],
163
                            "events": current_phase
164
                        })
165
                    current_phase = [{
166
                        "timestamp": event['timestamp'].isoformat(),
167
                        "description": event['description'],
168
                        "category": event['category']
169
                    }]
170

171
                last_timestamp = event['timestamp']
172

173
            # Add final phase
174
            if current_phase:
175
                phases.append({
176
                    "phase": len(phases) + 1,
177
                    "start_time": current_phase[0]['timestamp'],
178
                    "end_time": current_phase[-1]['timestamp'],
179
                    "events": current_phase
180
                })
181

182
            stats["attack_phases"] = phases
183

184
        # Save report
185
        report_file = self.output_dir / "timeline_report.json"
186
        with open(report_file, 'w') as f:
187
            json.dump(stats, f, indent=2, default=str)
188

189
        print(f"Timeline report saved: {report_file}")
190
        return stats
191

192
def main():
193
    import argparse
194

195
    parser = argparse.ArgumentParser(description="Forensic Timeline Builder")
196
    parser.add_argument("--events", required=True, help="Wazuh forensic events file")
197
    parser.add_argument("--output", default="./timeline_output", help="Output directory")
198

199
    args = parser.parse_args()
200

201
    builder = ForensicTimelineBuilder(args.events, args.output)
202

203
    if builder.load_events():
204
        timeline_df = builder.build_attack_timeline()
205
        if timeline_df is not None:
206
            builder.create_interactive_timeline(timeline_df)
207
            builder.generate_timeline_report(timeline_df)
208
            print("Timeline analysis completed successfully")
209
    else:
210
        print("Failed to load events")
211

212
if __name__ == "__main__":
213
    main()

Complete Forensic Workflow#

Phase 1: Automated Forensic Pipeline#

Master Forensic Analysis Script:

1
#!/bin/bash
2
# forensic_pipeline.sh - Complete forensic analysis pipeline
3

4
set -e
5

6
# Configuration
7
EVIDENCE_DIR="$1"
8
OUTPUT_DIR="$2"
9
CHAINSAW_PATH="/usr/local/bin/chainsaw"
10
SIGMA_RULES_PATH="/opt/sigma-rules"
11

12
# Validate inputs
13
if [ -z "$EVIDENCE_DIR" ] || [ -z "$OUTPUT_DIR" ]; then
14
    echo "Usage: $0 <evidence_directory> <output_directory>"
15
    echo "Example: $0 /forensic_evidence /forensic_analysis"
16
    exit 1
17
fi
18

19
if [ ! -d "$EVIDENCE_DIR" ]; then
20
    echo "Error: Evidence directory not found: $EVIDENCE_DIR"
21
    exit 1
22
fi
23

24
# Create output structure
25
mkdir -p "$OUTPUT_DIR"/{evtx,etw,timeline,reports}
26

27
echo "Starting forensic analysis pipeline..."
28
echo "Evidence directory: $EVIDENCE_DIR"
29
echo "Output directory: $OUTPUT_DIR"
30

31
# Phase 1: Process EVTX files
32
echo "Phase 1: Processing EVTX files..."
33
EVTX_FILES=$(find "$EVIDENCE_DIR" -name "*.evtx" -type f | wc -l)
34

35
if [ "$EVTX_FILES" -gt 0 ]; then
36
    echo "Found $EVTX_FILES EVTX files"
37

38
    python3 evtx_forensic_analyzer.py \
39
        --evtx-dir "$EVIDENCE_DIR" \
40
        --chainsaw "$CHAINSAW_PATH" \
41
        --sigma-rules "$SIGMA_RULES_PATH" \
42
        --output "$OUTPUT_DIR/evtx" \
43
        --workers 4
44

45
    echo "EVTX processing completed"
46
else
47
    echo "No EVTX files found"
48
fi
49

50
# Phase 2: Process ETW traces
51
echo "Phase 2: Processing ETW traces..."
52
ETL_FILES=$(find "$EVIDENCE_DIR" -name "*.etl" -type f | wc -l)
53

54
if [ "$ETL_FILES" -gt 0 ]; then
55
    echo "Found $ETL_FILES ETL files"
56

57
    for etl_file in $(find "$EVIDENCE_DIR" -name "*.etl" -type f); do
58
        echo "Processing: $(basename "$etl_file")"
59

60
        python3 etw_forensic_processor.py \
61
            --etl-file "$etl_file" \
62
            --output "$OUTPUT_DIR/etw"
63
    done
64

65
    echo "ETW processing completed"
66
else
67
    echo "No ETL files found"
68
fi
69

70
# Phase 3: Consolidate events for timeline
71
echo "Phase 3: Building timeline..."
72
WAZUH_EVENTS="$OUTPUT_DIR/timeline/consolidated_events.json"
73

74
# Consolidate all Wazuh-formatted events
75
cat "$OUTPUT_DIR"/evtx/*.wazuh.json "$OUTPUT_DIR"/etw/*.wazuh.json 2>/dev/null > "$WAZUH_EVENTS" || touch "$WAZUH_EVENTS"
76

77
if [ -s "$WAZUH_EVENTS" ]; then
78
    python3 timeline_builder.py \
79
        --events "$WAZUH_EVENTS" \
80
        --output "$OUTPUT_DIR/timeline"
81

82
    echo "Timeline analysis completed"
83
else
84
    echo "No events available for timeline analysis"
85
fi
86

87
# Phase 4: Generate comprehensive report
88
echo "Phase 4: Generating forensic report..."
89

90
python3 -c "
91
import json
92
import os
93
from pathlib import Path
94
from datetime import datetime
95

96
# Collect all analysis results
97
output_dir = Path('$OUTPUT_DIR')
98
report = {
99
    'analysis_timestamp': datetime.now().isoformat(),
100
    'evidence_directory': '$EVIDENCE_DIR',
101
    'analysis_summary': {
102
        'evtx_files_processed': 0,
103
        'etl_files_processed': 0,
104
        'total_events_analyzed': 0,
105
        'critical_findings': 0,
106
        'timeline_events': 0
107
    },
108
    'key_findings': [],
109
    'recommendations': [],
110
    'files_generated': []
111
}
112

113
# Count processed files
114
evtx_dir = output_dir / 'evtx'
115
if evtx_dir.exists():
116
    report['analysis_summary']['evtx_files_processed'] = len(list(evtx_dir.glob('*.evtx')))
117

118
etw_dir = output_dir / 'etw'
119
if etw_dir.exists():
120
    report['analysis_summary']['etl_files_processed'] = len(list(etw_dir.glob('*.etl')))
121

122
# Load forensic summary if available
123
summary_file = evtx_dir / 'forensic_summary.json' if evtx_dir.exists() else None
124
if summary_file and summary_file.exists():
125
    with open(summary_file) as f:
126
        evtx_summary = json.load(f)
127
        report['key_findings'].extend(evtx_summary.get('key_findings', []))
128

129
# Load timeline report if available
130
timeline_dir = output_dir / 'timeline'
131
timeline_report_file = timeline_dir / 'timeline_report.json' if timeline_dir.exists() else None
132
if timeline_report_file and timeline_report_file.exists():
133
    with open(timeline_report_file) as f:
134
        timeline_report = json.load(f)
135
        report['analysis_summary']['timeline_events'] = timeline_report.get('total_events', 0)
136
        report['analysis_summary']['critical_findings'] = len(timeline_report.get('critical_events', []))
137

138
# Add recommendations
139
report['recommendations'] = [
140
    'Review all critical findings immediately',
141
    'Correlate timeline events with network logs',
142
    'Investigate process execution chains',
143
    'Check for lateral movement indicators',
144
    'Validate findings with additional evidence sources',
145
    'Document all findings for legal proceedings'
146
]
147

148
# List generated files
149
for root, dirs, files in os.walk(output_dir):
150
    for file in files:
151
        file_path = os.path.join(root, file)
152
        relative_path = os.path.relpath(file_path, output_dir)
153
        report['files_generated'].append(relative_path)
154

155
# Save master report
156
report_file = output_dir / 'reports' / 'master_forensic_report.json'
157
with open(report_file, 'w') as f:
158
    json.dump(report, f, indent=2, default=str)
159

160
print(f'Master forensic report saved: {report_file}')
161
print(f'Total files analyzed: {report[\"analysis_summary\"][\"evtx_files_processed\"] + report[\"analysis_summary\"][\"etl_files_processed\"]}')
162
print(f'Critical findings: {report[\"analysis_summary\"][\"critical_findings\"]}')
163
print(f'Output files generated: {len(report[\"files_generated\"])}')
164
"
165

166
echo ""
167
echo "Forensic Analysis Pipeline Completed!"
168
echo "Results saved to: $OUTPUT_DIR"
169
echo ""
170
echo "Key files generated:"
171
echo "- EVTX Analysis: $OUTPUT_DIR/evtx/"
172
echo "- ETW Analysis: $OUTPUT_DIR/etw/"
173
echo "- Timeline: $OUTPUT_DIR/timeline/"
174
echo "- Reports: $OUTPUT_DIR/reports/"
175
echo ""
176
echo "Next steps:"
177
echo "1. Review master_forensic_report.json"
178
echo "2. Examine interactive_timeline.html"
179
echo "3. Import Wazuh events into SIEM for further analysis"

Phase 2: Wazuh Dashboard Integration#

Forensic Dashboard Configuration:

1
{
2
  "version": "7.14.0",
3
  "objects": [
4
    {
5
      "id": "forensic-analysis-dashboard",
6
      "type": "dashboard",
7
      "attributes": {
8
        "title": "Forensic Analysis Dashboard",
9
        "panels": [
10
          {
11
            "id": "critical-findings-timeline",
12
            "type": "visualization",
13
            "gridData": {
14
              "x": 0,
15
              "y": 0,
16
              "w": 48,
17
              "h": 15
18
            }
19
          },
20
          {
21
            "id": "attack-techniques-matrix",
22
            "type": "visualization",
23
            "gridData": {
24
              "x": 0,
25
              "y": 15,
26
              "w": 24,
27
              "h": 20
28
            }
29
          },
30
          {
31
            "id": "forensic-evidence-summary",
32
            "type": "visualization",
33
            "gridData": {
34
              "x": 24,
35
              "y": 15,
36
              "w": 24,
37
              "h": 20
38
            }
39
          }
40
        ]
41
      }
42
    }
43
  ]
44
}

Conclusion#

Analyzing historical Windows Event Logs and ETW traces with Wazuh provides powerful capabilities for digital forensics and incident response. By implementing the comprehensive workflows outlined in this guide, security teams can:

🔍 Uncover Hidden Threats: Analyze archived logs to discover previously undetected attacks
⏰ Reconstruct Attack Timelines: Build detailed chronologies of security incidents
📊 Generate Actionable Intelligence: Transform raw log data into structured threat intelligence
🎯 Improve Detection Capabilities: Enhance real-time monitoring based on forensic findings
📈 Support Legal Proceedings: Provide comprehensive evidence documentation

This approach bridges the gap between traditional forensic tools and modern SIEM capabilities, enabling organizations to leverage Wazuh’s powerful analytics engine for both real-time monitoring and historical analysis.

Key Takeaways#

Use Chainsaw for EVTX Processing: Most effective tool for Windows Event Log analysis
Implement Parallel Processing: Handle large datasets efficiently with concurrent analysis
Focus on Timeline Reconstruction: Temporal correlation reveals attack patterns
Integrate with Existing Workflows: Seamlessly incorporate into DFIR processes
Document Everything: Maintain comprehensive audit trails for legal requirements

Resources#

Transform your forensic investigations with advanced log analysis capabilities! 🔍📊