Push array of items to Thehive logs once

Dears,
I have a list of items [array] as attached and I need to create one log in TheHive for all of them.
But when I run TheHive's log node, it creates a log for each line.
I want to add all lines in one log. Any idea how to do that?

I appreciate your continuous support.

Best Regards

I have sadly currently no easy way to test it. Can you please share the part of the workflow which does the log creation so that we can get a better understanding of what you currently do? Thanks a lot!


Thank you Jan for your reply, this is the workflow.

This is the data sample:

[
  {
    "EventCode": "4625",
    "src_ip": "10.10.10.60",
    "dest": "DC1.dc.local",
    "user": "PC1$",
    "Status": "0xC0000133",
    "Sub_Status": "0x0",
    "userstatus": "unknown",
    "Failure_Reason": "An Error occured during Logon.",
    "Authentication_Package": "Kerberos",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "80"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "1050",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "24"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "admin",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "414"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "cisco",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "15"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "fg",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "17"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "hasanm",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "415"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "man",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "384"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "user",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "399"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "DC1.dc.local",
    "user": "user2",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "24"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "1050",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "16"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "admin",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "62"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "cisco",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "12"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "fg",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "12"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "hasanm",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "60"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "man",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "62"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "user",
    "Status": "0xC000006D",
    "Sub_Status": "0xC000006A",
    "userstatus": "valid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "60"
  },
  {
    "EventCode": "4625",
    "src_ip": "192.168.100.10",
    "dest": "PC1.dc.local",
    "user": "user2",
    "Status": "0xC000006D",
    "Sub_Status": "0xC0000064",
    "userstatus": "invalid",
    "Failure_Reason": "Unknown user name or bad password.",
    "Authentication_Package": "NTLM",
    "Logon_Type": "3",
    "app": "win:remote",
    "count": "16"
  }
]
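One way to get a single log out of an array like the one posted above, as an added example that is not part of the original thread: collapse all events into one Markdown message before the log step, so that step receives one item instead of one per line. The function names (`cell`, `buildLogMessage`, `toSingleItem`) are hypothetical, the three events are constructed from the field names in the sample, and it is an assumption that the log message field renders Markdown.

```javascript
// Added example: collapse many per-event items into ONE log message.
// Field names follow the posted sample; these three events are constructed.
const sampleEvents = [
  { EventCode: "4625", src_ip: "192.168.100.10", dest: "DC1.dc.local", user: "admin",
    Sub_Status: "0xC0000064", userstatus: "invalid", Authentication_Package: "NTLM", count: "414" },
  { EventCode: "4625", src_ip: "192.168.100.10", dest: "PC1.dc.local", user: "cisco",
    Sub_Status: "0xC000006A", userstatus: "valid", Authentication_Package: "NTLM", count: "12" },
  { EventCode: "4625", src_ip: "10.10.10.60", dest: "DC1.dc.local", user: "PC1$",
    Sub_Status: "0x0", userstatus: "unknown", Authentication_Package: "Kerberos", count: "80" },
];

const COLUMNS = ["src_ip", "dest", "user", "userstatus", "Sub_Status", "Authentication_Package", "count"];

// Values originate from log data, so neutralise characters that would
// break a Markdown table row (pipes and embedded newlines).
function cell(value) {
  return String(value ?? "").replace(/\|/g, "\\|").replace(/[\r\n]+/g, " ");
}

// "count" arrives as a string in the sample; treat anything non-numeric as 0.
const num = (v) => Number(v) || 0;

function buildLogMessage(events) {
  // Highest-volume rows first so the noisiest source/user pairs are on top.
  const rows = [...events].sort((a, b) => num(b.count) - num(a.count));
  const total = rows.reduce((sum, e) => sum + num(e.count), 0);
  const bySource = {};
  for (const e of rows) bySource[e.src_ip] = (bySource[e.src_ip] || 0) + num(e.count);

  return [
    `**Failed logons (EventCode 4625):** ${rows.length} rows, ${total} events`,
    "",
    ...Object.entries(bySource).map(([ip, n]) => `- ${cell(ip)}: ${n}`),
    "",
    `| ${COLUMNS.join(" | ")} |`,
    `| ${COLUMNS.map(() => "---").join(" | ")} |`,
    ...rows.map((e) => `| ${COLUMNS.map((c) => cell(e[c])).join(" | ")} |`),
  ].join("\n");
}

// One object out, regardless of how many events came in.
function toSingleItem(events) {
  return { message: buildLogMessage(events) };
}

console.log(toSingleItem(sampleEvents).message);
```

Feeding the single object returned by `toSingleItem` to the log step, rather than the original array, is what keeps a per-item node from firing once per event.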
