Some more logparser & eventcomb stuff for IR work

Counting and sorting by unique text in the strings section:

As a follow-on to a previous article, https://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx, I found some other useful queries that came in handy on some recent cases, and I figured I would post them as well.

We were looking for unique instances of event text in EventComb logs, so the same process applied: first gather the data with EventComb's built-in account lockout search.

Once you have the txt files, you can run the following against them:

logparser -i:textline -o:csv "select substr(text,INDEX_OF(Text,'SYSTEM,'),NULL) into timestampremoved.txt from *LOG.txt"

This cuts off everything on the line ahead of 'SYSTEM,', which is the part carrying the timestamp, so lines that differ only in their timestamp become identical and can be found and counted.

Next run the following:

logparser -i:textline -o:csv "select COUNT(*), Text into uniques.txt from timestampremoved.txt group by TEXT order by COUNT(*) DESC"

This groups identical lines together and gives you a count of how many times each line occurred across all the logs.
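The same two steps (strip the leading timestamp fields, then group and count) reimplemented in Python as an added example, not code from the original post, so the normalization can be checked offline. The sample lines, their field layout and the position of the 'SYSTEM,' marker are constructed assumptions about the EventComb output; lines without the marker are reported rather than lumped into one bucket, mirroring Log Parser returning NULL when INDEX_OF finds nothing.

```python
from collections import Counter

# Constructed sample lines in the shape of EventComb output: the leading
# fields carry the machine name and timestamp, and everything from the
# 'SYSTEM,' marker onward is stable across repeats of the same event.
# (Sample data, not taken from real EventComb logs.)
SAMPLE_LINES = [
    "SERVER01,Security,2009-01-28 08:01:12,SYSTEM,Logon Failure: Unknown user name or bad password,User: admin",
    "SERVER02,Security,2009-01-28 08:03:45,SYSTEM,Logon Failure: Unknown user name or bad password,User: admin",
    "SERVER01,Security,2009-01-28 08:05:00,SYSTEM,Account locked out,User: jdoe",
    "SERVER03,Security,2009-01-28 08:07:30,SYSTEM,Logon Failure: Unknown user name or bad password,User: admin",
    "SERVER01,Security,2009-01-28 09:00:00,malformed line without the marker",
]

MARKER = "SYSTEM,"


def strip_timestamp(line, marker=MARKER):
    """Step 1: the equivalent of SUBSTR(Text, INDEX_OF(Text, 'SYSTEM,')).

    Returns the text from the marker onward, or None when the marker is
    absent, so malformed lines are not silently counted as one group.
    """
    idx = line.find(marker)
    return None if idx < 0 else line[idx:]


def count_uniques(lines, marker=MARKER):
    """Step 2: GROUP BY the stripped text, ORDER BY COUNT(*) DESC.

    Returns (ranked, skipped): ranked is a list of (count, text) tuples,
    most frequent first with ties broken alphabetically; skipped is the
    number of lines that had no marker.
    """
    counts = Counter()
    skipped = 0
    for line in lines:
        text = strip_timestamp(line, marker)
        if text is None:
            skipped += 1
            continue
        counts[text] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(n, text) for text, n in ranked], skipped


if __name__ == "__main__":
    ranked, skipped = count_uniques(SAMPLE_LINES)
    for n, text in ranked:
        print(f"{n:6d}  {text}")
    print(f"({skipped} line(s) without the marker were skipped)")
```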

This works for quite a few different things and would also work well against event logs in general, simply to find out what the top offenders in a log are.