Log decryption test
SGBox Knowledge Base, https://www.sgbox.eu/en/knowledge-base/log-decryption-test/ (24 May 2023)

This article explains where encrypted logs are stored in SGBox and how to perform a decryption test.

First of all, after SGBox receives the logs it stores them in the Online Database so that you can run searches with the Historical Search tool (LM > Analysis > Historical Search).
Meanwhile SGBox also analyzes the logs to produce the events you can see in Class/Pattern Analysis, Templates, Dashboards, Reports, etc.
You can find more information on how logs are stored and their retention here: data retention

The raw logs are also stored on the filesystem in encrypted form using GPG. You can see them in LM > Configuration > Encryption.
On this page you can also download a specific log file and check that it cannot be read without the SGBox GPG keys.


To read it you need to download the GPG keys and store them in a file (read this article to learn how: Export GPG key).

WINDOWS
Download and install a GPG program such as Gpg4win (https://www.gpg4win.org/). Run the program and choose the Import button. Select the previously exported GPG keys file.


Choose Decrypt/Verify and select your file.


Click on Save All to save the unencrypted file.


LINUX
  • Import your keys:
    gpg --import < sgbox_pub.key
    gpg --import < sgbox_priv.key
  • Run the following command (the decrypted log is written to standard output):
    gpg -d -q data_20200202050000_20200202055959_757.log.gpg
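The Linux steps above as one script, as an added example that is not part of the SGBox article: it imports the exported keys, refuses to decrypt anything gpg does not recognise as OpenPGP-encrypted data (the "cannot be read without the keys" check the article suggests), and writes the decrypted log with owner-only permissions. The key filenames and the log filename are the article's; gpg on PATH is assumed.

```bash
#!/bin/sh
# Added example (not SGBox's own tooling): decryption test for a raw log
# downloaded from LM > Configuration > Encryption. Assumes gpg is on PATH
# and the keys were exported as sgbox_pub.key / sgbox_priv.key.
set -eu

# Derive the plaintext filename: data_..._757.log.gpg -> data_..._757.log
plain_name() {
    case "$1" in
        *.gpg) printf '%s\n' "${1%.gpg}" ;;
        *)     printf '%s.dec\n' "$1" ;;
    esac
}

# Succeeds only if gpg parses the file as OpenPGP data carrying an
# encrypted session-key packet, i.e. the download is not readable plaintext.
is_encrypted() {
    gpg --batch --list-packets "$1" 2>/dev/null | grep -q 'enc packet'
}

# Import both halves of the SGBox key pair; harmless to repeat.
import_keys() {
    gpg --batch --import sgbox_pub.key
    gpg --batch --import sgbox_priv.key
}

# Decrypt one log into a file only the current user can read (umask 077).
decrypt_log() {
    src="$1"
    out="$(plain_name "$src")"
    is_encrypted "$src" || { echo "refusing: $src is not GPG-encrypted" >&2; return 1; }
    ( umask 077; gpg --batch -d -q -o "$out" "$src" )
    printf '%s\n' "$out"
}

# Usage: sh decrypt_test.sh data_20200202050000_20200202055959_757.log.gpg
if [ "$#" -gt 0 ]; then
    import_keys
    for f in "$@"; do
        out="$(decrypt_log "$f")"
        echo "decrypted $f -> $out ($(wc -l < "$out") lines)"
    done
fi
```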