Tracking Down Artifact GUIDs

In the past few cases I’ve worked on, I’ve used the Extensions for Plaso and Hayabusa, which are great for retrieving artifacts and processing them automatically. However, I’ve run into an issue where I need to match the Extension’s output to the original host from which the data originated.

The challenge is that these Extensions only give you the original GUID of the LC Artifact, without details of the original hostname. It’s usually the tool used to collect the item from the host, for example Velociraptor, that has the hostname you can match the LC Artifact GUID with.

The second challenge is that if the data has aged out of the Artifacts view, then you can’t do this type of browser search (image above) either.

I spent some time locating the logs for these and developed an LCQL query that I thought would be useful to share with everyone else.

Using the same example above, this is the Query:

* | LOG_GET_REP | event/PAYLOAD_ID == "a6810761-d82d-4f1b-95ee-3311xxxxxxxx"

This will get you back to the event of the Artifact being collected from the endpoint and show you the hostname from which the Artifact GUID originated. Essentially, it is the event log of the bottom entry in the screenshot above.
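To do this lookup in bulk rather than one GUID at a time, here is an added Python example (mine, not from the post or from LimaCharlie): it pulls the artifact GUIDs out of extension output lines, builds the same LCQL query for each, and joins the GUIDs against the LOG_GET_REP events you get back to produce a GUID-to-hostname map, flagging any GUID whose event has aged out. The extension output lines and the events are constructed samples, and the event shape (routing/hostname plus event/PAYLOAD_ID) is an assumption based on the query above.

```python
import re
from typing import Dict, Iterable, List, Optional

# Matches a standard 8-4-4-4-12 hex GUID, as used for LC Artifact IDs.
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)

# Constructed sample: lines as an extension (e.g. Plaso/Hayabusa) might tag them
# with the LC Artifact GUID they were derived from. Not real output.
EXTENSION_OUTPUT = [
    "2024-05-01T10:00:00Z,evtx,Security,4624,artifact=11111111-2222-4333-8444-555555555555",
    "2024-05-01T10:00:01Z,evtx,System,7045,artifact=11111111-2222-4333-8444-555555555555",
    "2024-05-02T09:30:00Z,evtx,Security,4688,artifact=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "2024-05-03T08:00:00Z,evtx,Security,4625,artifact=99999999-8888-4777-8666-555555555555",
]

# Constructed sample LOG_GET_REP events. Shape is an assumption: LimaCharlie
# events carry routing metadata (hostname) and the event body (PAYLOAD_ID).
LOG_GET_REP_EVENTS = [
    {"routing": {"event_type": "LOG_GET_REP", "hostname": "ws-finance-01"},
     "event": {"PAYLOAD_ID": "11111111-2222-4333-8444-555555555555"}},
    {"routing": {"event_type": "LOG_GET_REP", "hostname": "srv-dc-02"},
     "event": {"PAYLOAD_ID": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"}},
    # No event for 99999999-... : simulates an artifact that aged out of retention.
]


def extract_guids(lines: Iterable[str]) -> List[str]:
    """Return the unique artifact GUIDs found in extension output, in first-seen order."""
    seen: Dict[str, None] = {}
    for line in lines:
        for guid in GUID_RE.findall(line):
            seen.setdefault(guid.lower(), None)
    return list(seen)


def build_lcql(guid: str) -> str:
    """The LCQL query from the post, parameterised on the artifact GUID."""
    return f'* | LOG_GET_REP | event/PAYLOAD_ID == "{guid}"'


def resolve_hosts(guids: Iterable[str], events: Iterable[dict]) -> Dict[str, Optional[str]]:
    """Map each artifact GUID to the hostname in its LOG_GET_REP event, or None if no event exists."""
    by_payload = {
        e["event"]["PAYLOAD_ID"].lower(): e["routing"]["hostname"]
        for e in events
        if e.get("routing", {}).get("event_type") == "LOG_GET_REP"
    }
    return {g.lower(): by_payload.get(g.lower()) for g in guids}
```

Any GUID that resolves to None is one you will have to chase through the collection tool (Velociraptor or similar) instead, since the LC event is gone.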

Enjoy!