How It Works

Learn about the different ways to generate and send logs to your SIEM platform

Catalog
Browse and use pre-populated log samples from trusted sources

The Catalog provides access to a curated collection of real-world log samples, starting with samples from the Hayabusa project. These logs are pre-processed and ready to use for testing your SIEM detections.

How it works:

  1. Browse the catalog to find log samples by type, category, or search terms
  2. Select a log entry to view its metadata (event count, file size, description)
  3. Configure your target system (Splunk or Elasticsearch) settings
  4. Submit the log for processing - it will be sent directly to your SIEM
  5. Track the processing status and view results in your SIEM platform

Note

Catalog logs are stored in cloud storage and processed on-demand. No file upload is required - simply select a log and configure your target system.

Insert
Upload your own EVTX files for processing and analysis

The Insert feature allows you to upload your own Windows Event Log (EVTX) files for processing and sending to your SIEM platform. This is useful for testing detections with logs from your own environment.

How it works:

  1. Upload an EVTX file from your local system
  2. Configure your target system settings (Splunk or Elasticsearch)
  3. The file is securely uploaded and processed
  4. Events are extracted, normalized, and sent to your configured SIEM
  5. Monitor processing status and verify logs appear in your SIEM

Supported formats

Windows Event Log files (.evtx). Files are processed server-side and automatically converted to the appropriate format for your target system (XML for Splunk, JSON/ECS for Elasticsearch).
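
As an added illustration of the EVTX-to-Elasticsearch path described above (this is example code written for this page, not the tool's own converter), the block below takes one Windows event record in the XML form that EVTX tooling renders (a constructed Sysmon Event ID 1 sample, with made-up values) and maps it into an ECS-shaped JSON document. The field placement for Sysmon Event ID 1 (Image to process.executable, ParentImage to process.parent.executable, and so on) is this example's own mapping; the raw EventData is kept under winlog.event_data so that no field is lost when the mapping does not know it. For Splunk the rendered XML is forwarded as-is, so only the JSON side is shown.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: one Sysmon Event ID 1 record in the XML form that EVTX
# tooling renders records into (values are made up, not from a real host).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <TimeCreated SystemTime="2024-01-15T10:30:00.000000Z" />
    <EventRecordID>4242</EventRecordID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WORKSTATION01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe C:\Users\alice\notes.txt</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event_xml(xml_text):
    """Split a rendered Windows event into its <System> header and EventData map."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    header = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": system.find("e:EventID", NS).text,
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "channel": system.find("e:Channel", NS).text,
        "computer": system.find("e:Computer", NS).text,
    }
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return header, data


def evtx_xml_to_ecs(xml_text):
    """Normalize one rendered event into an ECS-shaped document.
    The Sysmon EID 1 field placement is this example's own mapping (assumption)."""
    header, data = parse_event_xml(xml_text)
    doc = {
        "@timestamp": header["time_created"],
        "event": {"code": header["event_id"], "provider": header["provider"]},
        "host": {"name": header["computer"]},
        # Keep every raw EventData field so unmapped fields are still searchable.
        "winlog": {"channel": header["channel"], "record_id": header["record_id"],
                   "event_data": data},
    }
    if header["provider"] == "Microsoft-Windows-Sysmon" and header["event_id"] == "1":
        doc["event"]["category"] = ["process"]
        doc["event"]["type"] = ["start"]
        pid = data.get("ProcessId", "")
        doc["process"] = {
            "executable": data.get("Image"),
            "command_line": data.get("CommandLine"),
            "pid": int(pid) if pid.isdigit() else None,
            "parent": {"executable": data.get("ParentImage")},
        }
        # Sysmon's User field is DOMAIN\name; split it into ECS user.domain / user.name.
        domain, _, name = data.get("User", "").rpartition("\\")
        if name:
            doc["user"] = {"name": name, "domain": domain or None}
    return doc


def to_ndjson_line(doc):
    """One compact JSON object per line, the shape a bulk indexer accepts."""
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    print(to_ndjson_line(evtx_xml_to_ecs(SAMPLE_EVENT_XML)))
```

A practical check after normalization is that the fields a detection queries (process.executable, process.command_line, user.name) are populated and typed the way the SIEM mapping expects; a PID that arrives as a string rather than an integer is a common reason a query that works on the vendor's own ingest pipeline returns nothing on converted data.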

Synthetic Logs
Generate custom log events with specific field values for targeted testing

Synthetic Logs allow you to create custom log events by specifying event types and field values. This is perfect for testing specific detection scenarios without needing real log files or waiting for events to occur naturally.

How it works:

  1. Select an event type (e.g., Sysmon Event ID 1 for process creation)
  2. Specify field values you want to customize (e.g., process name, command line)
  3. Leave other fields empty to have them auto-generated with realistic synthetic values
  4. Configure your target system and submit
  5. The synthetic event is generated, normalized, and sent directly to your SIEM

Tip

Synthetic logs are generated in real-time and don't require file uploads. You can quickly test multiple scenarios by creating different synthetic events with varying field values.

Supported event types

Currently supports Sysmon events. More event types will be added in future updates. Field values you provide are merged with auto-generated synthetic data to create complete, realistic log events.
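
The following is an added example (written for this page, not the tool's own generator) of the merge step described above and of the "test your detections" step of the common workflow: caller-supplied field values for a Sysmon Event ID 1 event win, every other field is filled with synthetic data, and the finished event is run through a minimal Sigma-style selection matcher to confirm the detection fires on the customized field and stays quiet on a default event. The field names are Sysmon's own EventData names; the default value generators, the unknown-field check, the derivation of CommandLine from Image, and the sample selection are this example's assumptions.

```python
import random
import uuid
from datetime import datetime, timezone

# Filler values for fields the caller leaves empty (assumption: what a
# "plausible" default looks like; any list of system binaries would do).
_SYSTEM_IMAGES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\conhost.exe",
    r"C:\Windows\explorer.exe",
]
_USERS = [r"EXAMPLE\alice", r"EXAMPLE\bob", r"NT AUTHORITY\SYSTEM"]


def _guid(rng):
    return "{" + str(uuid.UUID(int=rng.getrandbits(128))) + "}"


def generate_sysmon_eid1(overrides, seed=None, now=None):
    """Build a complete Sysmon Event ID 1 (process creation) record.
    Keys in `overrides` replace generated values; empty values mean 'generate'."""
    rng = random.Random(seed)
    now = now or datetime.now(timezone.utc)
    image = overrides.get("Image") or rng.choice(_SYSTEM_IMAGES)
    parent = overrides.get("ParentImage") or rng.choice(_SYSTEM_IMAGES)
    event = {
        "EventID": 1,
        "UtcTime": now.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
        "ProcessGuid": _guid(rng),
        "ProcessId": rng.randint(1000, 60000),
        "Image": image,
        # Derive CommandLine from Image so the two stay consistent unless overridden.
        "CommandLine": f'"{image}"',
        "CurrentDirectory": "C:\\Windows\\system32\\",
        "User": rng.choice(_USERS),
        "IntegrityLevel": "Medium",
        "ParentProcessGuid": _guid(rng),
        "ParentProcessId": rng.randint(1000, 60000),
        "ParentImage": parent,
        "ParentCommandLine": f'"{parent}"',
    }
    # A misspelled field name would silently produce an event that tests nothing.
    unknown = set(overrides) - set(event)
    if unknown:
        raise ValueError(f"unknown Sysmon EID 1 fields: {sorted(unknown)}")
    event.update({k: v for k, v in overrides.items() if v not in (None, "")})
    return event


def selection_matches(event, selection):
    """Minimal Sigma-style selection: every 'Field|modifier': value entry must
    match (AND); a list value matches if any element does (OR). Comparison is
    case-insensitive, as Sigma specifies. Supports contains/startswith/endswith."""
    for key, expected in selection.items():
        field, _, mod = key.partition("|")
        actual = str(event.get(field, "")).lower()
        values = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
        if mod == "contains":
            ok = any(v in actual for v in values)
        elif mod == "endswith":
            ok = any(actual.endswith(v) for v in values)
        elif mod == "startswith":
            ok = any(actual.startswith(v) for v in values)
        elif mod == "":
            ok = actual in values
        else:
            raise ValueError(f"unsupported modifier: {mod}")
        if not ok:
            return False
    return True


# Constructed detection for the walkthrough: a process started from a user's
# Temp directory.
TEMP_EXEC_SELECTION = {
    "EventID": 1,
    "Image|contains": "\\AppData\\Local\\Temp\\",
}


if __name__ == "__main__":
    custom = generate_sysmon_eid1(
        {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"}, seed=7)
    baseline = generate_sysmon_eid1({}, seed=7)
    print("custom event fires:", selection_matches(custom, TEMP_EXEC_SELECTION))
    print("baseline event fires:", selection_matches(baseline, TEMP_EXEC_SELECTION))
```

Passing a seed makes a scenario reproducible, which matters when a detection test is re-run after a rule change: the only field that differs between runs should be the one under test, not a freshly generated PID or GUID.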

Common Workflow

Regardless of which method you use, the general workflow is the same:

  1. Configure your target system (Splunk or Elasticsearch) in Settings
  2. Select or create your log source (Catalog, Insert, or Synthetic Logs)
  3. Submit for processing
  4. Monitor the job status
  5. Verify logs appear in your SIEM platform
  6. Test your detections and queries