Closed jball77-git closed 2 years ago
EricZimmerman
commented
2 years ago this should not be a surprise at all. the xpath is just wrong for the first ProcessId, as that attribute is in the Execution element under Event\System, vs EventData
what am i missing?
EricZimmerman
commented
2 years ago the processid column proper, containing 4 in this case, IS the correct one tho, because its coming from the Execution element. you are doing things the right way and things are behaving as intended, as you are pulling the processid from the eventdata and storing it.
AndrewRathbun
commented
2 years ago This is a Map issue, it seems, not EVTXECmd. If you want it to pull Event/System vs Event/Data, then adjust the Map.
ProcessID is not a property currently. It's throwing a validation error because it's not a valid property. It seems like what you are trying to accomplish is just to have a dedicated column for a process ID. When really that could be placed in one of the payload data columns. Most events struggle to fill all of the payload data columns as it is. Also, given the thousands of events that are out there, do we know how many actually record a process ID for each event?
Also, in your graphic I'm not sure how you got different values when the XPath is the exact same and all you did was change the Property value (basically which column it's stored in). I would expect Event/System/Execution [@Name=\"Process ID\" or something like that as the XPath value.
EvtxECmd version # 0.6.5.0
Describe the bug 'Process Id' pulls incorrect process id from 'System/Execution ProcessID="4" ' values, instead of EventData. I believe this field can not be edited manually.
To Reproduce Steps to reproduce the behavior:
Expected behavior Allow maps to properly parse process id and populate 'Process Id' field in csv output. This would remove the need to use an additional 'Payload Data' field, which has a limit.
Screenshots
Additional context I am working on the map for 5152 events, but this is similar to 5156, which exists and has similar behavior.