In relation to Issue #382, it was discovered that Windows event log forwarding converts every field to strings. This caused parsing to fail where all hash fields (SHA1, SHA256 and file hashes) are encoded as byte arrays.
Additionally, I recognized that the existing parsing logic drops fields with empty strings (e.g. OriginalFilename, InternalName, etc.). This caused many out-of-bounds parsing errors.
Fix:
Updated event log parsing to use JSON string parsing, which addresses both issues above. JSON string parsing allows for indexing all fields, regardless of whether they are null or empty.
Testing:
Tested against all EVTX files in the test bank and the ForwardedEvent.evtx file added in the issue.
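As an added illustration (not code from this PR or its project), a Python sketch of the parsing approach described above: every expected field is looked up by name so empty values become None instead of being dropped, and hash fields are accepted whether they arrive as byte arrays or as strings. The sample records, the Sysmon-style field names and the `positional_parse_broken` helper are constructed assumptions, not the project's actual code.

```python
import json
from typing import Any, Dict, List, Optional, Sequence

# Constructed sample: two forwarded records. The first carries its hashes as
# byte arrays (JSON lists of ints) and has empty metadata fields; the second
# has every field already converted to a string.
FORWARDED_EVENTS = json.dumps([
    {"Image": "C:\\Tools\\a.exe", "OriginalFileName": "", "InternalName": "",
     "SHA1": list(b"\x01\x02"), "SHA256": list(b"\x0a\x0b")},
    {"Image": "C:\\Tools\\b.exe", "OriginalFileName": "b.exe", "InternalName": "b",
     "SHA1": "0102", "SHA256": "0A0B"},
])

FIELDS = ("Image", "OriginalFileName", "InternalName", "SHA1", "SHA256")
HASH_FIELDS = {"SHA1", "SHA256"}


def positional_parse_broken(record: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical reconstruction of the failure mode: drop empty values, then
    index by position. Empty OriginalFileName/InternalName shift the list and
    SHA256 ends up out of range (IndexError)."""
    values = [v for v in record.values() if v not in ("", None)]
    return {name: values[i] for i, name in enumerate(FIELDS)}


def broken_parser_fails(record: Dict[str, Any]) -> bool:
    """Return True if the positional parser raises on this record."""
    try:
        positional_parse_broken(record)
        return False
    except IndexError:
        return True


def normalize_hash(value: Any) -> Optional[str]:
    """Lowercase hex whether the field is a byte array (list of ints / bytes)
    or an already-hex string; None for absent or empty values."""
    if value is None or value == "" or value == []:
        return None
    if isinstance(value, (bytes, bytearray)):
        return value.hex()
    if isinstance(value, list):
        return bytes(value).hex()
    return str(value).strip().lower()


def parse_event(record: Dict[str, Any], fields: Sequence[str] = FIELDS) -> Dict[str, Optional[str]]:
    """Index every expected field by name; empty strings become None instead
    of vanishing, so downstream consumers never see a shifted column."""
    out: Dict[str, Optional[str]] = {}
    for name in fields:
        v = record.get(name)
        out[name] = normalize_hash(v) if name in HASH_FIELDS else (v if v not in (None, "") else None)
    return out


def parse_forwarded(json_text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a forwarded-events JSON array into uniform dicts."""
    return [parse_event(rec) for rec in json.loads(json_text)]
```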