Open joaociocca opened 5 years ago
@joaociocca: I'm going to try to run this down this week. If you do have any more context you can share or are hitting any other issues, let me know.
Checking to see if I can recreate the issue with any of the system logs from: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
I remember the EVTX weren't enhanced by Sysmon, and they came from Application.evtx, Security.evtx and System.evtx. Sadly, since my investigation ended, I no longer have access to those files.
Also, dunno if you or anyone else would find it useful, but I made a little bulk loader! My first attempt at a Python script: https://github.com/joaociocca/evtxtoelk/blob/master/bulkevtx.py
Hi there! Great tool, I got it to ingest Security.evtx and Application.evtx, but when I try to ingest System.evtx I always get a parsing error. I have a very basic understanding of programming logic, not nearly that about Python - I got most of it to work with your step-by-step on Dragos' blog and some Google-fu. How can I help diagnose, maybe even help correct, this parsing error?
oh! Found one in Elasticsearch's logs:
And rolling up the log, it seems every parsing error is caused by this error.
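A way to narrow down where a file like System.evtx stops parsing, added here as an example and not code from evtxtoelk or from anyone in this thread: a pure-Python checker that walks the EVTX container (file header, 64 KiB chunks, record framing) and verifies the CRC32 checksums the format carries, so a bad chunk or record can be reported by offset before a bulk loader ever reaches it. It uses only `struct` and `zlib`, follows the publicly documented EVTX layout, and the sample file it builds is constructed for the test: the record payloads are placeholder bytes standing in for BinXML, so it validates the container and not the event XML itself. The function names (`check_evtx`, `build_sample_evtx`, `build_record`) are my own.

```python
import struct
import zlib

# Container constants from the public EVTX format description (libevtx docs).
FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HEADER_BLOCK = 4096   # the file header occupies the first 4 KiB
CHUNK_SIZE = 65536         # each chunk is 64 KiB; its header is the first 512 bytes
CHUNK_HEADER = 512
RECORD_FIXED = 28          # magic(4) + size(4) + record id(8) + FILETIME(8) + size copy(4)


def check_evtx(data: bytes) -> dict:
    """Walk an EVTX container and report which chunk/record breaks the framing.

    Verifies the file header checksum, each chunk's header and records
    checksums, and every record's size/trailer framing. BinXML is not parsed.
    """
    result = {"chunks": 0, "records": 0, "problems": []}
    problems = result["problems"]
    if len(data) < FILE_HEADER_BLOCK or data[:8] != FILE_MAGIC:
        problems.append("file: bad or truncated file header")
        return result
    # File header checksum: CRC32 over the first 120 bytes, stored at offset 124.
    if zlib.crc32(data[:120]) != struct.unpack_from("<I", data, 124)[0]:
        problems.append("file: header checksum mismatch")
    num_chunks = struct.unpack_from("<H", data, 42)[0]
    result["chunks"] = num_chunks
    for i in range(num_chunks):
        base = FILE_HEADER_BLOCK + i * CHUNK_SIZE
        chunk = data[base:base + CHUNK_SIZE]
        if len(chunk) < CHUNK_HEADER or chunk[:8] != CHUNK_MAGIC:
            problems.append(f"chunk {i}: bad or truncated chunk header")
            continue
        free_off, rec_crc = struct.unpack_from("<II", chunk, 48)
        hdr_crc = struct.unpack_from("<I", chunk, 124)[0]
        # Chunk header checksum covers bytes 0-119 and 128-511 (skips the checksum field).
        if zlib.crc32(chunk[128:CHUNK_HEADER], zlib.crc32(chunk[:120])) != hdr_crc:
            problems.append(f"chunk {i}: chunk header checksum mismatch")
        if free_off < CHUNK_HEADER or free_off > len(chunk):
            problems.append(f"chunk {i}: implausible free space offset {free_off}")
            continue
        # Records checksum covers record data from offset 512 up to the free space offset.
        if zlib.crc32(chunk[CHUNK_HEADER:free_off]) != rec_crc:
            problems.append(f"chunk {i}: event records checksum mismatch")
        off = CHUNK_HEADER
        while off < free_off:
            if chunk[off:off + 4] != RECORD_MAGIC:
                problems.append(f"chunk {i}: bad record signature at offset {off}")
                break
            size = struct.unpack_from("<I", chunk, off + 4)[0]
            if size < RECORD_FIXED or off + size > free_off:
                problems.append(f"chunk {i}: implausible record size {size} at offset {off}")
                break
            # Each record ends with a copy of its size; a mismatch means torn framing.
            if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
                problems.append(f"chunk {i}: size trailer mismatch at offset {off}")
                break
            result["records"] += 1
            off += size
    return result


def build_record(record_id: int, payload: bytes) -> bytes:
    """Frame one record; payload is a constructed stand-in for BinXML."""
    size = RECORD_FIXED + len(payload)
    return RECORD_MAGIC + struct.pack("<IQQ", size, record_id, 0) + payload + struct.pack("<I", size)


def build_sample_evtx(payloads) -> bytes:
    """Build a constructed single-chunk EVTX file with valid checksums (test input only)."""
    recs = [build_record(n + 1, p) for n, p in enumerate(payloads)]
    records = b"".join(recs)
    free_off = CHUNK_HEADER + len(records)
    last_off = free_off - len(recs[-1]) if recs else CHUNK_HEADER
    hdr = bytearray(CHUNK_HEADER)
    hdr[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", hdr, 8, 1, len(recs), 1, len(recs))          # record numbers / ids
    struct.pack_into("<IIII", hdr, 40, 128, last_off, free_off, zlib.crc32(records))
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[128:], zlib.crc32(hdr[:120])))
    chunk = bytes(hdr) + records + b"\x00" * (CHUNK_SIZE - free_off)
    fh = bytearray(FILE_HEADER_BLOCK)
    fh[:8] = FILE_MAGIC
    # first chunk, last chunk, next record id, header size, minor, major, block size, chunk count
    struct.pack_into("<QQQIHHHH", fh, 8, 0, 0, len(recs) + 1, 128, 1, 3, 4096, 1)
    struct.pack_into("<I", fh, 124, zlib.crc32(fh[:120]))
    return bytes(fh) + chunk


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_evtx([b"alpha", b"bravo"])
    print(check_evtx(blob))
```

Run it as `python check_evtx.py System.evtx`; a clean file prints an empty `problems` list with the chunk and record counts, while a damaged one names the chunk and byte offset where the framing or a checksum fails, which is the spot to look at before blaming the XML parser. The checksum and framing checks are independent so that a single flipped byte in record data shows up as a records checksum mismatch with the record walk still intact, whereas a corrupted size field stops the walk at that offset.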