google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Windows Event Logs Message Fields Extraction #2911

Closed roshanmaskey closed 11 months ago

roshanmaskey commented 1 year ago

A Windows event log record contains details about the event in the message field (the EventData XML attribute). Extracting the information in EventData would enable analysts to query/filter event logs based on the attributes in EventData.

The figure below shows the high-level schema.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  </System>
  <EventData>
  </EventData>
</Event>
joachimmetz commented 1 year ago

FYI, EventData does not need to be present; there are other "schemas" as well, e.g. "UserData".
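As an added illustration of the extraction the issue asks for, and of the point above that an event may carry UserData instead of EventData, here is a small Python parser (not Timesketch's own code) that flattens a few System fields plus either block into a dict of queryable attributes. The output field names event_identifier and source_name, and both sample records, are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace from the <Event> schema quoted in the issue.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def extract_event_fields(xml_text):
    """Flatten one event record into a dict of queryable attributes.

    Reads a few <System> fields, then the <EventData> schema
    (<Data Name="...">value</Data>) or, when present instead, the
    <UserData> schema (provider-specific nested elements).
    Unnamed <Data> entries become data_0, data_1, ... so nothing is lost.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    system = root.find(f"{{{EVT_NS}}}System")
    if system is not None:
        event_id = system.find(f"{{{EVT_NS}}}EventID")
        if event_id is not None and event_id.text:
            fields["event_identifier"] = int(event_id.text)
        provider = system.find(f"{{{EVT_NS}}}Provider")
        if provider is not None:
            fields["source_name"] = provider.get("Name")
    event_data = root.find(f"{{{EVT_NS}}}EventData")
    if event_data is not None:
        for index, data in enumerate(event_data):
            fields[data.get("Name") or f"data_{index}"] = (data.text or "").strip()
    user_data = root.find(f"{{{EVT_NS}}}UserData")
    if user_data is not None:
        # UserData wraps a provider element (often in its own namespace);
        # keep every leaf element that carries text, keyed by local name.
        for elem in user_data.iter():
            if len(elem) == 0 and elem.text and elem.text.strip():
                fields[elem.tag.rsplit("}", 1)[-1]] = elem.text.strip()
    return fields

# Constructed sample records (not real log data), one per schema.
SAMPLE_EVENTDATA = f"""<Event xmlns="{EVT_NS}">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data><Data>unnamed</Data></EventData>
</Event>"""

SAMPLE_USERDATA = f"""<Event xmlns="{EVT_NS}">
  <System><Provider Name="Example-Provider"/><EventID>1149</EventID></System>
  <UserData><EventXML xmlns="urn:example:constructed">
    <Param1>bob</Param1><Param3>203.0.113.5</Param3></EventXML></UserData>
</Event>"""
```

Because the UserData branch keys on local element names, two providers that reuse the same names (Param1, Param2, ...) will collide in a shared index, so a real ingest path would prefix them with the provider name.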

joachimmetz commented 1 year ago

The "manifests" are stored in a PE/COFF file; see: https://github.com/libyal/libexe/blob/4b74c91226e7d174bdff74315129bc17b956d564/documentation/Executable%20(EXE)%20file%20format.asciidoc#68-windows-event-template-resource-data