I have followed your guides; however, phase_name is not being captured in Sentinel:
However, the parser was installed successfully:
And I can clearly see the phase_name in the Sysmon event on the server:
So I'm a little lost. Also, when querying the log, the column names do not seem to correspond with the data they contain, which suggests perhaps an issue with the parser (?):
Originally posted by @srthomson in https://github.com/BlueTeamLabs/sentinel-attack/issues/15#issuecomment-532157466