Update Dump Json and jq Implementation

[ajread4]

New commits address missing data within Event XML so that all necessary information is pulled from log data. Prior commits only pulled EventRecordID from within System section. New upgrades pull things like EventID, TimeCreated, Channel, etc. Also, proper usage with jq added so that output can be piped to jq for ease of analysis. New dataset added to tests folder as well!

[ajread4]

looks like all checks passed too!

[ajread4]

Checking to see if you can merge! Let me know if there are any other issues

[ajread4]

program logic looks reasonable. see inline comment about formatting.

would you be up for adding a test case? if not, i can add it after the merge.

thanks!

I can definitely try to add a test case, I will admit it is my first time adding one

[williballenthin]

Oh, cool! I'm happy to help out, either explaining ideas or answering questions. Thanks for everything you've done so far!

[ajread4]

Oh, cool! I'm happy to help out, either explaining ideas or answering questions. Thanks for everything you've done so far!

I want to create a test that runs the evtx_dump_json with the evtx data located within the data folder. However, I am having trouble calling the main function. I tried to import scripts but it was never able to import the module even after I added a init.py to the scripts directory. Any thoughts?

[ajread4]

This is how I am trying to set it up. But, I keep getting errors of the below.

[ajread4]

I wasn't able to figure it out, apologies!

[ajread4]

fixed issues with EventData missing key and added a UserData loop to cover newly discovered evtx data fields

[williballenthin]

(sorry I wasn't able to get this merged before I left for a little PTO. i have an explicit TODO item to merge this when i return. i hope that's ok. )

[ajread4]

No worries! Was just working on some other tasks and found something I needed to address here.

Didn't mean to come across as pressuring!