
Ingest XML events #52

Closed
Blaapje opened this issue Feb 16, 2023 · 8 comments

Comments

@Blaapje

Blaapje commented Feb 16, 2023

How much work would it take to ingest xml data rather than evtx files?

The XML data is generated by: https://github.com/williballenthin/EVTXtract. The tool recovers (partial) XML records from corrupted partitions.

Could you indicate if this is feasible and give some pointers towards ingesting xml data? I'd be happy to submit a PR if I get this to work.

@wagga40
Owner

wagga40 commented Feb 16, 2023

As a quick response I can say that Zircolite already handles XML formatted logs because it is the native format of sysmon for linux logs (--sysmon4linux).
I haven’t tested with logs coming from EVTXtract.

@wagga40
Owner

wagga40 commented Feb 16, 2023

Ok, forget what I said. I took a look at the output of EVTXtract and it is a little bit more difficult than that...

@Blaapje
Author

Blaapje commented Feb 16, 2023

It's rather interesting that EVTXtract and evtx_dump are both maintained by @williballenthin. I will see if I can get this working.

Edit: I don't know how I came to this conclusion but this is obviously not the case.

@wagga40
Owner

wagga40 commented Feb 16, 2023

In Zircolite everything (EVTX, Auditd, Sysmon For Linux) is converted to JSON lines format.
These operations are handled by the evtxExtractor class. For each log file the Logs2JSON function is called for each line in the log file to convert it to JSON.

Since the XML output of EVTXtract is not in the "1 event per line" format, the first thing is to handle this. The easiest way to do it would be to modify EVTXtract (check here) (but I guess that's not what you want to do) and use XML to JSON conversion logic like the one used here.

If you have samples I can help...
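To make the "1 event per line" point concrete, here is an added example (not Zircolite's own code, and not EVTXtract's real output layout, which is assumed here): recovered events are taken to arrive wrapped in lowercase `<event>` tags spread over several lines, so the script splits them out, drops truncated records that do not parse, flattens the Windows `<Event>` body into a dict, and emits one JSON object per line.

```python
import json
import re
import xml.etree.ElementTree as ET
# Constructed sample (not real EVTXtract output): two recovered events wrapped in
# lowercase <event> tags, the second one truncated, plus a <record> with no event body.
SAMPLE = """<event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
<Computer>host01</Computer></System>
<EventData><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami</Data></EventData>
</Event>
</event>
<record>offset 4096: header recovered, no event body</record>
<event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><Computer>host02
</event>
"""

EVENT_RE = re.compile(r"<event>(.*?)</event>", re.DOTALL)  # multi-line, non-greedy

def event_to_dict(xml_text):
    """Flatten one Windows <Event> body; return None if the XML is truncated/malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None  # partial record: skip it instead of aborting the whole file
    out = {}
    system = root.find("{*}System")  # {*} = any namespace (Python 3.8+)
    if system is not None:
        for child in system:
            name = child.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
            for attr, value in child.attrib.items():
                out[f"{name}_{attr}"] = value  # e.g. Provider_Name
            if child.text and child.text.strip():
                out[name] = child.text.strip()  # e.g. EventID, Computer
    for data in root.iterfind("{*}EventData/{*}Data"):
        out[data.get("Name", "Data")] = data.text or ""
    return out

def to_records(blob):
    """Split a multi-line dump into one dict per parseable <event>."""
    records = (event_to_dict(m.group(1).strip()) for m in EVENT_RE.finditer(blob))
    return [r for r in records if r]

def to_jsonl(blob):
    """JSON-lines text: the '1 event per line' shape the converter expects."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in to_records(blob))
```

Run against the sample, only the first event survives; the truncated one is dropped silently, so in practice count the skipped records and report them, since a high skip rate on a recovered partition means evidence is missing from the Sigma run.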

@Blaapje
Author

Blaapje commented Feb 16, 2023

I've made a small sample available here: https://gist.github.com/Blaapje/23e378748db737960a90c723c2dc8676

@wagga40
Owner

wagga40 commented Feb 17, 2023

Thanks, I will try this weekend.

@wagga40
Owner

wagga40 commented Feb 20, 2023

Hi @Blaapje, worked on it! I currently only handle events beginning with <event> and not the other ones (i.e. <record>) since they don't contain the fields that allow Sigma to be applied to them. I will push something today.

@wagga40
Owner

wagga40 commented Feb 20, 2023

You can try with this branch: https://github.com/wagga40/Zircolite/tree/evtxtract.
Please provide some feedback.

@wagga40 wagga40 closed this as completed Mar 4, 2023