Repository to query live or offline Windows event logs and output Sigma rules. Since the script already parses the event log files, it can also display the results as a timeline instead.
Search script for easy Evtx lookup and SIGMA rule generation.
With this script you will be able to get information from evtx files. You can query a log for one or more EventIds. You can list all EventIds from a specific log. You can search for an EventId combined with a specific value of another field. You can generate a SIGMA rule from your search.
Switch to list all logs available on the system. Result: gives the RecordCount per LogName.
Gives the scope of the search. Must be a valid Logname. Defaults to the Security log.
None. You cannot pipe objects.
Screen output, or file output as JSON or as a SIGMA rule.
List all Logs with corresponding number of events.
EvtxFilter -ListLog
Get the EventId list from the events in the current Application log.
EvtxFilter -LogSearch Application -ListEventId
Search the Security log and show all the events corresponding to the selected EventId.
EvtxFilter -LogSearch 'Security' -EventId 4627
Search the Security log and show all the events corresponding to the selected EventId that also match a specific Field and FieldValue.
EvtxFilter -LogSearch 'Security' -EventId 4627 -Field 'LogonType' -FieldValue 2
Search the Security log and show only one event corresponding to the selected EventId.
EvtxFilter -LogSearch 'Security' -EventId 4624 -OnlyOne
Search the Security log for an event corresponding to the selected EventId and show only one event, as a SIGMA rule.
EvtxFilter -LogSearch 'Security' -EventId 4624 -OnlyOne -ConvertToSigma
Search the Security log for an event corresponding to the selected EventId and output only one event as a SIGMA rule written to the OutDir ./results/.
EvtxFilter -LogSearch 'Security' -EventId 4624 -OnlyOne -ConvertToSigma -OutDir ./results/
Search the Security log for all events corresponding to the selected EventId and output all of them as SIGMA rules written to the OutDir ./results/.
EvtxFilter -LogSearch 'Security' -EventId 4624 -ConvertToSigma -OutDir ./results/
Search the Microsoft-Windows-Sysmon/Operational log for all events within the last 30 minutes (TimeFrame).
EvtxFilter -LogSearch "Microsoft-Windows-Sysmon/Operational" -TimeFrame 30m
Examples of possible TimeFrame values: 15s / 30m / 12h / 7d / 3M
Search the Microsoft-Windows-Sysmon/Operational log for all events within the specified Period, between the -Begin datetime and the -End datetime.
EvtxFilter -LogSearch "Microsoft-Windows-Sysmon/Operational" -Period -Begin "2021-12-20T10:00:00.000" -End "2021-12-20T11:00:00.000"
Search the Microsoft-Windows-Sysmon/Operational log for all events within the last hour and output them on screen as a timeline.
EvtxFilter -LogSearch "Microsoft-Windows-Sysmon/Operational" -TimeFrame 1h -ConvertToTimeLine
Search the Microsoft-Windows-Sysmon/Operational log for all events and output the timeline in a GridView.
EvtxFilter -LogSearch "Microsoft-Windows-Sysmon/Operational" -ConvertToTimeLine | Out-GridView
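The -ConvertToSigma examples above turn a matched event into a rule. The following added example (not Evtx2Sigma's own code) shows the core of that transformation stand-alone: it takes one event's XML, keeps the EventID and the stable EventData fields, and emits a minimal Sigma rule. The event XML, the field ignore list and the channel-to-service map are assumptions made for this example.

```powershell
# Added example, not Evtx2Sigma's own code: build a minimal Sigma rule from one Windows
# event's XML, the kind of transformation behind the -ConvertToSigma switch. The event
# below is constructed; on a live host use (Get-WinEvent -LogName Security -MaxEvents 1).ToXml().
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
'@

function ConvertTo-SigmaRule {
    param(
        [Parameter(Mandatory)][string]$EventXml,
        # Volatile fields make brittle rules; this (assumed) list drops them from the selection.
        [string[]]$IgnoreFields = @('IpAddress','ProcessId','SubjectLogonId','TargetLogonId')
    )
    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $eventId = [int]$xml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    $channel = $xml.SelectSingleNode('/e:Event/e:System/e:Channel', $ns).InnerText

    # Sigma logsource service names for the two channels this README uses; others fall back to lowercase.
    $serviceMap = @{ 'Security' = 'security'; 'Microsoft-Windows-Sysmon/Operational' = 'sysmon' }
    $service = if ($serviceMap.ContainsKey($channel)) { $serviceMap[$channel] } else { $channel.ToLower() }

    $selection = [ordered]@{ EventID = $eventId }
    foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $name = $d.GetAttribute('Name')
        if ($IgnoreFields -notcontains $name) { $selection[$name] = $d.InnerText }
    }

    $lines = @("title: Event $eventId from $channel", "id: $([guid]::NewGuid())",
               'status: experimental', 'logsource:', '  product: windows', "  service: $service",
               'detection:', '  selection:')
    foreach ($k in $selection.Keys) { $lines += "    ${k}: '$($selection[$k])'" }
    $lines += '  condition: selection', 'level: medium'
    return ($lines -join "`n")
}

ConvertTo-SigmaRule -EventXml $SampleEventXml
```

The generated rule matches on EventID, TargetUserName and LogonType only; review the selection before using it, since a rule built from one event is a starting point, not a tuned detection.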
Online version: https://www.github.com/croko-fr/Evtx2Sigma
- Find a way to handle options better
- Split the project into multiple ones?
- Add security log results in TimeLine class format
- Add more logs for Timeline
- Add more EventIDs for Security logs => most of them are already here
- Find a way to speed up the requests => PowerShell 7 with ForEach optimisation
- Fix Search with Evtx files input
- Rewrite all searches with XPath (faster)
- Write all examples
- Florian Roth and Thomas Patzke: for this awesome project --> SIGMA