- examples/inputs/evtx-samples/event_logs.txt
- examples/inputs/evtx-samples/sample_security.evtx
# Windows Event Log Parsing Example
# This example demonstrates parsing real Windows Event Log (.evtx) files.
# The sample_security.evtx file contains a minimal valid EVTX structure.
# Pass the --parse-evtx CLI flag so the event log files are parsed.
# Root-table keys for this example: the scan tag, and the decode list, which is
# intentionally left empty here (no decode step is configured for these inputs).
tag = 'evtx'
decode = []
# Windows Security event IDs, matched as plain strings. A bare value such as
# '4624' is presumably a substring match, so the same digits inside a PID,
# timestamp or longer ID will also hit; treat matches as leads to review, not
# as confirmed events of that ID.
[[patterns]]
type = 'string'
name = 'Logon Event 4624'
pattern = '4624'

[[patterns]]
type = 'string'
name = 'Failed Logon 4625'
pattern = '4625'

[[patterns]]
type = 'string'
name = 'Account Lockout 4740'
pattern = '4740'

[[patterns]]
type = 'string'
name = 'New Process 4688'
pattern = '4688'

[[patterns]]
type = 'string'
name = 'Scheduled Task 4698'
pattern = '4698'
# PowerShell logging indicators.
[[patterns]]
type = 'string'
name = 'PowerShell Event'
# Provider name; case-insensitive so differing casing in rendered text still hits.
pattern = 'Microsoft-Windows-PowerShell'
case-insensitive = true

[[patterns]]
type = 'string'
name = 'Script Block'
# Field name used by PowerShell script block logging; matched case-sensitively.
pattern = 'ScriptBlockText'
# Command-line indicators found inside event text. Both are case-insensitive
# regexes because PowerShell switch and cmdlet names are not case-sensitive.
[[patterns]]
type = 'regex'
case-insensitive = true
name = 'Encoded Command'
# Longer alternative first: with leftmost-first alternation the full switch
# name is what gets reported, while '-enc' still catches the abbreviated form.
# '-enc' is a prefix match, so it also hits unrelated switches such as
# -Encoding; review hits rather than alerting on them blindly.
pattern = '-encodedcommand|-enc'

[[patterns]]
type = 'regex'
case-insensitive = true
name = 'Download Cradle'
# Common remote-fetch tokens; 'IEX' is short and unanchored, so expect some noise.
pattern = 'DownloadString|Invoke-WebRequest|IEX'
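# Sysmon events. The earlier form `EventID.*1.*ProcessCreate` allowed any text
# between "EventID" and the digit, so EventID 10, 11, 12, 13, 21 ... also
# matched. `[^0-9]*1[^0-9]` requires the first digit after "EventID" to be
# exactly 1 (or 3 below) and to be followed by a non-digit, which rules out
# multi-digit IDs. Literal strings keep the regex free of TOML escaping.
# Assumes the value directly follows the tag name, as in Sysmon's
# <EventID>1</EventID>, and that the rendered text contains the literal token
# ProcessCreate / NetworkConnect — verify against the parser's output.
[[patterns]]
name = 'Process Create (Sysmon 1)'
pattern = 'EventID[^0-9]*1[^0-9].*ProcessCreate'
type = 'regex'

[[patterns]]
name = 'Network Connection (Sysmon 3)'
pattern = 'EventID[^0-9]*3[^0-9].*NetworkConnect'
type = 'regex'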
# EVTX file signature: the bytes 45 6C 66 46 69 6C 65 spell "ElfFile". A hit at
# offset 0 identifies the file as an EVTX container; it says nothing about the
# events stored inside it.
[[patterns]]
type = 'bytes'
name = 'EVTX Header'
pattern = '45:6C:66:46:69:6C:65'
| total_files | 2 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 1 |
| minimal_count | 1 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2025-12-03T09:19:44.307018600+00:00 |
| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
| 0 | EventLog | 35 | False | /sample_security.evtx | 5 | 1 | 0 | ["High-value artifact type: Event Log", "1 suspicious patterns detected"] | Low | 40 | 81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136 |
| 0 | Other | 0 | False | /event_logs.txt | 15 | 11 | 11 | ["11 suspicious patterns detected"] | Minimal | 26 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b |
Empty CSV
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
| /event_logs.txt | event_logs.txt | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | 2025-12-03T08:56:20.495889189Z | 2025-12-03T08:56:20.495889189Z | 2025-12-03T09:19:34.645985218Z | ["text/plain"] | 0 | 0 | 0 | 0 | |
| /sample_security.evtx | sample_security.evtx | 81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136 | 2025-12-03T09:16:08.041585051Z | 2025-12-03T09:16:08.041585051Z | 2025-12-03T09:19:34.644985217Z | [] | 0 | 0 | 0 | 0 | |
| id | sha256 | pattern_name | match_type | match | location | length |
| 1 | 81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136 | EVTX Header | bytes | ElfFile | 0 | 7 |
| 2 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Encoded Command | regex | -encodedcommand | 46:17 | 15 |
| 3 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Download Cradle | regex | Invoke-WebRequest | 45:2 | 17 |
| 4 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Download Cradle | regex | IEX | 45:57 | 3 |
| 5 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Logon Event 4624 | string | 4624 | 5:10 | 4 |
| 6 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Failed Logon 4625 | string | 4625 | 12:10 | 4 |
| 7 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Failed Logon 4625 | string | 4625 | 19:10 | 4 |
| 8 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Account Lockout 4740 | string | 4740 | 25:10 | 4 |
| 9 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | New Process 4688 | string | 4688 | 30:10 | 4 |
| 10 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Scheduled Task 4698 | string | 4698 | 36:10 | 4 |
| 11 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | Script Block | string | ScriptBlockText | 43:1 | 15 |
| 12 | 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | PowerShell Event | string | Microsoft-Windows-PowerShell | 42:9 | 28 |
Empty CSV
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
| 95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b | 1525a63af21b321526717c020ea814cad7afbe04 | f17445a5491a3e777d7bc9ce1d80c644 | 1334 | text/plain | 5.34833938232107 |
| 81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136 | c59f06b8df6ff692114b8b80a1a0164e7ee3dc9e | b37b49735487f1ecfb9713839aeaf903 | 69632 | application/octet-stream | 0.0063210226671861 |