EventID qualifiers are throwing off ID inclusion/exclusion
mark-hallman opened this issue · 4 comments
In the process of creating EvtxECmd maps I found this:
<EventID Qualifiers="32768">4105</EventID>
when I searched for 4105. I normally search for <EventID>4105</EventID>. EvtxECmd does not see this string as event ID 4105. I used --inc 4105 in the CLI.
Is this expected behavior?
Logging this without the example files just so it does not slip through the cracks. I will get you a sample file(s).
-Mark
What log is this from? Like, romanoff, security, or ?
I'll try to track it down, but if you have a sample file, perfect.
Hmm, in romanoff new data, application log, you see things like this:
Without --exc, I get Records included: 20,134, including 17,506 1001 event IDs.
If I do --exc 1001, I get back Records included: 2,628 Errors: 0 Events dropped: 17,506
--inc 1001 works the same:
Records included: 17,506 Errors: 0 Events dropped: 2,628
Metrics (including dropped events)
Event Id Count
1001 17,506
This is with v0.5.0.0, so please verify your version and let me know how to reproduce this.
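To make the behaviour under discussion concrete, here is a small added example (not EvtxECmd's own code, and not posted by either participant) that extracts the numeric EventID from EVTX-style XML whether or not the element carries a Qualifiers attribute, then applies --inc / --exc style filtering and produces a per-ID count in the spirit of the Metrics block above. It goes one step beyond the thread by also reconstructing the legacy 32-bit event ID, in which the Qualifiers value occupies the high 16 bits; the sample records are constructed for illustration and are not real log entries.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample records in the shape of EVTX System elements (not real log data).
# Two 4105 events, one with Qualifiers and one without, plus 1001 and 7036 events.
SAMPLE_EVENTS = [
    '<Event><System><Provider Name="Microsoft-Windows-Security-SPP"/>'
    '<EventID Qualifiers="32768">4105</EventID></System></Event>',
    '<Event><System><Provider Name="Microsoft-Windows-Security-SPP"/>'
    '<EventID>4105</EventID></System></Event>',
    '<Event><System><Provider Name="Windows Error Reporting"/>'
    '<EventID Qualifiers="0">1001</EventID></System></Event>',
    '<Event><System><Provider Name="Windows Error Reporting"/>'
    '<EventID Qualifiers="16384">1001</EventID></System></Event>',
    '<Event><System><Provider Name="Service Control Manager"/>'
    '<EventID Qualifiers="16384">7036</EventID></System></Event>',
]


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as {http://...}EventID -> EventID."""
    return tag.rsplit("}", 1)[-1]


def event_id(xml_text: str) -> tuple[int, int]:
    """Return (event_id, qualifiers) for one event record.

    The numeric ID is the element text; the Qualifiers attribute is optional and
    defaults to 0. Filtering on the ID therefore works the same way whether the
    attribute is present or not, which is the behaviour the thread confirms.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) == "EventID":
            qualifiers = int(elem.get("Qualifiers", "0"))
            return int((elem.text or "").strip()), qualifiers
    raise ValueError("record has no EventID element")


def legacy_event_id(eid: int, qualifiers: int) -> int:
    """Rebuild the legacy 32-bit event ID: Qualifiers in the high word, ID in the low word."""
    return (qualifiers << 16) | (eid & 0xFFFF)


def filter_events(events, include=None, exclude=None):
    """Apply --inc / --exc style filtering; returns (included, dropped) record lists."""
    included, dropped = [], []
    for record in events:
        eid, _ = event_id(record)
        if include is not None and eid not in include:
            dropped.append(record)
        elif exclude is not None and eid in exclude:
            dropped.append(record)
        else:
            included.append(record)
    return included, dropped


def metrics(events) -> Counter:
    """Per-event-ID counts across all records, including ones a filter would drop."""
    return Counter(event_id(record)[0] for record in events)


if __name__ == "__main__":
    inc, drop = filter_events(SAMPLE_EVENTS, include={4105})
    print(f"--inc 4105: included {len(inc)}, dropped {len(drop)}")
    for eid, count in sorted(metrics(SAMPLE_EVENTS).items()):
        print(f"Event Id {eid}: {count}")
```

Running the script reports both 4105 records as included for --inc 4105, regardless of the Qualifiers attribute, which is the result Eric describes for 1001 above.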
Eric,
I have just run through these tests again. I must have been mistaken about the --inc not finding the event ID when the <EventID Qualifiers= string precedes the actual event ID.
Here are the event log samples of what I was looking at in case you want to take a look yourself. You may not have these evtx's.
The condition I thought I was seeing was found in two event logs from the SRL data (base-wkstn-05-triage, base-wkstn-06-triage). base-wkstn-05-triage has several instances of the string. They are all entries in the Application.evtx.
Here is a link to the following:
- The two Application.evtx logs that have the condition (base-wkstn-05-triage, base-wkstn-06-triage)
- The xml created by evtxecmd that I was using to create the maps.
-Mark
files_for_evtxecmd.7z
Password: sent via Slack
https://sansorg.egnyte.com/dl/wkNFrYlYCr
Closing issue. I cannot reproduce.