Speed up EVTX Parsing #42
Comments
|
@yampelo let me know if you need a hand with this :) |
|
@omerbenamram It's mainly a question of do i change the output of your tool to match what i was working off of before, or do i change all the functions to match the output of your tool. For example: proc = SysMonProc(
host=event["Computer"],
user=event["EventData_User"],
process_guid=event["EventData_ProcessGuid"],
process_id=int(event["EventData_ProcessId"]),
process_image=process_image,
process_image_path=process_path,
)
proc_file = proc.get_file_node()
proc_file.file_of[proc]
dest_addr = IPAddress(ip_address=event["EventData_DestinationIp"])
proc.connected_to[dest_addr].append(
timestamp=event["EventData_UtcTime"],
port=event["EventData_DestinationPort"],
protocol=event["EventData_Protocol"],
)
if event.get("EventData_DestinationHostname"):
hostname = Domain(event["EventData_DestinationHostname"])
hostname.resolves_to[dest_addr].append(timestamp=event["EventData_UtcTime"])
return (proc, proc_file, dest_addr, hostname)
return (proc, proc_file, dest_addr)Works off of this: |
|
@yampelo The nice thing is that my package already produces valid JSON in rust, so most of the code that is currently here https://github.com/yampelo/beagle/blob/master/beagle/datasources/win_evtx.py#L78 will go away (replaced with As for these snippets - to be compatible with my output, it's merely changing You could use a snippet that flattens the data (eg https://stackoverflow.com/questions/6027558/flatten-nested-dictionaries-compressing-keys) to basically make this drop in. So it's really up to you :) But if I could help in any ways id be willing to see this go through, you'd be very surprised with the performance difference if you haven't tried this already. |
Move over to https://github.com/omerbenamram/pyevtx-rs
The text was updated successfully, but these errors were encountered: