EVTX

Overview

This Adapter allows you to ingest and convert a .evtx file into LimaCharlie. The .evtx files are the binary format used by Microsoft for Windows Event Logs. This is useful to ingest historical Windows Event Logs, for example during an Incident Response (IR) engagement.

For real-time collection of Windows Event Logs, see the Windows Event Logs documentation.

Configurations

Adapter Type: evtx

• client_options: common configuration for adapter as defined here.

• file_path: path to the .evtx file to ingest.

Infrastructure as Code Deployment

# EVTX Specific Docs: https://docs.limacharlie.io/docs/adapter-types-evtx

sensor_type: "file"
evtx:
  write_timeout_sec: 10 # (optional) Timeout in seconds for writing data. e.g., 10 or null.
  file_path: "/mnt/forensic_exports/evtx_logs/System.evtx" # (required) Path to the EVTX file or a directory containing EVTX files.
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
      installation_key: "YOUR_LC_INSTALLATION_KEY_EVTX" # (required) Installation key associated with the OID.
    # Hostname representing the source of the EVTX files or the analysis machine.
    hostname: "forensic-analysis-vm.internal" # (required)
    # Platform can be used to signify the origin of the EVTX data.
    platform: "windows_evtx_import" # (required) A platform name indicating EVTX data source.
    architecture: null # (optional) Not directly relevant for file import unless specifying original system arch.
    mapping:
      # EVTX files are binary structured; the adapter parses them into JSON. parsing_re is null.
      parsing_re: null
      # (optional) LimaCharlie typically creates a unique ID like 'winlog.event_id_record_id_pair'.
      sensor_key_path: "winlog.event_id_record_id_pair"
      # (optional) Can extract original computer name from EVTX record if desired, otherwise uses client_options.hostname.
      sensor_hostname_path: "winlog.computer_name"
      # (optional) Example: "EVTX_SECURITY_4624", "EVTX_SYSTEM_7045".
      event_type_path: "EVTX_{{ .winlog.channel | token | upper }}_{{ .winlog.event_id }}"
      # (optional) LimaCharlie standard field for EVTX event timestamp.
      event_time_path: "winlog.timestamp"
      # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
      investigation_id_path: "winlog.event_data.RelatedActivityID" # Example for some event types.
      # (optional) Use +/- syntax for transforms.
      transform:
        "+data_source_description": "Imported_Windows_EVTX_File"
        "+evtx_original_computer_name": "{{ .winlog.computer_name }}"
        "+evtx_provider_name": "{{ .winlog.provider_name }}"
        "-winlog.original_xml_payload": null # If the full XML is too verbose after JSON conversion.
      # (optional) A list of field paths to drop.
      drop_fields:
      - "winlog.keywords_displaynames" # Can be verbose
      - "winlog.user_data_raw"
      # (optional) JSON path to a field containing a Windows SID to replicate to other SID fields in LimaCharlie.
      sid_replication_path: "winlog.event_data.TargetUserSid" # Common for many security events.
    # mappings: null
    indexing:
      enabled: true
      # Example: index by original EVTX channel and org
      default_index: "evtx-{{ .winlog.channel | lower | default \"data\" }}-{{ .identity.oid | substr 0 8 }}"
    is_compressed: false # (optional) The adapter reads EVTX files directly; they are binary, not typically gzipped in a way this adapter would decompress.
    sensor_seed_key: "SEED_KEY_EVTX_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.

API Doc

See the unofficial documentation on EVTX.