No header output when evtx files are in LogDirectory in EventIDStatistics mode #55

Closed
hitenkoku opened this issue Sep 30, 2021 · 2 comments
Labels: invalid (This doesn't seem right), priority:low

Comments

@hitenkoku
Collaborator

When multiple evtx files are loaded via LogDirectory, the EventIDStatistics display loses the custom object header and the output is truncated.

PS > .\WELA.ps1 -LogDirectory ..\DeepBlueCLI\evtx\ -UseDetectRules 0 -EventIDStatistics
██╗    ██╗███████╗██╗      █████╗
██║    ██║██╔════╝██║     ██╔══██╗
██║ █╗ ██║█████╗  ██║     ███████║
██║███╗██║██╔══╝  ██║     ██╔══██║
╚███╔███╔╝███████╗███████╗██║  ██║
 ╚══╝╚══╝ ╚══════╝╚══════╝╚═╝  ╚═╝
New Era of Windows Event Log Analyzer!
                              by Yamato Security

イベントIDを集計します。
少々お待ちください。

ファイル名 = \DeepBlueCLI\evtx\many-events-application.evtx
注意:Get-WinEventでエラーが発生しました。エラーが発生したイベントレコードは読み込まれません。
イベントの合計: 2216
ファイルサイズ: 2.07 MB
最初のイベント: 2013-10-24 01:16:29.00
最後のイベント: 2016-09-20 22:15:31.00

処理時間:0時0分5秒
154 (6.9%) 1001  不明
136 (6.1%) 1000  不明
126 (5.7%) 1004  不明
94 (4.2%)  1003  不明
66 (3%)    10001 不明
66 (3%)    10000 不明
60 (2.7%)  1002  不明
52 (2.3%)  1130  不明
52 (2.3%)  1042  不明
52 (2.3%)  1040  不明
49 (2.2%)  1066  不明
49 (2.2%)  900   不明
49 (2.2%)  902   不明
44 (2%)    1035  不明
43 (1.9%)  11728 不明
43 (1.9%)  1036  不明
42 (1.9%)  1022  不明
39 (1.8%)  301   不明
38 (1.7%)  5615  不明
38 (1.7%)  1531  不明
38 (1.7%)  4625  ログ...  Yes
38 (1.7%)  5617  不明
37 (1.7%)  1532  不明
37 (1.7%)  8224  不明
36 (1.6%)  102   不明
35 (1.6%)  1033  不明
34 (1.5%)  9009  不明
32 (1.4%)  1     不明
31 (1.4%)  302   不明
31 (1.4%)  300   不明
28 (1.3%)  8219  不明
26 (1.2%)  4097  不明
24 (1.1%)  4101  不明
22 (1%)    1101  監査...
22 (1%)    6000  不明
20 (0.9%)  9004  不明
17 (0.8%)  1037  不明
16 (0.7%)  903   不明
16 (0.7%)  16384 不明
15 (0.7%)  4202  不明
15 (0.7%)  50    不明
14 (0.6%)  1107  イベ...
14 (0.6%)  105   不明
14 (0.6%)  781   不明
13 (0.6%)  260   不明
13 (0.6%)  271   不明
13 (0.6%)  100   不明
13 (0.6%)  272   不明
13 (0.6%)  1025  不明
13 (0.6%)  258   不明
13 (0.6%)  108   不明
12 (0.5%)  4105  不明
12 (0.5%)  1530  不明
11 (0.5%)  8194  不明
11 (0.5%)  4104  不明
10 (0.5%)  10005 不明
10 (0.5%)  10010 不明
9 (0.4%)   4100  不明
8 (0.4%)   11707 不明
8 (0.4%)   9016  不明
7 (0.3%)   270   不明
7 (0.3%)   280   不明
6 (0.3%)   1019  不明
6 (0.3%)   1020  不明
6 (0.3%)   4121  不明
6 (0.3%)   4109  不明
6 (0.3%)   1017  不明
5 (0.2%)   0     不明
5 (0.2%)   1038  不明
4 (0.2%)   8212  不明
4 (0.2%)   6004  不明
4 (0.2%)   1005  不明
4 (0.2%)   4111  不明
3 (0.1%)   609   不明
3 (0.1%)   4112  不明
3 (0.1%)   1010  不明
3 (0.1%)   1008  不明
3 (0.1%)   1029  不明
3 (0.1%)   612   不明
2 (0.1%)   1034  不明
2 (0.1%)   8220  不明
2 (0.1%)   11708 不明
2 (0.1%)   4004  不明
2 (0.1%)   103   不明
2 (0.1%)   101   不明
1 (0%)     11729 不明
1 (0%)     4108  不明
1 (0%)     12305 不明
1 (0%)     6003  不明
1 (0%)     15    不明
1 (0%)     18    不明
1 (0%)     11    不明
1 (0%)     1009  不明
1 (0%)     225   不明
1 (0%)     13    不明
1 (0%)     10024 不明
1 (0%)     10002 不明
1 (0%)     12306 不明
1 (0%)     1007  不明
1 (0%)     10    不明
1 (0%)     33    不明
1 (0%)     1016  不明
1 (0%)     1013  不明
1 (0%)     213   不明
1 (0%)     2     不明
1 (0%)     223   不明
1 (0%)     8196  不明
1 (0%)     221   不明
1 (0%)     9007  不明
1 (0%)     12304 不明
1 (0%)     210   不明
1 (0%)     9003  不明
1 (0%)     8195  不明
1 (0%)     220   不明
1 (0%)     1011  不明
@hitenkoku
Collaborator Author

hitenkoku commented Sep 30, 2021

Fixed in ced41b5.

Confirmed that the output is now printed in table format, as shown below.

PS > .\WELA.ps1 -LogDirectory ..\DeepBlueCLI\evtx\ -UseDetectRules 0 -EventIDStatistics
██╗    ██╗███████╗██╗      █████╗
██║    ██║██╔════╝██║     ██╔══██╗
██║ █╗ ██║█████╗  ██║     ███████║
██║███╗██║██╔══╝  ██║     ██╔══██║
╚███╔███╔╝███████╗███████╗██║  ██║
 ╚══╝╚══╝ ╚══════╝╚══════╝╚═╝  ╚═╝
New Era of Windows Event Log Analyzer!
                              by Yamato Security

イベントIDを集計します。
少々お待ちください。

(...)

ファイル名 = \DeepBlueCLI\evtx\eventlog-dac.evtx
注意:Get-WinEventでエラーが発生しました。エラーが発生したイベントレコードは読み込まれません。
イベントの合計: 19
ファイルサイズ: 68.00 kB
最初のイベント: 2020-09-14 23:44:04.87
最後のイベント: 2020-09-14 23:50:55.90

処理時間:0時0分1秒

カウント   ID   イベント                                           タイムライン出力
--------   --   --------                                           ----------------
14 (73.7%) 4673 不明
3 (15.8%)  4674 不明
1 (5.3%)   1102 イベントログがクリアされた                         Yes
1 (5.3%)   4798 ユーザーのローカルグループメンバシップが列挙された



イベントIDを集計します。
少々お待ちください。

ファイル名 = \DeepBlueCLI\evtx\many-events-application.evtx
注意:Get-WinEventでエラーが発生しました。エラーが発生したイベントレコードは読み込まれません。
イベントの合計: 2216
ファイルサイズ: 2.07 MB
最初のイベント: 2013-10-24 01:16:29.00
最後のイベント: 2016-09-20 22:15:31.00

処理時間:0時0分4秒

カウント   ID    イベント                                       タイムライン出力
--------   --    --------                                       ----------------
154 (6.9%) 1001  不明
136 (6.1%) 1000  不明
126 (5.7%) 1004  不明
94 (4.2%)  1003  不明
(...)
1 (0%)     8195  不明
1 (0%)     220   不明
1 (0%)     1011  不明
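The header loss reported above and the per-file table output confirmed in the fix, as an added example that is not WELA's own code. It assumes constructed sample events in place of Get-WinEvent and a stand-in event-name lookup table; the `-UseDetectRules` and banner logic of WELA.ps1 are left out.

```powershell
# Added example, not WELA's own code. It reproduces a per-file EventIDStatistics
# table, shows why emitting custom objects from a loop can lose the header, and
# one way to force a header per file. Sample events are constructed inline; the
# event-name table below is an assumption standing in for WELA's own lookup.

# Constructed stand-in for the event ID -> (description, timeline flag) lookup.
$EventInfo = @{
    4625 = @{ Name = 'Logon failure';                                Timeline = 'Yes' }
    1102 = @{ Name = 'Event log was cleared';                        Timeline = 'Yes' }
    4798 = @{ Name = "User's local group membership was enumerated"; Timeline = '' }
}

function New-SampleEvents {
    # Constructed input: one object per event, carrying only the Id field used here.
    param([hashtable]$Counts)   # Id -> number of events with that Id
    foreach ($id in $Counts.Keys) {
        $n = $Counts[$id]
        1..$n | ForEach-Object { [PSCustomObject]@{ Id = [int]$id } }
    }
}

function Get-EventIdStatistics {
    # Count events per Id, most frequent first, as the rows of one file's table.
    param([Parameter(Mandatory)][object[]]$Events)
    $total = $Events.Count
    $Events | Group-Object -Property Id | Sort-Object -Property Count -Descending | ForEach-Object {
        $id   = [int]$_.Name
        $info = $EventInfo[$id]
        $pct  = [math]::Round(100 * $_.Count / $total, 1)
        $name = if ($info) { $info.Name } else { 'Unknown' }
        $tl   = if ($info) { $info.Timeline } else { '' }
        [PSCustomObject]@{
            Count             = "$($_.Count) ($pct%)"
            ID                = $id
            Event             = $name
            'Timeline Output' = $tl
        }
    }
}

# Problem pattern: Write-Host goes straight to the console, while objects dropped
# on the pipeline are rendered by the default formatter, which fixes the columns
# and widths from the first object it sees and prints one header for the whole
# run of same-shaped objects. Across several files the later tables show up
# without a header and with truncated ("...") cells, matching this issue.
function Show-StatisticsBroken {
    param([System.Collections.IDictionary]$FilesToEvents)
    foreach ($file in $FilesToEvents.Keys) {
        Write-Host "File name = $file"
        Get-EventIdStatistics -Events $FilesToEvents[$file]
    }
}

# Fixed pattern: render each file's rows explicitly with Format-Table so every
# file gets its own header and auto-sized columns, then write the rendered text
# through the same host stream as the banner lines so ordering is preserved.
function Show-StatisticsFixed {
    param([System.Collections.IDictionary]$FilesToEvents)
    foreach ($file in $FilesToEvents.Keys) {
        Write-Host "File name = $file"
        Write-Host "Total events: $($FilesToEvents[$file].Count)"
        Get-EventIdStatistics -Events $FilesToEvents[$file] |
            Format-Table -AutoSize | Out-String -Width 160 | Write-Host
    }
}

# Constructed sample: two files with counts like those in the second run above.
$sampleFiles = [ordered]@{
    'eventlog-dac.evtx'            = @(New-SampleEvents @{ 4673 = 14; 4674 = 3; 1102 = 1; 4798 = 1 })
    'many-events-application.evtx' = @(New-SampleEvents @{ 1001 = 154; 1000 = 136; 4625 = 38 })
}
Show-StatisticsFixed -FilesToEvents $sampleFiles
```

Swap `Show-StatisticsFixed` for `Show-StatisticsBroken` in the last line to see the second file's rows appear under the first file's header.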


hitenkoku added a commit that referenced this issue Nov 2, 2021
* create framework
separate util function #28

* create SIGMA Rule Read Framework #28

* create framework add ntlm logon sigma rule test
Fixes #28

* fix rule stack #28

* add detection call fix other script call #28

* erase duplicate process

* fix add-rule template & erase debug print #28

* add SIGMA Powershell Code(not adjust WELA)

* add SIGMA rule adjust WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* moved categorize folder

* adjust multi rule

* fix detected message

* checked powershell category rules #28

* fix error

* moved dir checked process creation category #28

* checked rules and adjust multi rules #28

* moved SIGMA rule to category directory #28

* fixed  lacked rule copy  #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed head comment out

* fixed head comment out

* fixed lacked if case

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* replace sigmac powershell convert result

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed sigmac translate error #28

* fix lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule#28

* fixed lacked copy rule #28

* unification detectedMessage variable expression

* unification detectedMessage variable expression

* change format to multi detect rules #28

* fixed syntax error #28

* add param and help #28

* erased duplicate file to not execute same detection check

* fix output detail to Rules/SIGMA #21 #28

* erase unnecessary liveanalysis parameter #28

* erase unnecessary liveanalysis param #28

* due to remove liveanalysis argument from add-rule

* added DeepBlueCLI Util Function #30

* add DeepBlueCLI Rule(4688-ProcessCreate) #30

* add DeepBlueCLI Rule(4672-AdminAccountAccessAllAlert)#30

* add DeepBlueCLI Rule(4720-ProcessCreate) #30

* add providername condition and fix error #30

* fix index to creator and fix func check-command argumentation #30

* fixed multi record process #30

* fixed adjust multi record #30

* fixed adjust multi record in 4688DeepblueRule #30

* add DeepBlueCLI RULE(4728_4732_4756) #30

* remove unnecessary foreach

* add DeepBlueCLI Rule(4625)

* rename 4625

* fixed lacked extension 4625

* erased unnecessary if

* add DeepBlueCLI Rule(4673 Security) #30

* add DeepBlueCLI Rule(4674 Security) #30

* add  4624 and 4628 password spray attack WELA Rule

* fix file name

* fix filename and event ID in passwordsprayattack

* adjust argument dateformat

* add DeepBlueCLI Rule(1102 Security) #30

* fix typo

* fixed where object search providername #30

* add DeepBlueCLI Rule(7045 System) and add argument in util.ps1 #30

* add DeepBlueCLI Rule(104 System) #30

* add DeepBlueCLI Rule(7030 System) #30

* add DeepBlueCLI Rule(7036 System) #30

* add DeepBlueCLI Rule(7040 System) #30

* add DeepBlueCLI Rule(2 Application) #30

* erase omission of copied data

* add DeepBlueCLI Rule(8003 Applocker) #30

* fix detected message

* add DeepBlueCLI Rule(8004 Applocker) #30

* add DeepBlueCLI Rule(4103 PowerShell) #30

* add DeepBlueCLI Rule(4104 PowerShell) #30

* filename changed and add DeepBlueCLI Rule(4104 PowerShell) #30

* add DeepBlueCLI Rule(7 Sysmon) #30

* change scope when execute rule #21 #28 #30

* fix syntax error #21 #28

* erased unnecessary module load #21 #28 #30

* remove duplicate process when resolve conflict merge main

merge log 17f4f13

* fix autoformatter change

* fix autoformat

* remove unnecessary global variable #28

* fix autoformatting

* add parameter to scriptblock

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix Wrong Filter WELA-Rules #30
change ProviderName to LogName

* fix single escape sequence

* fix single escape sequence in SIGMA:process_create/sysmon/wmi_event

* fix detect output format

* fix argumentation in detect function on Rules #21 #28 #30

* add contributors accounts

* fix UseDetectRule output color

* fix function call error

* add Get-WinEvent exception warning output #48

* fix if statement condition

* add DeepBlueCLI ResultObject and check-command function add servicecmd and obj #30

* erase test output

* fix error when SaveOutput is Null #49

* fix rulename and detected message in 7045-servicecreated

* comment out output executing rule name

* change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI) and SIGMA #28

WELA-Rule:All Completed
SIGMA :20 Completed

* change scope detectedMessage SIGMA and duplicate detectedMessage on SIGMA and WELA-Rule #21 #28 #30

WELA-Rule:All Completed
SIGMA: All Completed

* lacked DeepBlueCLI Result object #30

* add  recurse property to Logdirectory file search

* add regexes and whitelists and error fix on utils.ps1 #30

- add regexes and whitelist
- fix error check when commandline is null

* fix event variable is wrong #30

* erase debug output

* fix output format & add ruleName and detectedMessage multi detect pattern in rule #21 #28 #30

* fix error

- lacked variable call to set_item method
- lacked converting firstdetecttime to DateTime type

* fixed for loop

* Fixed saveoutput case  #49

* changed no output executerule case of UseDetectRules is 0 #28

* removed debug output

* changed no output executerule case of UseDetectRules is 0 #28

* fix LogonTimeline outputflag lacked initialize  in WELA #51

* fix cmdlet is not verb

* get rid of lint warn #37

* fix case of 0 divide in LogonTimeline #52

* output change no match logon record #53

- add output case of no match in get-winevent

- removed output logon output when LogonEvents count is 0

* output filename in EventIDStatistics mode #54

* removed duplicate filesize output #54

* fix output header evtx files in LogDirectory in EventIDStatistics mode #55

* changed Output Format on DeepBlueCLI Rule #30

* fixed powershell invoke deepbluecli rule logname wrong #30

* fixed lacked count on DeepblueCLI Rule(4625) #30

* erase debug output

* fixed error occurring module import error

* commented converted powershell

* fix rule import argument

* fixed rule singlequote error

* fix double quote lack error

* commented converted powershell

* fixed lacked get-winevent remove

* fixed lack of convert escape sequence in match

* fix result output write-host to write-output

* fix output rule import error to write-host

* fix lacked arg in write-output when output empty row

* adapt formatter

* Feature/add remote computer live analysis #31 (#56)

* Add_RDP_analysis_#14

* Add RemoteLiveAnalysis function

* Add remote machine analysis

* Add Help Messages

* Update subtitle

* Remove the process of checking the execution-policy.

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

* adapt formatter

* fix rule condition

change match to eq

* used  arraylist add method

* remove unnecessary process

* fixed check command return

* fixed error output condition case of logfile specified and not liveanalysis is false

* fixed detection process due sorted difference from DeepBlueCLI

* fixed lacked argument call check-command

* adapt formatter

* add DeepBlueCLI passspray detection logic

* fixed passwordguess detection logic #28

* moved show-contributors to utils.ps1

* default servicecd value set

* fixed lacked initialize

* fixed null result output

* fixed typo fixed

* AV to read SIGMA mimikatz Rule

* add IDs

* fixed mimikatz detection check script blocked by AMSI

* fixed  result is null exection case

* fixed not exist registry value error

* fixed read template ps1 file

* fixed process view #28

* fixed null check

* fixed match rule

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
@hitenkoku
Collaborator Author

Closing as resolved since the fix has been merged.

hitenkoku added a commit that referenced this issue Nov 3, 2021
* create framework
separate util function #28

* create SIGMA Rule Read Framework #28

* create framework add ntlm logon sigma rule test
Fixes #28

* fix rule stack #28

* add detection call fix other script call #28

* erase duplicate process

* fix add-rule template & erase debug print #28

* add SIGMA Powershell Code(not adjust WELA)

* add SIGMA rule adjust WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* moved categorize folder

* adjust multi rule

* fix detected message

* checked powershell category rules #28

* fix error

* moved dir checked process creation category #28

* checked rules and adjust multi rules #28

* moved SIGMA rule to category directory #28

* fixed  lacked rule copy  #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed head comment out

* fixed head comment out

* fixed lacked if case

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* replace sigmac powershell convert result

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed sigmac translate error #28

* fix lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule#28

* fixed lacked copy rule #28

* unification detectedMessage variable expression

* unification detectedMessage variable expression

* change format to multi detect rules #28

* fixed syntax error #28

* add param and help #28

* erased duplicate file to not execute same detection check

* fix output detail to Rules/SIGMA #21 #28

* erase unnecessary liveanalysis parameter #28

* erase unnecessary liveanalysis param #28

* due to remove liveanalysis argument from add-rule

* added DeepBlueCLI Util Function #30

* add DeepBlueCLI Rule(4688-ProcessCreate) #30

* add DeepBlueCLI Rule(4672-AdminAccountAccessAllAlert)#30

* add DeepBlueCLI Rule(4720-ProcessCreate) #30

* add providername condition and fix error #30

* fix index to creator and fix func check-command argumentation #30

* fixed multi record process #30

* fixed adjust multi record #30

* fixed adjust multi record in 4688DeepblueRule #30

* add DeepBlueCLI RULE(4728_4732_4756) #30

* remove unnecessary foreach

* add DeepBlueCLI Rule(4625)

* rename 4625

* fixed lacked extension 4625

* erased unnecessary if

* add DeepBlueCLI Rule(4673 Security) #30

* add DeepBlueCLI Rule(4674 Security) #30

* add  4624 and 4628 password spray attack WELA Rule

* fix file name

* fix filename and event ID in passwordsprayattack

* adjust argument dateformat

* add DeepBlueCLI Rule(1102 Security) #30

* fix typo

* fixed where object search providername #30

* add DeepBlueCLI Rule(7045 System) and add argument in util.ps1 #30

* add DeepBlueCLI Rule(104 System) #30

* add DeepBlueCLI Rule(7030 System) #30

* add DeepBlueCLI Rule(7036 System) #30

* add DeepBlueCLI Rule(7040 System) #30

* add DeepBlueCLI Rule(2 Application) #30

* erase omission of copied data

* add DeepBlueCLI Rule(8003 Applocker) #30

* fix detected message

* add DeepBlueCLI Rule(8004 Applocker) #30

* add DeepBlueCLI Rule(4103 PowerShell) #30

* add DeepBlueCLI Rule(4104 PowerShell) #30

* filename changed and add DeepBlueCLI Rule(4104 PowerShell) #30

* add DeepBlueCLI Rule(7 Sysmon) #30

* change scope when execute rule #21 #28 #30

* fix syntax error #21 #28

* erased unnecessary module load #21 #28 #30

* remove duplicate process when resolve conflict merge main

merge log 17f4f13

* fix autoformatter change

* fix autoformat

* remove unnecessary global variable #28

* fix autoformatting

* add parameter to scriptblock

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix Wrong Filter WELA-Rules #30
change ProviderName to LogName

* fix single escape sequence

* fix single escape sequence in SIGMA:process_create/sysmon/wmi_event

* fix detect output format

* fix argumentation in detect function on Rules #21 #28 #30

* add contributors accounts

* fix UseDetectRule output color

* fix function call error

* add Get-WinEvent exception warning output #48

* fix if statement condition

* add DeepBlueCLI ResultObject and check-command function add servicecmd and obj #30

* erase test output

* fix error when SaveOutput is Null #49

* fix rulename and detected message in 7045-servicecreated

* comment out output executing rule name

* change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI) and SIGMA #28

WELA-Rule:All Completed
SIGMA :20 Completed

* change scope detectedMessage SIGMA and duplicate detectedMessage on SIGMA and WELA-Rule #21 #28 #30

WELA-Rule:All Completed
SIGMA: All Completed

* lacked DeepBlueCLI Result object #30

* add  recurse property to Logdirectory file search

* add regexes and whitelists and error fix on utils.ps1 #30

- add regexes and whitelist
- fix error check when commandline is null

* fix event variable is wrong #30

* erase debug output

* fix output format & add ruleName and detectedMessage multi detect pattern in rule #21 #28 #30

* fix error

- lacked variable call to set_item method
- lacked converting firstdetecttime to DateTime type

* fixed for loop

* Fixed saveoutput case  #49

* changed no output executerule case of UseDetectRules is 0 #28

* removed debug output

* changed no output executerule case of UseDetectRules is 0 #28

* fix LogonTimeline outputflag lacked initialize  in WELA #51

* fix cmdlet is not verb

* get rid of lint warn #37

* fix case of 0 divide in LogonTimeline #52

* output change no match logon record #53

- add output case of no match in get-winevent

- removed output logon output when LogonEvents count is 0

* output filename in EventIDStatistics mode #54

* removed duplicate filesize output #54

* fix output header evtx files in LogDirectory in EventIDStatistics mode #55

* changed Output Format on DeepBlueCLI Rule #30

* fixed powershell invoke deepbluecli rule logname wrong #30

* fixed lacked count on DeepblueCLI Rule(4625) #30

* erase debug output

* fixed error occurring module import error

* commented converted powershell

* fix rule import argument

* fixed rule singlequote error

* fix double quote lack error

* commented converted powershell

* fixed lacked get-winevent remove

* fixed lack of convert escape sequence in match

* fix result output write-host to write-output

* fix output rule import error to write-host

* fix lacked arg in write-output when output empty row

* adapt formatter

* Feature/add remote computer live analysis #31 (#56)

* Add_RDP_analysis_#14

* Add RemoteLiveAnalysis function

* Add remote machine analysis

* Add Help Messages

* Update subtitle

* Remove the process of checking the execution-policy.

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

* adapt formatter

* fix rule condition

change match to eq

* used  arraylist add method

* remove unnecessary process

* fixed check command return

* fixed error output condition case of logfile specified and not liveanalysis is false

* fixed detection process due sorted difference from DeepBlueCLI

* fixed lacked argument call check-command

* adapt formatter

* add DeepBlueCLI passspray detection logic

* fixed passwordguess detection logic #28

* moved show-contributors to utils.ps1

* default servicecd value set

* fixed lacked initialize

* fixed null result output

* fixed typo fixed

* AV to read SIGMA mimikatz Rule

* add IDs

* fixed mimikatz detection check script blocked by AMSI

* fixed  result is null exection case

* fixed not exist registry value error

* fixed read template ps1 file

* fixed process view #28

* fixed null check

* fixed match rule

* fixed match contents #21

* comment out debug write-out statement

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
YamatoSecurity added a commit that referenced this issue Dec 24, 2021