Merge pull request #75 from wagga40/v2.20.0
V2.20.0 : 
Add conditional imports to limit error for functions not used
Add option groups to improve help readability
Correct typo in docs
Update some error messages
Bump version to 2.20.0
Add a simple mechanism to control external binaries
Add a requirement.full.txt
Update docs and rules
Correct a bug in output json results
Clean options and arguments
wagga40 committed Mar 24, 2024
2 parents 263f6a6 + 27fec60 commit 24dcf17
Showing 21 changed files with 206,995 additions and 201,767 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -3,7 +3,7 @@
DOCKER?=docker
DOCKER_BUILD_FLAGS?=
DOCKER_REGISTRY?=docker.io
DOCKER_TAG?=2.10
DOCKER_TAG?=2.20.0
GIT?=git
PY3?=python3
DATE=$(shell date +%s)
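Review bot: the old value `DOCKER_TAG?=2.10` had already drifted from the tool's release number before this bump to `2.20.0`, which shows the tag is maintained by hand in a second place; derive it from the single version string that the `Bump version to 2.20.0` item updates (for example by reading it from the Python module with `PY3`, already defined here) or at least add a comment next to `DOCKER_TAG` that it must move with every release, otherwise the published image will silently lag the code again.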
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -6,7 +6,7 @@
[![python](https://img.shields.io/badge/python-3.8-blue)](https://www.python.org/)
![version](https://img.shields.io/badge/Architecture-64bit-red)

> **Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on : MS Windows EVTX (EVTX, XML and JSONL format), Auditd logs, Sysmon for Linux and EVTXtract logs**
> **Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on : MS Windows EVTX (EVTX, XML and JSONL format), Auditd logs, Sysmon for Linux, EVTXtract, CSV and XML logs**
- **Zircolite** can be used directly on the investigated endpoint or in your forensic/detection lab
- **Zircolite** is relatively fast and can parse large datasets in just seconds
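Review bot: the added bold line now lists XML twice, once as an EVTX export format in `MS Windows EVTX (EVTX, XML and JSONL format)` and again as a standalone input in `CSV and XML logs`, so a reader cannot tell how the standalone XML mode differs from the EVTX-as-XML one or which columns a CSV input is expected to carry; spell both out, or link to the section of the docs that does. While the sentence is being edited, `It allows to use SIGMA rules on :` should read `It allows using SIGMA rules on:`.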
Expand All @@ -19,7 +19,7 @@

## Requirements / Installation

Python 3.8 minimum is required. You can install dependencies with : `pip3 install -r requirements.txt`
Python 3.8 minimum is required. If you only want to use base functionnalities of Zircolite, you can install dependencies with : `pip3 install -r requirements.txt`. But `pip3 install -r requirements.full.txt` is strongly recommanded.

The use of [evtx_dump](https://github.com/omerbenamram/evtx) is **optional but required by default (because it is -for now- much faster)**, If you do not want to use it you have to use the `--noexternal` option. The tool is provided if you clone the Zircolite repository (the official repository is [here](https://github.com/omerbenamram/evtx)).
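Review bot: two spelling errors in the added line, `functionnalities` and `recommanded`, should be `functionalities` and `recommended`. The line also says the full requirements file is strongly recommended without saying what it adds; since this commit makes the extra imports conditional (`Add conditional imports to limit error for functions not used`), list the features that need `requirements.full.txt`, otherwise an analyst who installs from the minimal file only discovers the missing capability at runtime on the case they are working.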

13 changes: 10 additions & 3 deletions docs/Advanced.md
Expand Up @@ -7,7 +7,7 @@ Zircolite tries to be as fast as possible so a lot of data is stored in memory.
- **Zircolite memory use oscillate between 2 or 3 times the size of the logs**
- It is not a good idea to use it on very big EVTX files or a large number of EVTX **as is**

The tool has been created to be used on very big datasets and there are a lot of ways to speed up Zircolite :
There are a lot of ways to speed up Zircolite :

- Using as much CPU core as possible : see below "[Using GNU Parallel](using-gnu-parallel)"
- Using [Filtering](#filtering)
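Review bot: dropping the claim that the tool was created for very big datasets removes the contradiction with the bullet two lines up that advises against running it on very big EVTX files `as is`, which is the right call; the replacement opener `There are a lot of ways to speed up Zircolite :` now reads as an unrelated paragraph, so tie it back to that caveat, e.g. `If you do have a large dataset, there are several ways to speed up Zircolite:`.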
Expand All @@ -26,7 +26,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l

```shell
find <CASE_DIRECTORY> -maxdepth 1 -mindepth 1 -type d | \
parallel --bar python3 zircolite.py --evtx {} \
parallel --bar python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
```
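Review bot: the removed and added `parallel --bar python3 zircolite.py --evtx {} \` lines differ only in whitespace, which the rendered diff hides; in a fenced shell example that deserves a second look, because any character after the trailing `\` breaks the line continuation and the `--ruleset ... --outfile {/.}.json` line is then parsed as a separate command, so confirm the backslash is now the last character on the line and record the whitespace fix in the release notes so readers who copied the old snippet know why it misbehaved.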

Expand Down Expand Up @@ -179,7 +179,7 @@ As of v1.3.5, Zircolite can forward detections to a Splunk instance with Splunk

```shell
python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
--remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
--remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
[--index myindex]
```
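Review bot: the edit to the `--remote "https://x.x.x.x:8088" --token "..." \` line is the same invisible whitespace-only change as in the GNU Parallel example, so the same trailing-backslash check applies here. Beyond that, the example places the Splunk HEC token directly on the command line; a one-line note that the token then appears in shell history and in process listings, pointing to an alternative if the tool offers one, would help readers who paste this into a shared analysis host.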

Expand Down Expand Up @@ -359,3 +359,10 @@ Basically, if you want to integrate Zircolite with **DFIR Orc** :

- Now you need to generate the **DFIR Orc** binary by executing `.\configure.ps1` at the root of the repository
- The final output will be in the `output` directory

## Other tools

Some other tools (mostly untested) have included a way to run Zircolite :

- [Kape](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape) has a module for Zircolite : [here](https://github.com/EricZimmerman/KapeFiles/tree/master/Modules/Apps/GitHub)
- [Velociraptor](https://github.com/Velocidex/velociraptor) has an artifact for Zircolite : [here](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.zircolite/)
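Review bot: `(mostly untested)` in the new `## Other tools` section leaves the reader guessing which of the two integrations was actually exercised; state per entry whether it was tested and with which Zircolite version. The Kape link also points at the whole `Modules/Apps/GitHub` directory rather than at the Zircolite module file, so link the module itself, and since this release cleans options and arguments (`Clean options and arguments` in the commit message) it is worth warning that third-party integrations pin their own argument set and may lag behind.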
