Fixed failure to display the names of parent process nodes for evtx #59
Comments
The reason for this is that sometimes the information about the parent process doesn't actually exist in a Windows Security event log file. For example, this event:

```python
{
    'data_name_commandline': '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                             '-s -NoLogo -NoProfile',
    'data_name_newprocessid': '0x00000c50',
    'data_name_newprocessname': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    'data_name_processid': '0x0000011c',
    'data_name_subjectdomainname': 'IE10WIN7',
    'data_name_subjectlogonid': '0x000000000006793c',
    'data_name_subjectusername': 'IEUser',
    'data_name_subjectusersid': 'S-1-5-21-3463664321-2923530833-3546627382-1000',
    'data_name_tokenelevationtype': '%%1937',
    'eventid_qualifiers': '4688',
}
```

This event shows process Since this is the first event in this EVTX file, there's no way to get more information about the parent process (I chose not to drop it and to give it an empty value, as it makes the graph more complete). In your case, you still have the two outgoing edges from the 'empty' process. If I had dropped it, you wouldn't know that those two nodes are related/spawned by the same parent. If you click on it and view it in the side window, you'll actually see the information Beagle found on it (hashes/pid/etc.). I hope this explains why; this is only the case with Windows EVTX files, because they do not give info about the parent in each event.
Hi, as a potential update, would it be possible to have the color of the 'NO_DISPLAY_VALUE' bubbles modified, or make it so that whenever a node doesn't have a value, it is replaced with the process ID instead?
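To make the situation in the two comments above concrete, here is an added example (not Beagle's own transformer code) that builds parent/child edges from flattened 4688 records in the shape shown above, keeps the edge even when the parent was never seen as a `NewProcess`, and labels such a parent with its PID rather than an empty name. The event records are constructed sample data; the function names are my own.

```python
# Added example, not Beagle's code: process-tree edges from 4688 records.
from typing import Dict, List, Tuple

# Constructed sample log: the first event's parent (0x11c) never appears as a
# NewProcess anywhere in the log, so its image name is unknown, as in the thread.
EVENTS: List[Dict[str, str]] = [
    {"eventid_qualifiers": "4688", "data_name_processid": "0x0000011c",
     "data_name_newprocessid": "0x00000c50",
     "data_name_newprocessname": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"eventid_qualifiers": "4688", "data_name_processid": "0x00000c50",
     "data_name_newprocessid": "0x00000d10",
     "data_name_newprocessname": r"C:\Windows\System32\whoami.exe"},
    {"eventid_qualifiers": "4688", "data_name_processid": "0x0000011c",
     "data_name_newprocessid": "0x00000e44",
     "data_name_newprocessname": r"C:\Windows\System32\cmd.exe"},
]


def build_process_graph(events: List[Dict[str, str]]) -> Tuple[Dict[int, str], List[Tuple[int, int]]]:
    """Return (names, edges). names maps pid -> image path, known only for
    pids that occur as NewProcessId; edges is a list of (parent_pid, child_pid)."""
    names: Dict[int, str] = {}
    edges: List[Tuple[int, int]] = []
    for ev in events:
        if ev.get("eventid_qualifiers") != "4688":
            continue
        parent = int(ev["data_name_processid"], 16)
        child = int(ev["data_name_newprocessid"], 16)
        names[child] = ev["data_name_newprocessname"]
        # Keep the edge even if the parent is unnamed: dropping it would hide
        # that sibling processes were spawned by the same parent.
        edges.append((parent, child))
    return names, edges


def node_label(pid: int, names: Dict[int, str]) -> str:
    """Display label for a node: the image file name when known, otherwise
    the PID (the fallback requested in the thread) instead of an empty string."""
    name = names.get(pid)
    return name.rsplit("\\", 1)[-1] if name else f"pid {pid:#x}"


def labelled_edges(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    names, edges = build_process_graph(events)
    return [(node_label(p, names), node_label(c, names)) for p, c in edges]
```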
Hi,
When providing an evtx to the software, the nodes of the parent processes do not necessarily have a name because it is not specified in the transformer. This patch is used to display it.