Windows.EventLogs.Zircolite

Zircolite is a standalone tool that can be used to apply Sigma rules to EVTX files on endpoints in an effort to quickly parse large datasets and surface detections.

You can read more about Zircolite below:

https://github.com/wagga40/Zircolite

NOTE: This artifact may take several minutes to run, depending on the size of EVTX files being analyzed.


name: Windows.EventLogs.Zircolite
description: |
    Zircolite is a standalone tool that can be used to apply Sigma rules to EVTX files on endpoints in an effort to quickly parse large datasets and surface detections.
                
    You can read more about Zircolite below:
        
    https://github.com/wagga40/Zircolite
        
    NOTE: This artifact may take several minutes to run, depending on the size of EVTX files being analyzed.
    
author: Wes Lambert -- @therealwlambert
tools:
  - name: Zircolite
    url: https://github.com/wagga40/Zircolite/releases/download/2.8.1/zircolite_win10.exe
parameters:
  - name: EVTXPath
    default: 'C:\Windows\System32\winevt\Logs'
  - name: Rules
    type: upload
    description: Ruleset to be used (defaults to Zircolite generic ruleset)
    default: https://raw.githubusercontent.com/wagga40/Zircolite/master/rules/rules_windows_generic.json
  - name: Mappings
    type: upload
    default: https://raw.githubusercontent.com/wagga40/Zircolite/master/config/fieldMappings.json
    description: Mappings for ruleset (defaults to Zircolite field mappings)
    
sources:
  - query: |
        LET TmpResults <= tempfile(remove_last=True)
        LET Results =  SELECT * FROM read_file(filenames=TmpResults)
        LET Zlite <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="Zircolite", IsExecutable=FALSE)
        LET RulesFile <= tempfile(data=Rules, remove_last=True, extension=".json")
        Let MappingsFile <= tempfile(data=Mappings, remove_last=True, extension=".json")
        LET ExecZlite <= SELECT * FROM execve(argv=[
                        Zlite.FullPath[0], 
                        "--evtx", EVTXPath, 
                        "--ruleset", RulesFile,
                        "--config", MappingsFile,
                        "--noexternal",
                        "--outfile", TmpResults])
        LET Data = SELECT * FROM foreach(row=Results, query={SELECT parse_json_array(data=Data) AS Content FROM scope()})
        SELECT * FROM foreach(row=Data, query={
            SELECT
                get(member="title") AS Detection,
                get(member="description") AS Description, 
                get(member="rule_level") AS Severity,
                get(member="count") AS Count,
                get(member="tags") AS Tags,
                get(member="matches") AS Matches,
                get(member="sigma") AS _Sigma
            FROM Content    
        })