Currently, the Windows EVTX parser pulls out the 'xml_string' field, but does not parse the items within this field. Is it possible to have this field parsed such that the XML content, at least the key:value pairs, are available as field/values? e.g. TargetUserName from a 4625 event.
Reason: Many entities rely on regex'ing through the xml_string field. Yet regex'ing through XML data not only adds processing overhead, but just seems daffy given the structured nature of the format. While regex'ing the field can work, the processing impact on this can be great, especially when users are running Elastic on a laptop (i.e. not on a beautiful, kick-butt cluster).
If the community could get some additional parsing of the 'xml_string' field, this would make everyone's life that much easier. And better. And cooler.
Thanks!
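To illustrate the request, here is an added example (not the project's own code) that flattens the XML already exposed in `xml_string` into field/value pairs; the sample 4625 event text and the `system.*` / `eventdata.*` naming scheme are assumptions made for the example.

```python
# Added example (not the project's own code): flatten the XML the EVTX parser already
# exposes as 'xml_string' into field/value pairs, so that e.g. TargetUserName of
# a 4625 (failed logon) event can be queried directly instead of regex'ing it.
import xml.etree.ElementTree as ET

# Constructed sample 4625 event as it appears in xml_string (trimmed, not real data).
SAMPLE_4625_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2023-01-01T12:00:00.000000Z"/>
    <Channel>Security</Channel>
    <Computer>WORKSTATION01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>"""

def _local(tag):
    """Strip the XML namespace so lookups do not depend on the xmlns value."""
    return tag.rsplit("}", 1)[-1]

def parse_event_xml(xml_string):
    """Return {field: value}: System children as 'system.<name>' (attributes as
    'system.<name>.<attr>'), EventData/Data as 'eventdata.<Name>'. Data elements
    without a Name attribute (some providers emit them) are keyed by position."""
    root = ET.fromstring(xml_string)  # untrusted input: prefer defusedxml in production
    fields = {}
    for section in root:
        sec = _local(section.tag).lower()
        if sec == "system":
            for el in section:
                name = _local(el.tag)
                if el.text and el.text.strip():
                    fields["system." + name] = el.text.strip()
                for attr, value in el.attrib.items():
                    fields["system.%s.%s" % (name, attr)] = value
        elif sec == "eventdata":
            for i, el in enumerate(section):
                key = el.attrib.get("Name") or "data%d" % i
                fields["eventdata." + key] = (el.text or "").strip()
    return fields
```

The resulting dict can be indexed as ordinary fields (e.g. `eventdata.TargetUserName`) without any regex over the raw string.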