evtx-file

Reads a Windows event log file in EVTX format and outputs one record per event, with fields such as the event channel, event provider, event ID, and event message.

Syntax

evtx-file [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameters
FILE_PATH
Path to the Windows event log file. If the zippath option is given, FILE_PATH is the path of the entry inside the ZIP file.
Optional Parameters
zippath
Path to the ZIP file.

Description

After running the evtx-file command, the output fields are as follows:

Field       Type      Description
_time       Date      Time at which the event occurred
computer    String    Computer name
channel     String    Event channel
provider    String    Event provider
event_id    Integer   Event ID
task        Integer   Event task
level       Integer   Event level
record_id   Integer   Record ID
msg         String    Event message
event_data  Map       Event data

Usage

  1. Retrieve information by providing the file path.

    evtx-file /testdata/evtx/System.evtx
    
  2. Retrieve information when the zippath option is provided.

    evtx-file zippath=/testdata/evtx.zip evtx/System.evtx
    
  3. Retrieve an event whose event provider is MySQL.

    evtx-file /testdata/evtx/application.evtx
    | search provider=="MySQL"
    
  4. Replace the event message (msg field) with lookup.

    evtx-file /testdata/evtx/application.evtx
    | mpsearch msg [ lookuptable EVTX_WHITE ]
    | search len(_mp_result) == 0
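The following Python script is an added example and is not part of this documentation or the product's own code. It reproduces the logic of usage examples 3 and 4 in plain Python over constructed records shaped like the evtx-file output fields listed above: a provider filter, and a whitelist filter that keeps only the events whose message matches none of the patterns in a lookup table (the equivalent of `mpsearch msg [ lookuptable ... ]` followed by `search len(_mp_result) == 0`). The records and the whitelist are constructed sample data, not real EVTX contents, and the assumption that multi-pattern matching is a case-insensitive substring match, and that an event without a message matches nothing, is the example's own.

```python
"""Added example, not product code: evtx-file style records filtered by
provider and by a message whitelist, as in usage examples 3 and 4."""
from datetime import datetime

# Constructed sample records in the evtx-file output schema (not real EVTX data).
EVENTS = [
    {"_time": datetime(2024, 1, 5, 9, 0, 0), "computer": "host1", "channel": "Application",
     "provider": "MySQL", "event_id": 100, "task": 0, "level": 4, "record_id": 1,
     "msg": "mysqld: ready for connections. Version: '8.0' port: 3306",
     "event_data": {}},
    {"_time": datetime(2024, 1, 5, 9, 1, 0), "computer": "host1", "channel": "Application",
     "provider": "MySQL", "event_id": 100, "task": 0, "level": 2, "record_id": 2,
     "msg": "Access denied for user 'app'@'10.0.0.5' (using password: YES)",
     "event_data": {}},
    {"_time": datetime(2024, 1, 5, 9, 2, 0), "computer": "host1", "channel": "Application",
     "provider": "ESENT", "event_id": 102, "task": 1, "level": 4, "record_id": 3,
     "msg": "svchost (1234) Instance: The database engine started a new instance (0).",
     "event_data": {}},
    {"_time": datetime(2024, 1, 5, 9, 3, 0), "computer": "host1", "channel": "Application",
     "provider": "Application Error", "event_id": 1000, "task": 100, "level": 2,
     "record_id": 4, "msg": None, "event_data": {}},  # event with no rendered message
]

# Constructed stand-in for the EVTX_WHITE lookup table: message fragments
# of routine, expected events.
WHITELIST = ["ready for connections", "database engine started"]


def search_provider(events, provider):
    """Equivalent of `search provider=="MySQL"`: exact match on the provider field."""
    return [e for e in events if e.get("provider") == provider]


def mpsearch(msg, patterns):
    """Multi-pattern search over one message.

    Returns the list of patterns found in msg (the role of the _mp_result
    field). Assumption: case-insensitive substring matching; a missing
    message matches no pattern.
    """
    if not msg:
        return []
    lowered = msg.lower()
    return [p for p in patterns if p.lower() in lowered]


def not_whitelisted(events, patterns):
    """Equivalent of `mpsearch msg [...] | search len(_mp_result) == 0`:
    keep only events whose message matches none of the whitelist patterns."""
    kept = []
    for e in events:
        e = dict(e)
        e["_mp_result"] = mpsearch(e.get("msg"), patterns)
        if len(e["_mp_result"]) == 0:
            kept.append(e)
    return kept


if __name__ == "__main__":
    for e in search_provider(EVENTS, "MySQL"):
        print("MySQL event", e["record_id"], e["msg"])
    for e in not_whitelisted(EVENTS, WHITELIST):
        print("not whitelisted", e["record_id"], e["provider"], e["msg"])
```

Events 2 and 4 survive the whitelist filter: event 2 because its message matches no whitelisted fragment, and event 4 because it carries no message at all, which is the case a naive `pattern in msg` test would crash on rather than report.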