feat(evtx): implement EVTX input adapter for eval command #85
Merged
Add support for evaluating Sigma rules directly against Windows Event Log (.evtx) files via `rsigma eval -e @security.evtx`, bypassing the line-oriented parsing layer since EVTX is a binary format.

Changes:
- rsigma-runtime: add EvtxFileReader in input/evtx.rs behind the `evtx` feature flag, wrapping evtx::EvtxParser with single-threaded ParserSettings and yielding serde_json::Value per record
- rsigma-runtime: set default-features = false on evtx dep to avoid pulling in evtx_dump CLI dependencies
- rsigma-cli: add EvtxFile variant to EventSource, auto-detect .evtx extension in resolve_event_source, handle in both correlation and detection-only eval paths
- rsigma-cli: update --event help text to mention .evtx support
- Add integration test with a real security.evtx fixture validating record iteration and EventID 4624 detection
Update root README, rsigma-cli README, rsigma-runtime README, and the Mermaid architecture diagram to cover the new EVTX input adapter: format lists, usage examples, feature flag descriptions, event input modes table, and architecture diagrams.
Summary
- `EvtxFileReader` in `rsigma-runtime` behind the `evtx` feature flag, wrapping `evtx::EvtxParser` to iterate `.evtx` records as `serde_json::Value`
- `rsigma eval -e @file.evtx` to auto-detect the `.evtx` extension and route through the binary parser instead of line-oriented NDJSON
- `default-features = false` on the `evtx` dependency to avoid pulling in `evtx_dump` CLI deps

Test plan
- `cargo check --workspace --all-features` passes
- `cargo clippy --workspace --all-targets --all-features -- -D warnings` passes
- `cargo fmt --all -- --check` passes
- `cargo test --workspace` passes (no regressions)
- `cargo test -p rsigma-runtime --features evtx --test evtx_integration` passes (2 new tests)
- `cargo deny check` passes
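The PR routes `-e @file.evtx` to a binary reader by file extension and gates that reader behind a cargo feature. The following is an added example, not rsigma's own code, showing that routing with two checks the description does not spell out: the extension match is case-insensitive, and the first eight bytes are compared against the EVTX file signature (`ElfFile\0`) so a misnamed file produces a clear error instead of being split into "lines" by the NDJSON layer. `EventSource`, `resolve_event_source` and the `evtx` feature name are taken from the PR text; the variant set, `records_from_bytes`, `looks_like_evtx` and `ndjson_records` are assumptions for illustration, and the actual EVTX decoding (which the PR delegates to `evtx::EvtxParser`) is deliberately not included.

```rust
// Added example (not rsigma's own code): routing the `--event` argument to a
// binary EVTX reader or the line-oriented NDJSON reader, plus a magic-byte
// check that catches a misnamed file before it reaches the wrong parser.
use std::path::{Path, PathBuf};

/// Signature at offset 0 of every EVTX file ("ElfFile\0").
pub const EVTX_FILE_MAGIC: &[u8; 8] = b"ElfFile\0";

/// Whether this build has the `evtx` cargo feature enabled (false when
/// compiled as a plain file, mirroring a build without the feature).
pub const EVTX_ENABLED: bool = cfg!(feature = "evtx");

#[derive(Debug, PartialEq)]
pub enum EventSource {
    /// Inline JSON passed directly as the argument value.
    Inline(String),
    /// Newline-delimited JSON file: one event per line.
    NdJsonFile(PathBuf),
    /// Binary Windows Event Log: must bypass the line-oriented layer.
    EvtxFile(PathBuf),
}

/// `@path` means "read from file"; anything else is inline JSON. The file kind
/// is chosen by extension, compared case-insensitively so `Security.EVTX`
/// is routed the same way as `security.evtx`.
pub fn resolve_event_source(arg: &str) -> EventSource {
    match arg.strip_prefix('@') {
        None => EventSource::Inline(arg.to_string()),
        Some(path) => {
            let path = PathBuf::from(path);
            if has_extension(&path, "evtx") {
                EventSource::EvtxFile(path)
            } else {
                EventSource::NdJsonFile(path)
            }
        }
    }
}

fn has_extension(path: &Path, wanted: &str) -> bool {
    path.extension()
        .and_then(|ext| ext.to_str())
        .map(|ext| ext.eq_ignore_ascii_case(wanted))
        .unwrap_or(false)
}

/// True when the buffer starts with the EVTX file signature.
pub fn looks_like_evtx(head: &[u8]) -> bool {
    head.starts_with(EVTX_FILE_MAGIC)
}

/// The line-oriented layer: one JSON document per non-empty line.
pub fn ndjson_records(text: &str) -> Vec<String> {
    text.lines()
        .map(str::trim)
        .filter(|line| !line.is_empty())
        .map(str::to_owned)
        .collect()
}

/// Turn the raw bytes of a resolved source into records. Text sources are
/// split here; binary input is refused with a descriptive error rather than
/// being fed to the NDJSON splitter.
pub fn records_from_bytes(source: &EventSource, bytes: &[u8]) -> Result<Vec<String>, String> {
    match source {
        EventSource::Inline(json) => Ok(vec![json.clone()]),
        EventSource::NdJsonFile(path) => {
            if looks_like_evtx(bytes) {
                return Err(format!(
                    "{} carries the EVTX signature but not the .evtx extension",
                    path.display()
                ));
            }
            let text = std::str::from_utf8(bytes)
                .map_err(|e| format!("{}: not UTF-8 text: {e}", path.display()))?;
            Ok(ndjson_records(text))
        }
        EventSource::EvtxFile(path) => {
            if !EVTX_ENABLED {
                return Err("built without the evtx feature; rebuild with --features evtx".into());
            }
            if !looks_like_evtx(bytes) {
                return Err(format!("{} does not start with the EVTX signature", path.display()));
            }
            // A feature-enabled build would hand the file to the binary EVTX
            // parser here; that decoder is outside this example.
            Err("EVTX decoding is delegated to the binary reader (not shown)".into())
        }
    }
}

fn main() {
    for arg in ["@security.evtx", "@Security.EVTX", "@events.ndjson", "{\"EventID\":4624}"] {
        println!("{arg} -> {:?}", resolve_event_source(arg));
    }
}
```

The signature check is the piece worth keeping even if the rest is replaced: extension auto-detection is convenient, but a renamed or truncated file is the common failure mode, and rejecting it at the boundary gives the analyst an actionable message instead of a flood of JSON parse errors from the line layer.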