[pull] master from kevoreilly:master#439
Merged
pull[bot] merged 7 commits intothreatcode:masterfrom Mar 12, 2026
Merged
Conversation
… logs The Windows analyzer logs the package selection as: INFO: analysis package selected: "pkg" but get_package() only searched for the Linux format: INFO: Automatically selected analysis package "pkg" This caused the package field to remain empty in reports for Windows analyses where no package was explicitly specified. Now searches for both log formats using len(marker) instead of a hardcoded offset.
Enhanced evtx.py auxiliary module: - Collect 20+ additional Windows event log channels (PowerShell, Defender, BITS, Firewall, NTLM, AppLocker, WMI, Task Scheduler, etc.) - Enable command line logging (ProcessCreationIncludeCmdLine_Enabled) - Configure log sizes (100MB per channel) - Use audit policy GUIDs instead of English names (non-English support) - Quote channel names in wevtutil calls New event logs web UI: - Three-tab layout: Sigma Detections, Sysmon Events, EVTX Events - Sigma tab shows rule title, severity, ID, description, matched events - Sigma query shown on expand (not cluttering collapsed view) - Severity badge coloring (critical/high/medium/low/informational) - MITRE ATT&CK technique display per detection Systemd units for daily Sigma rule updates via Zircolite. Companion to CAPESandbox/community#544 which adds the sigma processing module and behavioral signature.
Event IDs from untrusted guest Sysmon logs were concatenated into HTML without escaping. Apply escapeHtml() to all eid insertions.
Remove warning log for suspicious EVTX archive members.
feat: enhanced EVTX collection and event logs web UI with Sigma support
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )