feat: enhanced EVTX collection and event logs web UI with Sigma support#2939

Merged
kevoreilly merged 6 commits into kevoreilly:master from wmetcalf:feat/sigma-evtx-web on Mar 12, 2026

Conversation

@wmetcalf
Contributor

Summary

  • Enhanced evtx.py auxiliary module with 20+ additional Windows event log channels (PowerShell, Defender, BITS, Firewall, NTLM, AppLocker, WMI, Task Scheduler, etc.), command line logging, configurable log sizes, audit policy GUIDs for non-English Windows support
  • New event logs web UI with three-tab layout: Sigma Detections, Sysmon Events, EVTX Events
  • Sigma tab shows rule title, severity badges, ID, description, MITRE ATT&CK techniques, and matched events with expandable sigma query
  • Systemd timer for daily Sigma rule updates via Zircolite

Dependencies

wmetcalf added 3 commits March 9, 2026 16:33
… logs

The Windows analyzer logs the package selection as:
  INFO: analysis package selected: "pkg"
but get_package() only searched for the Linux format:
  INFO: Automatically selected analysis package "pkg"

This caused the package field to remain empty in reports for
Windows analyses where no package was explicitly specified.

Now searches for both log formats using len(marker) instead of
a hardcoded offset.

Enhanced evtx.py auxiliary module:
- Collect 20+ additional Windows event log channels (PowerShell,
  Defender, BITS, Firewall, NTLM, AppLocker, WMI, Task Scheduler, etc.)
- Enable command line logging (ProcessCreationIncludeCmdLine_Enabled)
- Configure log sizes (100MB per channel)
- Use audit policy GUIDs instead of English names (non-English support)
- Quote channel names in wevtutil calls

New event logs web UI:
- Three-tab layout: Sigma Detections, Sysmon Events, EVTX Events
- Sigma tab shows rule title, severity, ID, description, matched events
- Sigma query shown on expand (not cluttering collapsed view)
- Severity badge coloring (critical/high/medium/low/informational)
- MITRE ATT&CK technique display per detection

Systemd units for daily Sigma rule updates via Zircolite.

Companion to CAPESandbox/community#544 which adds the sigma processing
module and behavioral signature.
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the platform's capability to collect and analyze Windows event logs, providing deeper insights into system activities. It introduces a comprehensive set of new event log channels for collection and a user-friendly web interface to visualize and interact with these logs, including Sigma detections and Sysmon events. These changes aim to improve threat detection and analysis by offering more granular data and a streamlined review process.

Highlights

  • Enhanced EVTX Collection: Expanded Windows event log collection in evtx.py to include over 20 new channels (e.g., PowerShell, Defender, NTLM, AppLocker, WMI, Task Scheduler), implemented command line logging, and configurable log sizes.
  • Language-Agnostic Audit Policies: Updated advanced audit policy configuration to use language-agnostic GUIDs for broader Windows support, ensuring consistent logging across different OS languages.
  • New Event Logs Web UI: Introduced a new web UI for event logs, featuring dedicated tabs for Sigma Detections, Sysmon Events, and detailed EVTX Events, providing a centralized view for security analysis.
  • Sigma Tab Enhancements: Enhanced the Sigma tab to display rule details such as title, severity, ID, description, MITRE ATT&CK techniques, and matched events with expandable queries.
  • Automated Sigma Rule Updates: Enabled daily automatic updates for Sigma rules via a new systemd service and timer, leveraging Zircolite to keep detection capabilities current.

Changelog
  • analyzer/windows/modules/auxiliary/evtx.py
    • Expanded the list of windows_logs to include over 20 new event log channels.
    • Added LOG_MAX_SIZE constant and log_sizes list to configure maximum sizes for event logs.
    • Introduced logs_to_enable list for logs that require explicit activation.
    • Implemented enable_cmdline_logging function to capture command line details in process creation events.
    • Implemented configure_log_sizes function to set max log sizes and enable disabled logs.
    • Refactored enable_advanced_logging to use audit policy GUIDs for language-independent configuration.
    • Modified wipe_windows_logs to use quoted channel names for wevtutil.
    • Integrated enable_cmdline_logging and configure_log_sizes into the run method.
  • modules/processing/analysisinfo.py
    • Modified get_package to check for both Windows and Linux analyzer log formats when identifying the analysis package.
  • systemd/cape-sigma-update.service
    • Added a new systemd service definition for updating CAPE Sigma rules using Zircolite.
  • systemd/cape-sigma-update.timer
    • Added a new systemd timer definition to schedule daily updates of CAPE Sigma rules.
  • web/analysis/urls.py
    • Added URL patterns for load_evtx_channel and load_evtx_channel_count views.
  • web/analysis/views.py
    • Imported lru_cache and JsonResponse.
    • Added PyEvtxParser import and HAVE_EVTX flag for EVTX parsing.
    • Defined EVTX_LEVEL_MAP and EVTX_PAGE_SIZE constants.
    • Added helper functions _evtx_member_display_name, _flatten_evtx_detail, and _list_evtx_members for EVTX processing.
    • Implemented cached functions _load_evtx_channel_page_cached and _count_evtx_channel_events_cached for efficient EVTX data retrieval.
    • Created _load_evtx_channel_page to handle EVTX channel page loading.
    • Extended load_files to include "eventlogs" category, fetching Sigma, Sysmon, and EVTX channel data.
    • Added decrypted_pcap_exists check to load_files AJAX response.
    • Updated report to check for has_evtx and include it in the report context.
    • Implemented load_evtx_channel view to serve EVTX channel data for the web UI.
    • Implemented load_evtx_channel_count view to provide event counts for EVTX channels.
    • Added "decrypted_pcap" category to file view for downloading decrypted PCAP files.
  • web/templates/analysis/eventlogs/_evtx_channel.html
    • Created a new template to display paginated EVTX events for a specific channel, including event details and level badges.
  • web/templates/analysis/eventlogs/index.html
    • Created a new template for the event logs section, featuring tabbed navigation for Sigma Detections, Sysmon Events, and EVTX Events.
    • Includes JavaScript for dynamic loading and pagination of Sysmon and EVTX events.
  • web/templates/analysis/report.html
    • Modified AJAX tab loading logic to prevent redundant loading and handle loading states.
    • Added a new "Event Logs" navigation tab, conditionally displayed based on the presence of Sigma, Sysmon, or EVTX data.
    • Included the analysis/eventlogs/index.html template in the report's tab content.
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request significantly enhances the EVTX log collection capabilities and introduces a new web UI for viewing event logs, including Sysmon events and Sigma detections, with improvements like using GUIDs for audit policies and on-demand UI loading. However, a significant DOM-based Cross-Site Scripting (XSS) vulnerability was identified in the Sysmon Events tab of the new web UI, stemming from the direct concatenation of unescaped Event IDs into the HTML structure via JavaScript. Additionally, feedback includes reducing code duplication in the evtx.py module and making the systemd service for Sigma updates more robust by not ignoring restart failures.

Comment on lines +211 to +212
tabsHtml += '<li class="nav-item"><a class="nav-link' + active + '" data-bs-toggle="tab" href="#sysmon_eid_' + eid + '" role="tab">' +
getEventName(eid) + ' (' + grouped[eid].length + ')</a></li>';
Contributor


security-high

The eid (Event ID) variable, which is extracted from attacker-controlled Sysmon logs, is concatenated directly into HTML strings without proper escaping. This allows for DOM-based Cross-Site Scripting (XSS). An attacker can craft a malicious EVTX file or trigger malware to generate a Sysmon event with a specially crafted EventID containing HTML/JavaScript, which will be executed in the context of the user's browser when they view the Sysmon Events tab.

To remediate this, use the escapeHtml() function to sanitize the eid variable and the return value of getEventName(eid) before concatenating them into HTML strings.

                tabsHtml += '<li class="nav-item"><a class="nav-link' + active + '" data-bs-toggle="tab" href="#sysmon_eid_' + escapeHtml(eid) + '" role="tab">' +
                    escapeHtml(getEventName(eid)) + ' (' + grouped[eid].length + ')</a></li>';

Contributor Author


Fixed in f9988b8 — applied escapeHtml() to all eid insertions and getEventName(eid) return value.
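As an added example (not the PR's template code), the escaper and a rebuilt Sysmon tab-list builder that applies it the way the fix above describes; escapeHtml(), getEventName() and the grouped sample data are assumed stand-ins for the template's own functions and data.

```javascript
// Added example, not the PR's template code. escapeHtml(), getEventName() and
// the grouped sample data are assumed stand-ins for the template's own.

// Escape every character that can close a text node or an attribute value.
// Quotes matter here because eid lands inside href/id/data-eid attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed stand-in for the template's Sysmon Event ID name lookup.
var SYSMON_EVENT_NAMES = { 1: "Process Create", 3: "Network Connection", 11: "File Create" };
function getEventName(eid) {
  return SYSMON_EVENT_NAMES[eid] || "Event " + eid;
}

// Pre-fix pattern from the review, kept for contrast: eid and the name it
// resolves to flow into markup unescaped.
function buildTabUnsafe(eid, count) {
  return '<a class="nav-link" href="#sysmon_eid_' + eid + '">' +
    getEventName(eid) + ' (' + count + ')</a>';
}

// Fixed pattern: every value derived from the log-supplied eid is escaped
// before concatenation, so an EventID that contains markup renders as text.
function buildSysmonTabs(grouped) {
  var tabsHtml = '<ul class="nav nav-tabs" role="tablist">';
  var eids = Object.keys(grouped);
  for (var j = 0; j < eids.length; j++) {
    var eid = eids[j];
    var active = j === 0 ? " active" : "";
    tabsHtml += '<li class="nav-item"><a class="nav-link' + active +
      '" data-bs-toggle="tab" href="#sysmon_eid_' + escapeHtml(eid) + '" role="tab">' +
      escapeHtml(getEventName(eid)) + ' (' + grouped[eid].length + ')</a></li>';
  }
  return tabsHtml + '</ul>';
}

// Constructed sample: two ordinary Sysmon Event IDs and one that carries markup.
var SAMPLE_GROUPED = {
  "1": [{ Image: "C:\\Windows\\notepad.exe" }],
  "3": [{ DestinationIp: "10.0.0.5" }, { DestinationIp: "10.0.0.6" }],
  '1"><b>x</b>': [{ Image: "constructed" }]
};
```

Because eid is also used as a fragment identifier and id attribute, escaping keeps the markup intact but an unexpected value will still produce a tab whose href matches no pane; the count and grouping logic is unaffected either way.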

var events = grouped[eid];
var showActive = j === 0 ? " show active" : "";

contentHtml += '<div class="tab-pane fade' + showActive + '" id="sysmon_eid_' + eid + '">';
Contributor


security-high

The eid variable is used here without escaping, contributing to the DOM XSS vulnerability.

                    contentHtml += '<div class="tab-pane fade' + showActive + '" id="sysmon_eid_' + escapeHtml(eid) + '">';

Contributor Author


Fixed in f9988b8 — applied escapeHtml() to all eid insertions and getEventName(eid) return value.

var evt = events[e];
var pageNum = Math.floor(e / PAGE_SIZE) + 1;
var hidden = pageNum > 1 ? ' style="display:none"' : '';
contentHtml += '<tr class="sysmon-row" data-page="' + pageNum + '" data-eid="' + eid + '"' + hidden + '>';
Contributor


security-high

The eid variable is used here without escaping, contributing to the DOM XSS vulnerability.

                        contentHtml += '<tr class="sysmon-row" data-page="' + pageNum + '" data-eid="' + escapeHtml(eid) + '"' + hidden + '>';

Contributor Author


Fixed in f9988b8 — applied escapeHtml() to all eid insertions and getEventName(eid) return value.


// Pagination controls
if (totalPages > 1) {
contentHtml += '<nav aria-label="Sysmon pagination"><ul class="pagination justify-content-center eventlogs-pagination" data-eid="' + eid + '">';
Contributor


security-high

The eid variable is used here without escaping, contributing to the DOM XSS vulnerability.

                        contentHtml += '<nav aria-label="Sysmon pagination"><ul class="pagination justify-content-center eventlogs-pagination" data-eid="' + escapeHtml(eid) + '">';

Contributor Author


Fixed in f9988b8 — applied escapeHtml() to all eid insertions and getEventName(eid) return value.

Comment on lines +57 to +83
log_sizes = [
"Security",
"Microsoft-Windows-PowerShell/Operational",
"Windows PowerShell",
"PowerShellCore/Operational",
"System",
"Application",
"Microsoft-Windows-Windows Defender/Operational",
"Microsoft-Windows-Bits-Client/Operational",
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"Microsoft-Windows-NTLM/Operational",
"Microsoft-Windows-Security-Mitigations/KernelMode",
"Microsoft-Windows-Security-Mitigations/UserMode",
"Microsoft-Windows-PrintService/Admin",
"Microsoft-Windows-PrintService/Operational",
"Microsoft-Windows-SmbClient/Security",
"Microsoft-Windows-AppLocker/MSI and Script",
"Microsoft-Windows-AppLocker/EXE and DLL",
"Microsoft-Windows-AppLocker/Packaged app-Deployment",
"Microsoft-Windows-AppLocker/Packaged app-Execution",
"Microsoft-Windows-CodeIntegrity/Operational",
"Microsoft-Windows-Diagnosis-Scripted/Operational",
"Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"Microsoft-Windows-WMI-Activity/Operational",
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"Microsoft-Windows-TaskScheduler/Operational",
]
Contributor


medium

There is significant duplication between the log_sizes list and the windows_logs list defined earlier in this file. This makes the code harder to maintain, as adding a new log channel to be collected might require adding it in two places.

To improve maintainability, consider defining log_sizes by filtering windows_logs instead of duplicating the entries. For example:

# Logs that should not have their size configured
logs_to_exclude_from_sizing = {
    "HardwareEvents",
    "Internet Explorer",
    "Key Management Service",
    "OAlerts",
    "Setup",
    "Microsoft-Windows-Sysmon/Operational",
}

# All channels get the same max size for sandbox use
log_sizes = [log for log in windows_logs if log not in logs_to_exclude_from_sizing]

Contributor Author


Won't fix — log_sizes is intentionally a subset of windows_logs. Not all channels need size configuration (e.g. some are low-volume and the default size is fine). Merging the two would either over-configure small channels or require a more complex data structure for no real benefit.

WorkingDirectory=/opt/zircolite
ExecStart=/etc/poetry/bin/poetry --directory /opt/CAPEv2/ run python zircolite.py --update-rules
ExecStartPost=/bin/bash -c 'for f in /opt/zircolite/rules/*.json; do dest="/opt/CAPEv2/data/sigma/$(basename "$f")"; [ -f "$dest" ] && cp "$f" "$dest"; done'
ExecStartPost=+/bin/systemctl restart cape-processor.service
Contributor


medium

The + prefix on this ExecStartPost command causes systemd to ignore any failures when restarting the cape-processor.service. If the service fails to restart, the new Sigma rules won't be loaded, but this update job will still be marked as successful. This can lead to a silent failure. For better operational robustness, it's recommended to remove the + so that a restart failure causes this service unit to enter a failed state, which can then be detected by monitoring systems.

ExecStartPost=/bin/systemctl restart cape-processor.service

Contributor Author


The + prefix is not for ignoring errors — it causes systemd to run that specific ExecStartPost command with full root privileges regardless of the User=cape directive. This is necessary because an unprivileged user cannot restart system services. See systemd.exec(5): "If the executable path is prefixed with '+', the process is executed with full privileges."

wmetcalf and others added 3 commits March 10, 2026 21:05
Event IDs from untrusted guest Sysmon logs were concatenated into
HTML without escaping. Apply escapeHtml() to all eid insertions.

Remove warning log for suspicious EVTX archive members.
@kevoreilly kevoreilly merged commit 0cdbc7a into kevoreilly:master Mar 12, 2026
4 checks passed