INST-004 · Instantiator · Security.evtx
Windows Event Log (EVTX) Instantiator
Contributed by @ioi-framework · 2025-01-01
Note
Designed for Security.evtx but the template generalises to any EVTX channel by changing the ioi-ext:channel value.
Dependencies
- rdflib>=6.0
- pandas>=1.3
Overview
Maps EvtxECmd CSV output to CASE/UCO-compliant JSON-LD using observable:EventRecordFacet for standard event fields and ioi-ext:EventLogFacet for channel metadata. Used by IoI rule IOI-007.
Input fields consumed
| CSV field (EvtxECmd) | Mapped to | Notes |
|---|---|---|
| EventId | observable:eventID | Stored as string for SPARQL string-match |
| TimeCreated | observable:startTime | ISO-8601 |
| Payload | observable:eventRecordText | |
| Channel | ioi-ext:channel | e.g. Security |
| Computer | ioi-ext:computer | Optional |
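The field mapping in the table above, as an added Python example that is not the project's own evtx_instantiator.py: it reads EvtxECmd-style CSV rows from a constructed sample and emits the EventRecordFacet / EventLogFacet JSON-LD using only the standard library. The UCO namespace IRIs are the published ones; the ioi-ext and kb IRIs are assumed placeholders because the page does not state them.

```python
import csv
import io
import json

# Constructed sample of EvtxECmd CSV output (not real case data); only the
# five columns the mapping table consumes are shown. Row 2 has no Computer.
SAMPLE_CSV = """EventId,TimeCreated,Payload,Channel,Computer
4624,2025-01-01T10:15:30.0000000Z,"{""EventData"":{""LogonType"":""10""}}",Security,WS01
1102,2025-01-01T10:16:05.0000000Z,"{""EventData"":{}}",Security,
"""

# Namespaces: UCO observable/core/xsd are the published IRIs; ioi-ext and kb
# are assumed placeholders, since the page does not give the project's IRIs.
CONTEXT = {
    "observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
    "xsd": "http://www.w3.org/2001/XMLSchema#",
    "ioi-ext": "https://example.invalid/ioi-ext#",
    "kb": "https://example.invalid/kb/",
}


def row_to_node(row: dict, index: int) -> dict:
    """Map one CSV row to an ObservableObject carrying the two facets."""
    event_record = {
        "@type": "observable:EventRecordFacet",
        # Kept as a string so rule IOI-007 can string-match it in SPARQL.
        "observable:eventID": str(row["EventId"]).strip(),
        "observable:startTime": {"@type": "xsd:dateTime", "@value": row["TimeCreated"]},
        "observable:eventRecordText": row["Payload"],
    }
    event_log = {"@type": "ioi-ext:EventLogFacet", "ioi-ext:channel": row["Channel"]}
    computer = (row.get("Computer") or "").strip()
    if computer:  # optional column: emit the property only when present
        event_log["ioi-ext:computer"] = computer
    return {
        "@id": f"kb:event-record-{index}",
        "@type": "observable:ObservableObject",
        "uco-core:hasFacet": [event_record, event_log],
    }


def instantiate(csv_text: str) -> dict:
    """Build the JSON-LD document: @context plus one node per CSV row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {"@context": CONTEXT, "@graph": [row_to_node(r, i) for i, r in enumerate(reader)]}


if __name__ == "__main__":
    print(json.dumps(instantiate(SAMPLE_CSV), indent=2))
```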
Usage
```shell
python3 instantiators/evtx_instantiator.py cases/data/AF-NNN/post-manipulation/security_post.jsonl cases/data/AF-NNN/graphs/security_case.jsonld
```