From 78f34dc12e2b8861d116a10e2a394fd16cb874be Mon Sep 17 00:00:00 2001
From: Will Metcalf
Date: Wed, 10 Jun 2026 16:37:37 -0500
Subject: [PATCH] network_etw: accept evtx-rs for sysmon parsing (fix empty pid->image)
_parse_sysmon_evtx gated solely on HAVE_EVTX (python-evtx), but the inner _iter_sysmon_records prefers evtx-rs and only falls back to python-evtx. On images that ship only evtx-rs, the guard short-circuited to empty before opening evtx.zip, so the Sysmon EID 1 pid->image map was always empty and every network flow rendered without a process name. Gate on (HAVE_EVTX or HAVE_EVTX_RS) so either parser satisfies it.
---
 modules/processing/network_etw.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/processing/network_etw.py b/modules/processing/network_etw.py
index 39f557e43a1..ffb466dfcf9 100644
--- a/modules/processing/network_etw.py
+++ b/modules/processing/network_etw.py
@@ -453,7 +453,12 @@ def _parse_sysmon_evtx(self):
         pid_to_image = {}
         dns_queries = []
         evtx_path = os.path.join(self.analysis_path, "evtx", "evtx.zip")
-        if not HAVE_EVTX or not os.path.exists(evtx_path):
+        # Either parser can read the snapshot; _iter_sysmon_records prefers
+        # evtx-rs and only falls back to python-evtx. Gating solely on
+        # HAVE_EVTX (python-evtx) silently returned empty on images that ship
+        # only evtx-rs, zeroing out the pid->image map and leaving every
+        # network flow without a process name.
+        if not (HAVE_EVTX or HAVE_EVTX_RS) or not os.path.exists(evtx_path):
             return connections, pid_to_image, dns_queries
         tmpdir = tempfile.mkdtemp()