
New `encode` transformer

Open rabbitstack opened this issue 5 years ago • 0 comments

This transformer should be in charge of encoding the event params by using the specific data encoding algorithm. Users should be able to choose between hex, base64, and maybe asn1 encoders. The encode transformer should have the ability to filter out unwanted events and thus minimize the impact on performance in case of high event throughput.

Example config:

```yaml
transformers:
  encode:
    encoder: base64
    enabled: true
    condition: kevt.name = 'RegSetValue' and registry.value.type = 'REG_BINARY'
    kparams:
      - registry.value
```

rabbitstack • Jan 11 '21 15:01
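
A sketch of the condition-gated encoding step the issue proposes, as an added example that is not part of the issue and not fibratus code. The `Event` and `EncodeTransformer` types, the `RegBinary` predicate (a stand-in for the filter expression) and the sample event are hypothetical; only the hex and base64 encoders are covered.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Hypothetical types (not fibratus code); EncodeTransformer fields mirror the proposed config keys.
type Event struct {
	Name   string
	Params map[string][]byte
}

type EncodeTransformer struct {
	Encoder   string
	Enabled   bool
	Condition func(*Event) bool // stand-in for the filter expression
	KParams   []string
}

var encoders = map[string]func([]byte) string{"hex": hex.EncodeToString, "base64": base64.StdEncoding.EncodeToString}

// Transform returns encoded copies of the selected params, or nil if the event is skipped.
func (t *EncodeTransformer) Transform(e *Event) (map[string]string, error) {
	if !t.Enabled || (t.Condition != nil && !t.Condition(e)) {
		return nil, nil // rejected before any encoding work is done
	}
	enc, ok := encoders[t.Encoder]
	if !ok {
		return nil, fmt.Errorf("unsupported encoder %q", t.Encoder)
	}
	out := make(map[string]string, len(t.KParams))
	for _, name := range t.KParams {
		if raw, ok := e.Params[name]; ok {
			out[name] = enc(raw)
		}
	}
	return out, nil
}

func RegBinary(e *Event) bool { // the issue's example condition as a Go predicate
	return e.Name == "RegSetValue" && string(e.Params["registry.value.type"]) == "REG_BINARY"
}

func main() { // constructed sample event
	e := &Event{"RegSetValue", map[string][]byte{"registry.value.type": []byte("REG_BINARY"), "registry.value": {0xde, 0xad, 0xbe, 0xef}}}
	t := &EncodeTransformer{"base64", true, RegBinary, []string{"registry.value"}}
	fmt.Println(t.Transform(e))
}
```

Events that fail the condition return before the encoder is looked up, which is the cheap path the issue wants under high event throughput.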