I'm trying to parse sysmon logs in Netwitness and I've updated the
winevent_nic parser to the latest one on github. The problem is mostly
with reference.id = '1'. The parent process is not getting parsed which
really reduces the value of the logs. An...
Apparently the parent process was being parsed but the metakey was not
enabled. I had to enable the process.src meta key using the
'findmissing' script and copied the ouput to the table-map-custom.xml
file on the log decoder.
