SysmonTools: tracking and visualizing Sysmon logs
Utilities for Sysmon
This repository contains the following:
- Sysmon View: an off-line Sysmon log visualization tool.
- Sysmon Shell: a Sysmon configuration utility.
Sysmon View helps in tracking and visualizing Sysmon logs by logically grouping and correlating the various Sysmon events together, using existing events data, such as executables names, session GUIDs, event creation time, etc., the tool then re-arranges this data for display into multiple views.
To get started, export Sysmon events to XML file using the built-in WEVTUtil, this file will be imported later by Sysmon View:
WEVTUtil query-events “Microsoft-Windows-Sysmon/Operational” /format:xml /e:sysmonview > eventlog.xml
Once exported, run Sysmon View and import the generated file “eventlog.xml” (or the name you selected), please note that this might take some time, depending on the size of the log file (the file needs to be imported once, subsequent runs of Sysmon View do not require importing the data again, just use the file menu
File -> Load existing data to load previously imported data again).
All data will be imported to an SQLite database file named SysmonViewDB that resides in the same location as Sysmon View executable. This file can be shared with others if required, just place the file in the same location as Sysmon View and use the command File -> Load existing data.
Each time a new XML file is imported, the database file will be deleted and re-created. To preserve any previously imported data, copy the database file to another location or simply rename it.
The database can be used directly in your own applications too, the database contains summaries of hashes, executables, IP addresses, geo mappings and all are logically linked through a file name or a session (executable GUID).
Hint: You can query the database file directly using any SQLite management software without the need for Sysmon View, for example, to generate reports or analyze data
Experimental – Sysmon View and Elasticsearch
Sysmon View version 1.5 can import Sysmon events from Elasticsearch. To get started, configure Winlogbeat to log Sysmon events to an Elasticsearch instance and create an index for “winlogbeats-*”, then use the new Elasticsearch import command from the “File” menu. Good reference to this setup can be found here.
This feature is currently in testing for several reasons:
- The previous setup might be different than what is being adopted by others
- Importing logs from Elasticsearch might impact the performance of the logs “visualization”, this is still being tested
- Connectivity to Elasticsearch needs to be “securely” improved (for example add support to SSL, X-Pack, etc…)
Process View this view simply helps focus on a summary of “run sessions”, for example, the analyst can start with executable name (such as cmd.exe) or event type (such as Network event), from there, further filtering can be applied, for example, finding running sessions originating for the same binary, but from different locations. This view utilizes the process GUID to filter events per session “run”, selecting any running session (from the list of GUIDs) will show all other related (correlated) events in a simple data-flow-like view, sorted using the time of the event. Note: in case data is being imported from an Elasticsearch instance instead of single machine, events can be arranged per executable per machine – check previous section “Experimental – Sysmon View and Elasticsearch”).
Access to Sysmon event details is provided by simply double-clicking any event in the view, for example, the previous screen capture shows the details of the Process Creation event (event ID 1), the tool also can integrate with VirusTotal upon demand for further hash and IP lookup (Needs an API key registration).
Map View : During the events import process, there is an option to geo-locate IP addresses, if set, Sysmon View will try to geo-map Network Destinations using https://ipstack.com/ service.
In map view, it is easy to navigate between correlated (related) events by using a network event as a starting point, again, the tool is able to achieve this using the running process session GUID. To explore related events, use the hyperlinks for the session GUID, a new view similar to process view will show up in a new window with all related session events:
All Events View can also be used to do a full search through all Sysmon collected events data, it also helps in viewing events that do not relate to other events, such as the “Driver Loaded” event type. Navigation between related events is still provided using the process GUID in addition to event details by clicking on FID link
Additionally, The All Events View supports pivot-like (grouping) arrangement of events, by machine name, event type or GUID, as shown below
Multiple grouping levels are also possible
Copyright 2018 Nader Shalabi. All rights reserved.