UserLine
This tool automates the creation of logon relations from MS Windows Security Events: it shows a graphical relation among users, domains, and source and destination logons, together with the duration of each session.
It has the following output modes:
- Standard output
- CSV file
- JSON file
- Neo4J graph
- Graphviz dot file
- Timesketch
Install
git clone https://github.com/THIBER-ORG/userline.git
cd userline/src
sudo pip3 install -U -r ../requirements.txt
Docker
Building a Docker image
Optionally you can build a Docker image as follows:
git clone https://github.com/THIBER-ORG/userline.git
cd userline
docker build . -t userline
Running from Docker
To work with UserLine when using the Docker image, use the following syntax:
docker run --rm -ti --net=host -v [YOUR_DATA_PATH]:/data userline userline [PARAMETERS]
Usage
$ ./userline.py -h

 /\ /\ ___  ___ _ __ / /(_)_ __   ___
/ / \ \/ __|/ _ \ '__/ / | | '_ \ / _ \
\ \_/ /\__ \  __/ | / /__| | | | |  __/
 \___/ |___/\___|_| \____/_|_| |_|\___|  v0.2.4b

          Author: Chema Garcia (aka sch3m4)
                  @sch3m4
                  https://github.com/thiber-org/userline

usage: userline.py [-h] [-H ESHOSTS] [-S POOL_SIZE] -i INDEX [-r URL]
                   (-x | -L | -E | -l | -w DATE) [-c PATH] [-j PATH] [-n BOLT]
                   [-g PATH] [-K PATH] [-F] [-d] [-f] [-s] [-t MIN_DATE]
                   [-T MAX_DATE] [-p PATTERN] [-I] [-k] [-v] [-m DATETIME]

optional arguments:
  -h, --help            show this help message and exit

Required arguments:
  -H ESHOSTS, --eshosts ESHOSTS
                        Single or comma separated list of ElasticSearch hosts
                        to query (default: localhost)
  -S POOL_SIZE, --pool-size POOL_SIZE
                        Connection pool size (default: 5)
  -i INDEX, --index INDEX
                        Index name/pattern
  -r URL, --redis URL   Redis URL (format: redis://:pass@host:port/db)

Actions:
  -x, --inspect         Gets some statistics about the indexed data
  -L, --last-shutdown   Gets last shutdown data
  -E, --last-event      Gets last event data
  -l, --logons          Shows user logon activity
  -w DATE, --who-was-at DATE
                        Shows only logged on users at a given time

Output:
  -c PATH, --csv-output PATH
                        CSV Output file
  -j PATH, --json-output PATH
                        JSON Output file
  -n BOLT, --neo4j BOLT
                        Neo4j bolt with auth (format:
                        bolt://user:pass@host:port)
  -g PATH, --graphviz PATH
                        Graphviz .dot file
  -K PATH, --timesketch PATH
                        Timesketch CSV file

CSV options:
  -F, --disable-timeframe
                        Do not create timeframe entries

JSON options:
  -d, --duplicate-events
                        Duplicate events (logon & logoff)

Neo4J options:
  -f, --neo4j-full-info
                        Saves full logon/logoff info in Neo4j relations

Graph (Neo4J/Graphviz) options:
  -s, --unique-logon-rels
                        Sets unique logon relations

Optional filtering arguments:
  -t MIN_DATE, --min-date MIN_DATE
                        Searches since specified date (default: 2016-07-23)
  -T MAX_DATE, --max-date MAX_DATE
                        Searches up to specified date (default: 2017-07-23)
  -p PATTERN, --pattern PATTERN
                        Includes pattern in search
  -I, --include-local   Includes local services logons (default: Excluded)
  -k, --include-locks   Includes workstation/screensaver lock events (default:
                        Excluded)
  -v, --verbose         Enables verbose mode

Extra information:
  -m DATETIME, --mark-if-logged-at DATETIME
                        Marks logged in users at a given time
Processed events
Logon events
- EVENT_WORKSTATION_UNLOCKED = 4801
- EVENT_SCREENSAVER_DISMISSED = 4803
- EVENT_LOGON = 4624
- EVENT_LOGON_EXPLICIT = 4648
- EVENT_SESSION_RECONNECTED = 4778
Logoff events
- EVENT_WORKSTATION_LOCKED = 4800
- EVENT_SCREENSAVER_INVOKED = 4802
- EVENT_SHUTDOWN = 4609
- EVENT_LOGOFF = 4634
- EVENT_SESSION_DISCONNECTED = 4779
- EVENT_LOGOFF_INITIATED = 4647
Tutorial
Copyright (c) 2017, Chema García
All rights reserved.
Source: https://github.com/thiber-org/