Lets get started by importing the python libraries we need

In [39]:
import pandas as pd
from datetime import datetime, timezone, timedelta, time, date

Next we can read in the JSON file containing the events of interest. Obviously this is a cleaner situation for easier analysis, and sometimes the Pandas Dataframe stage can be a difficult one if the data source isn't normalised

In [81]:
df = pd.read_json('cmd_psexec_lsa_secrets_dump_2020-10-1903305471.json', lines=True)

We can get an idea of the data we've imported using the shape below, we can see it's 286 rows, by 119 columns

In [179]:
df.shape

(286, 119)

Using the head function we can see the top 5 rows:

In [83]:
df.head(5)

Unnamed: 0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,DestinationPort,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath
0,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.104,WORKSTATION5,104,Security,The audit log was cleared.\r\nSubject:\r\n\tSe...,1102,,,,...,,,,,,,,,,
1,Microsoft-Windows-Security-Auditing,2020-10-19 03:30:45.323,WORKSTATION5,12810,Security,The Windows Filtering Platform has permitted a...,5158,0.0,58390.0,0.0.0.0,...,,,,,,,,,,
2,Microsoft-Windows-Security-Auditing,2020-10-19 03:30:45.324,WORKSTATION5,12810,Security,The Windows Filtering Platform has permitted a...,5156,69895.0,58390.0,192.168.2.5,...,,,,,,,,,,
3,Microsoft-Windows-Security-Auditing,2020-10-19 03:30:46.251,WORKSTATION5,13312,Security,A new process has been created.\r\n\r\nCreator...,4688,,,,...,,,,,,,,,,
4,Microsoft-Windows-Security-Auditing,2020-10-19 03:30:46.330,WORKSTATION5,12807,Security,An attempt was made to duplicate a handle to a...,4690,,,,...,,,,,,,,,,


If we examine the `TimeCreated` field specifically, we can see that it's of type `O` - indicating it's an object

In [84]:
df.TimeCreated.dtype

dtype('O')

We can have a look at the specific column of the top 5 rows:

In [85]:
df['TimeCreated'].head(5)

0    2020-10-19 03:30:41.104
1    2020-10-19 03:30:45.323
2    2020-10-19 03:30:45.324
3    2020-10-19 03:30:46.251
4    2020-10-19 03:30:46.330
Name: TimeCreated, dtype: object

We can manually select a specific time to show the rows on

In [93]:
df[df['TimeCreated'] == '2020-10-19 03:30:41.104']

Unnamed: 0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,DestinationPort,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath
0,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.104,WORKSTATION5,104,Security,The audit log was cleared.\r\nSubject:\r\n\tSe...,1102,,,,...,,,,,,,,,,


And we can filter further, selecting all rows where between the range of values

In [181]:
df[(df['TimeCreated'] >= '2020-10-19 03:30:40') & (df['TimeCreated'] <= '2020-10-19 03:30:42')]

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:41.104000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.104,WORKSTATION5,104,Security,The audit log was cleared.\r\nSubject:\r\n\tSe...,1102,,,,...,,,,,,,,,,True
2020-10-19 03:30:41.150000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.150,WORKSTATION5,104,System,The System log file was cleared.,104,,,,...,,,,,,,,,,True


The problem with the `TimeCreated` column though is it's an `object`, they have special operations they can do on the objects, but they're a little larger. Dataframes have a special type called `datetime64` which recognises that it's a timestamp and can let us do more time based operations.

We can convert the object to a `datetime64` type and set it as the index, sorting it at the same time below:

In [162]:
df.index = pd.to_datetime(df['TimeCreated'],format="%Y-%m-%d %H:%M:%S.%f").dt.tz_localize('UTC')
df.index.names = ['timestamp']
df.sort_index(inplace=True)
df.head(5)

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:41.104000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.104,WORKSTATION5,104,Security,The audit log was cleared.\r\nSubject:\r\n\tSe...,1102,,,,...,,,,,,,,,,True
2020-10-19 03:30:41.150000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.150,WORKSTATION5,104,System,The System log file was cleared.,104,,,,...,,,,,,,,,,True
2020-10-19 03:30:42.058000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:42.058,WORKSTATION5,11,Microsoft-Windows-Sysmon/Operational,File created:\r\nRuleName: -\r\nUtcTime: 2020-...,11,,,,...,,,,,,,,,,True
2020-10-19 03:30:42.851000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:42.851,WORKSTATION5,12,Microsoft-Windows-Sysmon/Operational,Registry object added or deleted:\r\nRuleName:...,12,,,,...,,,,,,,,,,True
2020-10-19 03:30:42.851000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:42.851,WORKSTATION5,13,Microsoft-Windows-Sysmon/Operational,Registry value set:\r\nRuleName: -\r\nEventTyp...,13,,,,...,,,,,,,,,,True


We can confirm that the index is now the proper `datetime64` type below:

In [163]:
df.index.dtype

datetime64[ns, UTC]

And we can use built in `DateTime` functions to simplify or programmatically query the times like below:

In [164]:
df.loc[time(3,30,40):time(3,30,42)]

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:41.104000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.104,WORKSTATION5,104,Security,The audit log was cleared.\r\nSubject:\r\n\tSe...,1102,,,,...,,,,,,,,,,True
2020-10-19 03:30:41.150000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.150,WORKSTATION5,104,System,The System log file was cleared.,104,,,,...,,,,,,,,,,True


Because our index is the times and it's sorted, we can see the starting and end time below

In [165]:
df.iloc[[0,-1]]

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:41.104000+00:00,Microsoft-Windows-Eventlog,2020-10-19 03:30:41.104,WORKSTATION5,104,Security,The audit log was cleared.\r\nSubject:\r\n\tSe...,1102,,,,...,,,,,,,,,,True
2020-10-19 03:30:53.402000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:53.402,WORKSTATION5,13,Microsoft-Windows-Sysmon/Operational,Registry value set:\r\nRuleName: -\r\nEventTyp...,13,,,,...,,,,,,,,,,


The advantage to doing this is programmatically being able to filter things. If we had a bigger data set that could span over multiple days we could filter down working hours, or other things. 

Below we're highlighting a 7 second window, indicating that these events are of interest, while the rest are not

In [182]:
day = date(2020,10,19)
starting_time = time(3,30,40)
ending_time = time(3,30,47)
start_time = datetime.combine(day, starting_time).replace(tzinfo=timezone.utc)
end_time = datetime.combine(day, ending_time).replace(tzinfo=timezone.utc)

df_interesting_events = (df.index > start_time) & (df.index <= end_time)
df.loc[df_interesting_events,'interesting'] = True
df.loc[~df_interesting_events,'interesting'] = False

We can then quickly see how many items appear to be 'of interest'

In [184]:
df[['interesting']].value_counts()

interesting
True           260
False           26
dtype: int64

We can also group and count different fields, which can be a useful mechanism for identifying rare items, or highlighting common items that might not be useful in your analysis

In [168]:
df[['EventID','SourceName']].value_counts()

EventID  SourceName                         
7        Microsoft-Windows-Sysmon               130
10       Microsoft-Windows-Sysmon                38
13       Microsoft-Windows-Sysmon                23
12       Microsoft-Windows-Sysmon                14
4658     Microsoft-Windows-Security-Auditing      8
11       Microsoft-Windows-Sysmon                 7
17       Microsoft-Windows-Sysmon                 7
18       Microsoft-Windows-Sysmon                 7
1        Microsoft-Windows-Sysmon                 4
5156     Microsoft-Windows-Security-Auditing      4
4690     Microsoft-Windows-Security-Auditing      4
4689     Microsoft-Windows-Security-Auditing      4
4688     Microsoft-Windows-Security-Auditing      4
4663     Microsoft-Windows-Security-Auditing      4
4703     Microsoft-Windows-Security-Auditing      4
4656     Microsoft-Windows-Security-Auditing      4
5        Microsoft-Windows-Sysmon                 4
5158     Microsoft-Windows-Security-Auditing      3
9        Microsoft-

We can also identify fields that may not have any values or content

In [170]:
df[df['SourceHostname'].notnull()]

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:47.681000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:47.681,WORKSTATION5,3,Microsoft-Windows-Sysmon/Operational,Network connection detected:\r\nRuleName: -\r\...,3,,58391.0,,...,True,-,True,,,,,,,
2020-10-19 03:30:47.681000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:47.681,WORKSTATION5,3,Microsoft-Windows-Sysmon/Operational,Network connection detected:\r\nRuleName: -\r\...,3,,58391.0,,...,True,-,False,,,,,,,


It's possible to create complex filters, looking for different values in different rows

In [169]:
mask_operational_log_event_id_1 = (df['Channel'] == 'Microsoft-Windows-Sysmon/Operational') & (df['EventID'] == 1)
df[mask_operational_log_event_id_1]

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:46.257000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:46.257,WORKSTATION5,1,Microsoft-Windows-Sysmon/Operational,Process Create:\r\nRuleName: -\r\nUtcTime: 202...,1,,,,...,,,,,,,,,,True
2020-10-19 03:30:46.438000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:46.438,WORKSTATION5,1,Microsoft-Windows-Sysmon/Operational,Process Create:\r\nRuleName: -\r\nUtcTime: 202...,1,,,,...,,,,,,,,,,True
2020-10-19 03:30:46.663000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:46.663,WORKSTATION5,1,Microsoft-Windows-Sysmon/Operational,Process Create:\r\nRuleName: -\r\nUtcTime: 202...,1,,,,...,,,,,,,,,,True
2020-10-19 03:30:46.674000+00:00,Microsoft-Windows-Sysmon,2020-10-19 03:30:46.674,WORKSTATION5,1,Microsoft-Windows-Sysmon/Operational,Process Create:\r\nRuleName: -\r\nUtcTime: 202...,1,,,,...,,,,,,,,,,True


This can then be taken further, we can create a mask that is a Pandas series which returns the index values where a condition is met. We can then use boolean logic to combine them together to create more complex queries.

Below we're looking where `psexesvc` is in the `ImagePath` column, or `Interesting` is `True`, but not where `EventID` is set to 7.

In [171]:
mask_psexec = df['ImagePath'].str.contains('PSEXESVC', na=False, case=False)
mask_event_id_7 = df['EventID'].astype(str) == '7'
mask_interesting = df['AccountName'] == 'LocalSystem'
df[(mask_psexec|mask_interesting)&~mask_event_id_7]

Unnamed: 0_level_0,SourceName,TimeCreated,Hostname,Task,Channel,Message,EventID,FilterRTID,SourcePort,SourceAddress,...,SourceIsIpv6,SourceHostname,Initiated,QueryName,QueryStatus,QueryResults,StartType,AccountName,ImagePath,interesting
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1,Unnamed: 16_level_1,Unnamed: 17_level_1,Unnamed: 18_level_1,Unnamed: 19_level_1,Unnamed: 20_level_1,Unnamed: 21_level_1
2020-10-19 03:30:46.416000+00:00,Service Control Manager,2020-10-19 03:30:46.416,WORKSTATION5,0,System,A service was installed in the system.\r\n\r\n...,7045,,,,...,,,,,,,demand start,LocalSystem,%SystemRoot%\PSEXESVC.exe,True


When looking at a timeline we may not necessarily know where to start because of the sheer volume of data. To help with that we can group data together based on a timeframe to try and provide an indicator of where we look. 

By grouping the `EventID` into a 3 second window, we can see that the majority of events happen around `03:30:45`

In [190]:
df['EventID'].groupby(pd.Grouper(freq='3S')).value_counts()

timestamp                  EventID
2020-10-19 03:30:39+00:00  104          1
                           1102         1
2020-10-19 03:30:42+00:00  10          14
                           13           5
                           11           1
                           12           1
2020-10-19 03:30:45+00:00  7          130
                           12          13
                           13          12
                           10          10
                           4658         8
                           17           7
                           18           7
                           11           6
                           1            4
                           5            4
                           4656         4
                           4663         4
                           4688         4
                           4689         4
                           4690         4
                           4703         4
                           5156         4