Queries to parse sysmon event log file with Microsoft logparser.
Sysmon Event Format
These queries let the logparser tool extract the individual values from inside the Sysmon data field. The results can then be exported to a variety of formats for further analysis.
They can also be used with Log Parser Lizard to view the data in the GUI.
I created different queries because the fields differ between the event IDs that Sysmon generates.
### process-create-terminate
Query to combine the records for process start(1) and process terminate(5).
Query to display all processes started(1) by a specified user logon. The results also include terminate records(5) whose PID matches a process belonging to that logon. There will be extra terminate records(5), since no logon is associated with them, but the first terminate(5) should be the matching record for the displayed start record(1).
### file-create-time
Query to display all file create date change records(2).
Query to display all date records(2) where the new date is older than the previous date. Essentially, this detects actions consistent with timestomp/filetouch/setmace activity. The query excludes records that have 'chrome.exe' in the ImagePath property because Google Chrome makes a ton of date changes for some reason. I also found exfiltration-type artifacts from files I was copying to an external USB drive.
### file-create-file-count
Query to get a unique list of files that have had their date changed(2) and the program that made the change, plus a count of the number of times that file's date has been changed.
### file-create-file-count-no-chrome
Same as file-create-file-count, only this removes any records made by 'chrome.exe', since it makes a huge number of changes.
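The two checks behind the file-create-time and file-create-file-count queries, written as a small Python script instead of a Log Parser query (an added example, not one of the queries in this repo): split the pipe-delimited Strings field of an event 2 record into named values, flag records whose new creation time is older than the previous one while skipping chrome.exe, and count changes per image and file. The field order is assumed to follow the Sysmon event 2 schema, and the sample records are constructed.

```python
"""Detect back-dated file creation times in Sysmon event 2 records."""
from collections import Counter
from datetime import datetime

# Assumed order of the pipe-delimited Strings field for Sysmon event 2
# (RuleName and User, added by later Sysmon versions, are left out here).
EVENT2_FIELDS = ["UtcTime", "ProcessGuid", "ProcessId", "Image",
                 "TargetFilename", "CreationUtcTime", "PreviousCreationUtcTime"]


def parse_event2(strings_field):
    """Split the Strings field on '|' and name each value."""
    values = strings_field.split("|")
    if len(values) != len(EVENT2_FIELDS):
        raise ValueError("unexpected field count: %d" % len(values))
    return dict(zip(EVENT2_FIELDS, values))


def sysmon_time(text):
    """Sysmon writes UTC timestamps as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def backdated(rec, exclude=("chrome.exe",)):
    """True when the new creation time is older than the previous one and
    the writing image is not on the exclusion list (the no-chrome filter)."""
    image = rec["Image"].rsplit("\\", 1)[-1].lower()
    if image in exclude:
        return False
    return sysmon_time(rec["CreationUtcTime"]) < sysmon_time(rec["PreviousCreationUtcTime"])


def find_backdated(records):
    """Return the target file names of all back-dated records."""
    return [r["TargetFilename"] for r in map(parse_event2, records) if backdated(r)]


def change_counts(records):
    """Count date changes per (Image, TargetFilename), like file-create-file-count."""
    return Counter((r["Image"], r["TargetFilename"]) for r in map(parse_event2, records))


# Constructed sample records (not real log data): one back-dated file written by a
# tool, one Chrome cache file, and one normal copy whose new date is newer.
SAMPLE = [
    "2015-03-01 10:00:00.001|{guid-1}|4012|C:\\Tools\\touch.exe|C:\\Users\\bob\\evil.dll|2009-07-14 01:14:32.000|2015-03-01 09:59:58.120",
    "2015-03-01 10:00:05.000|{guid-2}|2200|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\Cache\\f_0001|2014-01-01 00:00:00.000|2015-03-01 10:00:04.000",
    "2015-03-01 10:00:07.000|{guid-3}|1234|C:\\Windows\\explorer.exe|E:\\backup\\report.docx|2015-03-01 10:00:07.000|2014-11-20 08:30:00.000",
]

if __name__ == "__main__":
    for name in find_backdated(SAMPLE):
        print("back-dated:", name)
```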
### driver-load
Query to display all driver load records(6).
### image-load
Query to display all image load records(7).
### network-connection
Query to display all records for network connections(4).
### network-socket-count
Query to display a unique list of network sockets (IP and port) from the connection records(4), plus a count of the number of records for each socket.
### network-connection-count
Query to display a unique list of network connections from the connection records(4), plus a count of the number of records for each connection.