Skip to content
This repository has been archived by the owner on Feb 12, 2022. It is now read-only.

Autogenerate scripts (WIP) #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Autogenerate scripts (WIP) #1

wants to merge 1 commit into from

Conversation

mavam
Copy link
Collaborator

@mavam mavam commented Dec 12, 2018

This PR is still work in progress. The idea is to parse the sysmon XML file and convert it to JSON, which can then be used to create Zeek and Broker Python scripts as needed.

Please don't merge yet, I'll remove the WIP tag in the title when it's ready for review.

@salesforce-cla
Copy link

Thanks for the contribution! Before we can merge this, we need @mavam to sign the Salesforce.com Contributor License Agreement.

@mavam
Copy link
Collaborator Author

mavam commented Dec 12, 2018
edited

For example, the script generates the following output:

{
  "1": {
    "name": "ProcessCreate",
    "desc": "PROCESS CREATION",
    "args": [
      "UtcTime",
      "ProcessGuid",
      "ProcessID",
      "Image",
      "FileVersion",
      "Description",
      "Product",
      "Company",
      "CommandLine",
      "CurrentDirectory",
      "User",
      "LogonGuid",
      "LogonId",
      "TerminalSessionId",
      "IntegrityLevel",
      "Hashes",
      "ParentProcessGuid",
      "ParentProcessId",
      "ParentImage",
      "ParentCommandLine"
    ]
  },
  "2": {
    "name": "FileCreateTime",
    "desc": "FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM",
    "...": "..."
  }
}

For testing, I've been using https://github.com/SwiftOnSecurity/sysmon-config, which has a complete annotation of SYSMON EVENT comments (e.g., including the crucial DATA section).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
cla:missing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@mavam