├── LICENSE.txt ├── README.md ├── docker ├── docker-compose.yml ├── es │ └── elasticsearch.yml ├── kibana │ ├── conf.js │ └── kibana.yml ├── setup.sh ├── stixioc-import-server │ ├── Dockerfile │ └── server.conf └── sysmonsearch_collection ├── images ├── SysmonSearch-search.png ├── SysmonSearch.png ├── alert.png ├── dashboard.png ├── dns.png ├── event_correlation.png ├── event_list.png ├── event_statistics.png ├── event_summary.png ├── network_graph.png ├── parent_and_child.png ├── process_details.png ├── process_list.png ├── search.png └── sysmon_search_r.png ├── script ├── collection_alert_data.py ├── collection_alert_data_setting.py ├── collection_alert_data_setting.py.sample ├── collection_statistical_data.py ├── collection_statistical_data_setting.py ├── exec_collection_statistical_data.sh ├── requirements.txt └── rule_files │ └── 1.sample ├── stixioc-import-server ├── common.py ├── data │ ├── sample.ioc.xml │ ├── sample.stixv2.json │ ├── stixv2.json │ ├── stuxnet.ioc.xml │ └── stuxnet.stix.xml ├── handlers │ ├── __init__.py │ ├── base.py │ ├── ioc.py │ ├── stixv1.py │ └── stixv2.py ├── requirements.txt ├── server.conf ├── server.py ├── tests │ ├── ioc2stix.py │ ├── req_ioc.py │ ├── req_stixv1.py │ ├── req_stixv2.py │ └── stix2to1.py └── urls.py ├── sysmon_search_plugin ├── README.md ├── TRANSLATION.md ├── conf.js ├── gather-info.js ├── index.js ├── package.json ├── public │ ├── __tests__ │ │ └── index.js │ ├── app.js │ ├── assets │ │ └── i18n │ │ │ ├── locale-en.json │ │ │ └── locale-ja.json │ ├── css │ │ └── common.css │ ├── data │ │ ├── detail_list.js │ │ ├── detail_map.js │ │ ├── pc_info.js │ │ ├── proc_info.js │ │ ├── process_list.js │ │ └── process_map.js │ ├── dist │ │ ├── d3.v3.min.js │ │ ├── d3.v5.min.js │ │ ├── img │ │ │ └── network │ │ │ │ ├── acceptDeleteIcon.png │ │ │ │ ├── addNodeIcon.png │ │ │ │ ├── backIcon.png │ │ │ │ ├── connectIcon.png │ │ │ │ ├── cross.png │ │ │ │ ├── cross2.png │ │ │ │ ├── deleteIcon.png │ │ │ │ ├── downArrow.png │ │ │ │ 
├── editIcon.png │ │ │ │ ├── leftArrow.png │ │ │ │ ├── minus.png │ │ │ │ ├── plus.png │ │ │ │ ├── rightArrow.png │ │ │ │ ├── upArrow.png │ │ │ │ └── zoomExtends.png │ │ ├── jquery-3.3.1.min.js │ │ ├── vis-graph3d.min.js │ │ ├── vis-network.min.css │ │ ├── vis-network.min.js │ │ ├── vis-timeline-graph2d.min.css │ │ ├── vis-timeline-graph2d.min.js │ │ ├── vis.css │ │ ├── vis.js │ │ ├── vis.js.map │ │ ├── vis.map │ │ ├── vis.min.css │ │ ├── vis.min.js │ │ └── visual.css │ ├── images │ │ ├── arrow01.png │ │ ├── file.png │ │ ├── file_create_time.png │ │ ├── image_loaded.png │ │ ├── net.png │ │ ├── program.png │ │ ├── reg.png │ │ ├── reg_category.png │ │ ├── rthread.png │ │ ├── search_icon.png │ │ └── wmi.png │ ├── less │ │ └── main.less │ ├── routes.js │ └── templates │ │ ├── alert.html │ │ ├── dashboard.html │ │ ├── detail.html │ │ ├── event.html │ │ ├── host_statistic.html │ │ ├── hosts.html │ │ ├── overview.html │ │ ├── process_list.html │ │ ├── process_tree.html │ │ └── search.html ├── server │ ├── __tests__ │ │ └── index.js │ └── routes │ │ ├── search │ │ ├── Utils.js │ │ ├── alert_data.js │ │ ├── alert_host.js │ │ ├── alert_rule.js │ │ ├── dashboard.js │ │ ├── events.js │ │ ├── hosts.js │ │ ├── import_search.js │ │ ├── make_query.js │ │ ├── process.js │ │ ├── process_detail.js │ │ ├── process_list.js │ │ ├── process_overview.js │ │ ├── sm_search.js │ │ └── sm_unique_hosts.js │ │ ├── sysmon_search.js │ │ └── test.js └── winlogbeat.yml └── sysmon_search_r ├── .kibana-plugin-helpers.json ├── conf.js ├── dashboard-export.ndjson ├── index.js ├── package.json ├── public ├── app.js ├── app.scss └── components │ └── main │ ├── dist │ ├── d3.min.js │ ├── img │ │ └── network │ │ │ ├── acceptDeleteIcon.png │ │ │ ├── addNodeIcon.png │ │ │ ├── backIcon.png │ │ │ ├── connectIcon.png │ │ │ ├── cross.png │ │ │ ├── cross2.png │ │ │ ├── deleteIcon.png │ │ │ ├── downArrow.png │ │ │ ├── editIcon.png │ │ │ ├── leftArrow.png │ │ │ ├── minus.png │ │ │ ├── plus.png │ │ │ ├── 
rightArrow.png │ │ │ ├── upArrow.png │ │ │ └── zoomExtends.png │ ├── vis-network.css │ ├── vis-network.js │ ├── vis-network.min.css │ ├── vis-network.min.js │ └── vis-timeline │ │ ├── standalone │ │ ├── esm │ │ │ ├── index.d.ts │ │ │ ├── index.js │ │ │ ├── vis-timeline-graph2d.d.ts │ │ │ ├── vis-timeline-graph2d.js │ │ │ ├── vis-timeline-graph2d.js.map │ │ │ ├── vis-timeline-graph2d.min.d.ts │ │ │ ├── vis-timeline-graph2d.min.js │ │ │ └── vis-timeline-graph2d.min.js.map │ │ ├── index.d.ts │ │ ├── index.js │ │ └── umd │ │ │ ├── index.d.ts │ │ │ ├── index.js │ │ │ ├── vis-timeline-graph2d.d.ts │ │ │ ├── vis-timeline-graph2d.js │ │ │ ├── vis-timeline-graph2d.js.map │ │ │ ├── vis-timeline-graph2d.min.d.ts │ │ │ ├── vis-timeline-graph2d.min.js │ │ │ └── vis-timeline-graph2d.min.js.map │ │ └── styles │ │ ├── vis-timeline-graph2d.css │ │ ├── vis-timeline-graph2d.css.map │ │ ├── vis-timeline-graph2d.min.css │ │ └── vis-timeline-graph2d.min.css.map │ ├── images │ ├── arrow01.png │ ├── file.png │ ├── file_create_time.png │ ├── image_loaded.png │ ├── net.png │ ├── program.png │ ├── reg.png │ ├── reg_category.png │ ├── rthread.png │ ├── search_icon.png │ └── wmi.png │ ├── index.js │ ├── main.js │ ├── network.css │ ├── overview_network.js │ ├── pie_chart.js │ ├── process_network.js │ ├── react-graph-vis.js │ ├── react-visjs-timeline.js │ ├── search_rules.js │ ├── ss_alert.js │ ├── ss_detail.css │ ├── ss_detail.js │ ├── ss_events.js │ ├── ss_overview.js │ ├── ss_process.js │ ├── ss_processlist.js │ ├── ss_search.js │ ├── ss_stats.css │ ├── ss_stats.js │ ├── ss_summary.js │ ├── ss_tabs.js │ ├── ss_utils.js │ └── ss_visualize.js └── winlogbeat.yml /LICENSE.txt: -------------------------------------------------------------------------------- 1 | The 3-Clause BSD License 2 | 3 | SPDX short identifier: BSD-3-Clause 4 | Note: This license has also been called the "New BSD License" or "Modified BSD License". See also the 2-clause BSD License. 
5 | 6 | --- 7 | 8 | Copyright 2023 JPCERT Coordination Center 9 | 10 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 11 | 12 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 13 | 14 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 15 | 16 | 3. Neither JPCERT Coordination Center nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 | 20 | IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SysmonSearch 2 | 3 | SysmonSearch make event log analysis more effective and less time consuming, by aggregating event logs generated by Microsoft's Sysmon. 
4 | 5 | ![SysmonSearch system](images/SysmonSearch.png) 6 | 7 | ## System Overview 8 | SysmonSearch uses Elasticsearch and Kibana (and a Kibana plugin). 9 | * **Elasticsearch** 10 | Elasticsearch collects/stores Sysmon's event logs. 11 | * **Kibana** 12 | Kibana provides the user interface for your Sysmon event log analysis. The following functions are implemented as a Kibana plugin. 13 | * Visualization Function 14 | This function visualizes Sysmon's event logs to illustrate the correlation of processes and networks. 15 | * Statistical Function 16 | This function collects statistics per device or per Sysmon event ID. 17 | * Monitor Function 18 | This function monitors incoming logs based on the preconfigured rules and triggers alerts. 19 | * **StixIoC server** 20 | You can add search/monitor conditions by uploading a STIX/IOC file. From the StixIoC server Web UI, you can upload STIXv1, STIXv2 and OpenIOC format files. 21 | 22 | ## Use SysmonSearch 23 | To try SysmonSearch, you can either 1) install the software in your own Linux environment by following the instructions below, or 2) use the docker image: 24 | 1. [Install to your own linux box](https://github.com/JPCERTCC/SysmonSearch/wiki/Install) 25 | 2. [Use docker image](https://github.com/JPCERTCC/SysmonSearch/wiki/Setup-with-Docker) 26 | 27 | ## Documentation 28 | For details, please check [the SysmonSearch wiki](https://github.com/JPCERTCC/SysmonSearch/wiki). 
29 | -------------------------------------------------------------------------------- /docker/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '2.2' 2 | services: 3 | elasticsearch: 4 | image: docker.elastic.co/elasticsearch/elasticsearch:7.6.0 5 | volumes: 6 | - ./es/es-data:/usr/share/elasticsearch/data 7 | - ./es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml 8 | container_name: docker-sysmonsearch-es 9 | environment: 10 | #- cluster.name=docker-cluster 11 | - bootstrap.memory_lock=true 12 | - "ES_JAVA_OPTS=-Xms512m -Xmx512m" 13 | ports: 14 | - 9200:9200 15 | expose: 16 | - 9300 17 | ulimits: 18 | memlock: 19 | soft: -1 20 | hard: -1 21 | nofile: 22 | soft: 65536 23 | hard: 65536 24 | kibana: 25 | #image: docker.elastic.co/kibana/kibana-oss:7.6.0 26 | image: docker.elastic.co/kibana/kibana:7.6.0 27 | volumes: 28 | - ./kibana/kibana.yml:/usr/share/kibana/config/kibana.yml 29 | - ../sysmon_search_plugin:/usr/share/kibana/plugins/sysmon_search_plugin 30 | - ../sysmon_search_r:/usr/share/kibana/plugins/sysmon_search_r 31 | - ./kibana/conf.js:/usr/share/kibana/plugins/sysmon_search_plugin/conf.js 32 | - ./kibana/conf.js:/usr/share/kibana/plugins/sysmon_search_r/conf.js 33 | - ./rule_files:/tmp/rule_files 34 | container_name: docker-sysmonsearch-kibana 35 | ports: 36 | - 5601:5601 37 | stixioc-import-server: 38 | build: 39 | context: stixioc-import-server 40 | # args: 41 | # - http_proxy=[proxy_server_URL] 42 | # - https_proxy=[proxy_server_URL] 43 | command: bash -c "cd /root/stixioc-import-server/ && python server.py" 44 | volumes: 45 | - ../stixioc-import-server:/root/stixioc-import-server 46 | - ./stixioc-import-server/server.conf:/root/stixioc-import-server/server.conf 47 | - ./logs:/root/stixioc-import-server/logs 48 | - ../script:/root/script 49 | - ./stixioc-import-server/winlogbeat.yml:/root/script/winlogbeat.yml 50 | - ./rule_files:/root/script/rule_files 51 | 
container_name: docker-stixioc-import-server 52 | ports: 53 | - 56020:56020 54 | -------------------------------------------------------------------------------- /docker/es/elasticsearch.yml: -------------------------------------------------------------------------------- 1 | node.name: node-1 2 | network.host: 0.0.0.0 3 | http.port: 9200 4 | cluster.initial_master_nodes: ["node-1"] 5 | xpack.ml.enabled: false 6 | xpack.security.enabled: false 7 | xpack.security.transport.ssl.enabled: true 8 | xpack.security.audit.enabled: true -------------------------------------------------------------------------------- /docker/kibana/conf.js: -------------------------------------------------------------------------------- 1 | var conf = { 2 | //elasticsearch server URL 3 | "elasticsearch_url": "elasticsearch", 4 | //elasticsearch server Port 5 | "elasticsearch_port": "9200", 6 | //monitor rule file path 7 | "savepath": "/tmp/rule_files", 8 | //stixioc import server URL 9 | "import_server_url": "stixioc-import-server", 10 | //stixioc import server port 11 | "import_server_port": "56020", 12 | //internal time (hour) 13 | "refine_time_range": "1", 14 | //maximum object number 15 | "max_object_num": "30", 16 | "elasticsearch_user": "elastic", 17 | "elasticsearch_password": "changeme", 18 | }; 19 | exports.conf = conf; 20 | -------------------------------------------------------------------------------- /docker/kibana/kibana.yml: -------------------------------------------------------------------------------- 1 | server.port: 5601 2 | server.host: "0.0.0.0" 3 | elasticsearch.hosts: ["http://elasticsearch:9200"] 4 | csp.rules: 5 | - "script-src 'self' 'unsafe-eval' 'sha256-M2M+sgC2bZ4r73FO1LV5JmHiS5COwEb2Uqw7EbsHmBY='" 6 | 7 | elasticsearch.username: elastic 8 | elasticsearch.password: changeme 9 | -------------------------------------------------------------------------------- /docker/setup.sh: -------------------------------------------------------------------------------- 1 | 
#!/bin/sh 2 | 3 | mkdir -v -p logs rule_files es/es-data 4 | chmod -R 777 logs rule_files es/es-data 5 | cp -v ../sysmon_search_plugin/winlogbeat.yml stixioc-import-server 6 | docker-compose build stixioc-import-server 7 | cd ../sysmon_search_r && npm install 8 | -------------------------------------------------------------------------------- /docker/stixioc-import-server/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python 2 | 3 | RUN pip install tornado openioc-to-stix git+https://github.com/oasis-open/cti-stix-slider.git pyyaml elasticsearch 4 | 5 | WORKDIR /root/stixioc-import-server/ 6 | -------------------------------------------------------------------------------- /docker/stixioc-import-server/server.conf: -------------------------------------------------------------------------------- 1 | # addr 2 | addr="0.0.0.0" 3 | 4 | # port 5 | port=56020 6 | 7 | # log level info/debug 8 | logging='info' 9 | 10 | # Debug 11 | debug=True 12 | -------------------------------------------------------------------------------- /docker/sysmonsearch_collection: -------------------------------------------------------------------------------- 1 | PATH=/sbin:/usr/sbin:/bin:/usr/bin 2 | 3 | 0,30 * * * * docker exec -it docker-stixioc-import-server python ../script/collection_alert_data.py 4 | 0 1 * * * * DATE=`date -d "-1 day" "+%Y.%m.%d"` ; docker exec -it docker-stixioc-import-server python ../script/collection_statistical_data.py $DATE 5 | -------------------------------------------------------------------------------- /images/SysmonSearch-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/SysmonSearch-search.png -------------------------------------------------------------------------------- /images/SysmonSearch.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/SysmonSearch.png -------------------------------------------------------------------------------- /images/alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/alert.png -------------------------------------------------------------------------------- /images/dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/dashboard.png -------------------------------------------------------------------------------- /images/dns.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/dns.png -------------------------------------------------------------------------------- /images/event_correlation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/event_correlation.png -------------------------------------------------------------------------------- /images/event_list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/event_list.png -------------------------------------------------------------------------------- /images/event_statistics.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/event_statistics.png -------------------------------------------------------------------------------- /images/event_summary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/event_summary.png -------------------------------------------------------------------------------- /images/network_graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/network_graph.png -------------------------------------------------------------------------------- /images/parent_and_child.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/parent_and_child.png -------------------------------------------------------------------------------- /images/process_details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/process_details.png -------------------------------------------------------------------------------- /images/process_list.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/process_list.png -------------------------------------------------------------------------------- /images/search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/search.png 
-------------------------------------------------------------------------------- /images/sysmon_search_r.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/images/sysmon_search_r.png -------------------------------------------------------------------------------- /script/collection_alert_data_setting.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | ELASTICSEARCH_SERVER = "elasticsearch" 5 | ELASTICSEARCH_PORT = 9200 6 | ELASTICSEARCH_USER="elastic" 7 | ELASTICSEARCH_PASS="changeme" 8 | 9 | INDEX_NAME_ORG = "winlogbeat" 10 | INDEX_NAME = "sysmon-search-alert" 11 | MAX_GET_SIZE = 10000 12 | RULE_FILE_DIRECTORY = "/root/script/rule_files/*" 13 | WINLOGBEAT_YML = "/root/script/winlogbeat.yml" 14 | #WINLOGBEAT_YML = "../sysmon_search_plugin/winlogbeat.yml" 15 | -------------------------------------------------------------------------------- /script/collection_alert_data_setting.py.sample: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | # http service port 5 | ELASTICSEARCH_SERVER = "localhost" 6 | INDEX_NAME_ORG = "winlogbeat" 7 | INDEX_NAME = "sysmon-search-alert" 8 | MAX_GET_SIZE = 10000 9 | RULE_FILE_DIRECTORY = "C:\\rule_files\\*" 10 | -------------------------------------------------------------------------------- /script/collection_statistical_data_setting.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | ELASTICSEARCH_SERVER = "elasticsearch" 5 | ELASTICSEARCH_PORT = 9200 6 | ELASTICSEARCH_USER = "elastic" 7 | ELASTICSEARCH_PASS = "changeme" 8 | 9 | INDEX_NAME_ORG = "winlogbeat" 10 | INDEX_NAME = "sysmon-search-statistics" 11 | MAX_GET_SIZE = 10000 
12 | WINLOGBEAT_YML = "/root/script/winlogbeat.yml" 13 | #WINLOGBEAT_YML = "../sysmon_search_plugin/winlogbeat.yml" 14 | 15 | #IP address to exclude from statistics 16 | EXCLUDED_IPADDRESS = [ 17 | ] 18 | 19 | #process to exclude from statistics 20 | EXCLUDED_PROCESS = [ 21 | ] 22 | -------------------------------------------------------------------------------- /script/exec_collection_statistical_data.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # * set siva install folder path 4 | export SCRIPT_HOME=/root/script 5 | export SCRIPTPATH=$SCRIPT_HOME/collection_statistical_data.py 6 | OUT_LOG=$SCRIPT_HOME/logs/collection_statistical_data.log 7 | 8 | init_env() { 9 | source $SCRIPT_HOME/.env/bin/activate 10 | } 11 | 12 | start() { 13 | #nohup python $SCRIPTPATH >> $OUT_LOG 2>&1 & 14 | DATE=$1 15 | python $SCRIPTPATH $DATE 16 | #python $SCRIPTPATH $1 17 | } 18 | 19 | echo -n "Starting collection_statistical_data.py: " 20 | echo 21 | #init_env 22 | start $1 23 | 24 | exit $? 
25 | -------------------------------------------------------------------------------- /script/requirements.txt: -------------------------------------------------------------------------------- 1 | antlr4-python3-runtime==4.7.2 2 | certifi==2019.11.28 3 | chardet==3.0.4 4 | cybox==2.1.0.20 5 | elasticsearch==7.1.0 6 | idna==2.8 7 | lxml==4.4.2 8 | mixbox==1.0.3 9 | openioc-to-stix==1.4.0 10 | ordered-set==3.1.1 11 | ordereddict==1.1 12 | python-dateutil==2.8.1 13 | pytz==2019.3 14 | PyYAML==5.2 15 | requests==2.22.0 16 | simplejson==3.17.0 17 | six==1.13.0 18 | stix==1.2.0.7 19 | stix-validator==2.5.0 20 | stix2==1.1.0 21 | stix2-patterns==1.2.1 22 | stix2-slider==2.0.0 23 | stixmarx==1.0.6 24 | tornado==6.0.3 25 | urllib3==1.25.7 26 | xlrd==1.2.0 27 | -------------------------------------------------------------------------------- /script/rule_files/1.sample: -------------------------------------------------------------------------------- 1 | { 2 | "operator" : "AND", 3 | "patterns": [ 4 | { 5 | "key" : "Hash", 6 | "value" : "md" 7 | }, 8 | { 9 | "key" : "ProcessName", 10 | "value" : "net" 11 | } 12 | ] 13 | } -------------------------------------------------------------------------------- /stixioc-import-server/data/sample.ioc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 192.168.1.1 10 | 11 | 12 | 13 | deadbeef:deadbeef:deadbeef:deadbeef 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 5432 22 | 23 | 24 | 25 | 26 | 27 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | evilMutex 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | mdmcpq3.PNF 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters\ServiceDLL 64 | 65 | 66 | 67 | Services\RasAuto\Parameters 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | svchost.exe 76 | 77 | 78 | 79 | 0xffef 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 0123456789abcdef0123456789abcdef 88 | 89 | 90 | 91 | aabbccddeeff00112233445566778899 92 | 93 | 94 
| 95 | 98765432109876543210fedcbafedcba 96 | 97 | 98 | 99 | 100 | 101 | -------------------------------------------------------------------------------- /stixioc-import-server/data/sample.stixv2.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "bundle", 3 | "id": "bundle--0bd7aede-1fb7-4168-b782-3fb0a117e943", 4 | "spec_version": "2.0", 5 | "objects": [ 6 | { 7 | "type": "indicator", 8 | "id": "indicator--afc5cb0a-e803-4352-a0ee-acafe4f16690", 9 | "created": "2018-02-01T00:00:00.000Z", 10 | "modified": "2018-02-01T00:00:00.000Z", 11 | "labels": ["sample-activity"], 12 | "name": "IP address example", 13 | "description": "This is an example of IP address in patterns.", 14 | "pattern": "[ ipv4-addr:value = '127.0.0.1' OR ipv6-addr:value = 'deadbeef:deadbeef:deadbeef:deadbeef' ]", 15 | "valid_from": "2018-02-01T00:00:00.000Z" 16 | }, 17 | { 18 | "type": "indicator", 19 | "id": "indicator--52a5f48b-a4f2-40e5-9aea-24833a2c117b", 20 | "created": "2018-02-01T00:00:00.000Z", 21 | "modified": "2018-02-01T00:00:00.000Z", 22 | "labels": ["sample-activity"], 23 | "name": "Process name example", 24 | "description": "This is an example of Process name in patterns.", 25 | "pattern": "[ process:name = 'fooproc' ]", 26 | "valid_from": "2018-02-01T00:00:00.000Z" 27 | }, 28 | { 29 | "type": "indicator", 30 | "id": "indicator--e72e6491-a319-473c-8d55-4c04af00082b", 31 | "created": "2018-02-01T00:00:00.000Z", 32 | "modified": "2018-02-01T00:00:00.000Z", 33 | "labels": ["sample-activity"], 34 | "name": "File name example", 35 | "description": "This is an example of File name in patterns.", 36 | "pattern": "[ file:name = 'foo.dll' ]", 37 | "valid_from": "2018-02-01T00:00:00.000Z" 38 | }, 39 | { 40 | "type": "indicator", 41 | "id": "indicator--fb4d266f-4975-4c9d-9ede-bf3e75655c43", 42 | "created": "2018-02-01T00:00:00.000Z", 43 | "modified": "2018-02-01T00:00:00.000Z", 44 | "labels": ["sample-activity"], 45 | "name": "Registry key 
example", 46 | "description": "This is an example of Registry key in patterns.", 47 | "pattern": "[ windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\System\\\\Foo\\\\Bar' ]", 48 | "valid_from": "2018-02-01T00:00:00.000Z" 49 | }, 50 | { 51 | "type": "indicator", 52 | "id": "indicator--abd8bdfd-9c26-427e-b59b-3a446a16e431", 53 | "created": "2018-02-01T00:00:00.000Z", 54 | "modified": "2018-02-01T00:00:00.000Z", 55 | "labels": ["sample-activity"], 56 | "name": "Registry value example", 57 | "description": "This is an example of Registry value in patterns.", 58 | "pattern": "[ windows-registry-key:values[*].data = 'qwerty' ]", 59 | "valid_from": "2018-02-01T00:00:00.000Z" 60 | }, 61 | { 62 | "type": "indicator", 63 | "id": "indicator--f195c7ea-e565-41c4-a0c5-5777b2a59fe7", 64 | "created": "2018-02-01T00:00:00.000Z", 65 | "modified": "2018-02-01T00:00:00.000Z", 66 | "labels": ["sample-activity"], 67 | "name": "Hash value example", 68 | "description": "This is an example of Hash value in patterns.", 69 | "pattern": "[ file:hashes.'MD5' = 'f7731ec55c841a9b5ffa6a3c1de50ea2' OR file:hashes.'SHA-1' = '54f42145ff085ce8e39dd14cf2568e34f248ef32' OR file:hashes.'SHA-256' = '1a3c501462412dd9569738c82eaf08f06ba2e65335c09c4a9c854906796b6488' ]", 70 | "valid_from": "2018-02-01T00:00:00.000Z" 71 | } 72 | ] 73 | } 74 | -------------------------------------------------------------------------------- /stixioc-import-server/data/stixv2.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "indicator", 3 | "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", 4 | "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", 5 | "created": "2016-04-06T20:03:48.000Z", 6 | "modified": "2016-04-06T20:03:48.000Z", 7 | "labels": ["malicious-activity"], 8 | "name": "Poison Ivy Malware", 9 | "description": "This file is part of Poison Ivy", 10 | "pattern": "[ file:hashes.'SHA-256' = 
'4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' AND file:size = 100 ]", 11 | "valid_from": "2016-01-01T00:00:00Z" 12 | } -------------------------------------------------------------------------------- /stixioc-import-server/data/stuxnet.ioc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | STUXNET VIRUS (METHODOLOGY) 4 | Generic indicator for the stuxnet virus. When loaded, stuxnet spawns lsass.exe in a suspended state. The malware then maps in its own executable section and fixes up the CONTEXT to point to the newly mapped in section. This is a common task performed by malware and allows the malware to execute under the pretense of a known and trusted process. 5 | methodology 6 | Mandiant 7 | 0001-01-01T00:00:00 8 | 9 | 10 | 11 | 12 | 13 | .stub 14 | 15 | 16 | 17 | mdmcpq3.PNF 18 | 19 | 20 | 21 | mdmeric3.PNF 22 | 23 | 24 | 25 | oem6C.PNF 26 | 27 | 28 | 29 | oem7A.PNF 30 | 31 | 32 | 33 | 34 | fs_rec.sys 35 | 36 | 37 | 38 | mrxsmb.sys 39 | 40 | 41 | 42 | sr.sys 43 | 44 | 45 | 46 | fastfat.sys 47 | 48 | 49 | 50 | 51 | 52 | mrxcls.sys 53 | 54 | 55 | 56 | Realtek Semiconductor Corp 57 | 58 | 59 | 60 | 61 | 62 | mrxnet.sys 63 | 64 | 65 | 66 | Realtek Semiconductor Corp 67 | 68 | 69 | 70 | 71 | 72 | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\ImagePath 73 | 74 | 75 | 76 | mrxcls.sys 77 | 78 | 79 | 80 | 81 | 82 | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\ImagePath 83 | 84 | 85 | 86 | mrxnet.sys 87 | 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /stixioc-import-server/handlers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/stixioc-import-server/handlers/__init__.py -------------------------------------------------------------------------------- 
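# /stixioc-import-server/handlers/base.py:
# # -*- coding: utf-8 -*-
"""Shared Tornado request-handler base for the STIX/IOC conversion endpoints."""

import json
import logging
import traceback

import tornado.web
from tornado.log import app_log, gen_log
from tornado.web import HTTPError

logger = logging.getLogger('stixioc-import-server.' + __name__)


class BaseConvertHandler(tornado.web.RequestHandler):
    u'''
    Common response helpers for the convert handlers.

    Subclasses implement post() and reply through http_normal() on success
    or http_error() on failure; errors are rendered as JSON by write_error().
    '''

    def write_error(self, status_code, **kwargs):
        u'''
        Override RequestHandler.write_error() to emit a JSON error body.

        The body is {"error": {"code": ..., "message": ...}}. When the
        application runs with serve_traceback (Tornado enables it together
        with debug=True) and an exception is being reported, the last line of
        the formatted traceback -- the exception type and message -- is added
        as "traceback". That line can expose internal details to the client,
        so debug should stay off outside development.
        '''
        self.set_header('Content-Type', 'application/json')

        error = {
            'code': status_code,
            'message': self._reason,
        }
        if self.settings.get("serve_traceback") and "exc_info" in kwargs:
            # in debug mode, try to send a traceback (final line only, not
            # the full list of frames)
            lines = traceback.format_exception(*kwargs["exc_info"])
            # 'traceback': lines,
            error['traceback'] = lines[-1]

        self.finish(json.dumps({'error': error}))

    def http_error(self, status_code, reason=None, msg=None):
        u'''
        Abort the current request with *status_code*.

        The status (and optional *reason* phrase) is set first, then an
        HTTPError is raised so Tornado routes the response through
        write_error(). *msg* becomes the HTTPError's log_message; with
        serve_traceback enabled it may therefore surface in the "traceback"
        field that write_error() sends.
        '''
        self.set_status(status_code, reason)
        # self.write_error(status_code)
        raise HTTPError(status_code=status_code, reason=reason, log_message=msg)

    def http_normal(self, status_code=None, msg=None):
        u'''
        Finish the request with *msg* as the response body.

        *status_code* is applied only when given; a None *msg* is written as
        an empty string. A dict *msg* is serialised to JSON by
        RequestHandler.write().
        '''
        if status_code is not None:
            self.set_status(status_code)
        self.write(msg if msg is not None else u'')

        # %s rather than %d: status_code may be None, and %d would make the
        # logging call itself fail to format (same text for integers).
        gen_log.info('Response status:"%s"/message:"%s"', status_code, msg)

        self.finish()


def out_gen_log():
    u'''
    Placeholder hook; intentionally does nothing.
    '''
    pass


# /stixioc-import-server/handlers/ioc.py: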
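--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""``/convert/ioc``: translate an uploaded OpenIOC document into search items."""

import logging
import traceback
from io import BytesIO

import tornado.web
from lxml import etree
from mixbox import idgen, namespaces
from openioc2stix.translate import to_stix
from stix.core import STIXPackage as STIXPackage_v1
from tornado.log import app_log, gen_log

import common
from .base import BaseConvertHandler

logger = logging.getLogger('stixioc-import-server.' + __name__)

# Namespace registered with mixbox before each translation so the generated
# STIX ids use the "openioc" prefix.
_OPENIOC_NS = namespaces.Namespace("http://openioc.org/openioc", "openioc", "")


def _get_stix_package(ioc_xml):
    """Translate OpenIOC XML bytes into a STIX 1.x package.

    Args:
        ioc_xml: Raw bytes of the uploaded OpenIOC document.

    Returns:
        A ``stix.core.STIXPackage`` built from the translated XML.

    Raises:
        RuntimeError: if ``ioc_xml`` is ``None`` or empty.

    NOTE(review): the upload is untrusted XML parsed by openioc2stix; whether
    its parser resolves external entities depends on that library's lxml
    configuration -- confirm before exposing the endpoint beyond trusted
    callers.
    """
    if not ioc_xml:
        raise RuntimeError('request body is empty.')

    idgen.set_id_namespace(_OPENIOC_NS)

    stix_obj = to_stix(BytesIO(ioc_xml))

    # Round-trip through XML so the result is a python-stix STIXPackage.
    return STIXPackage_v1.from_xml(etree.fromstring(stix_obj.to_xml()))


class IoCConvertHandler(BaseConvertHandler):
    """Accept a multipart upload of an OpenIOC file and return search items."""

    def initialize(self):
        pass

    def post(self):
        """Convert every uploaded file and answer with ``{'fields': [...]}``.

        ``msg`` is overwritten per file, so only the last processed file's
        patterns are returned. Any failure is logged together with the raw
        request body and mapped to HTTP 400.
        """
        try:
            msg = None
            for field_name, files in self.request.files.items():
                for upload in files:
                    filename, content_type = upload['filename'], upload['content_type']
                    body = upload['body']

                    gen_log.info('POST "%s" "%s" %d bytes', filename, content_type, len(body))
                    # Full upload contents only at DEBUG (as stixv2 does): they
                    # can be large and may contain sensitive indicator data.
                    gen_log.debug('POST file body:\n"%s"', body)

                    stix_package = _get_stix_package(body)
                    if stix_package is not None:
                        patterns = common.get_search_items(stix_package)
                        msg = {'fields': patterns}

            self.http_normal(200, msg=msg if msg is not None else u'OK')

        except Exception:
            # Parse and translation errors all become a 400. The traceback is
            # written to the application log; base.write_error echoes its last
            # line to the client only when the server runs in debug mode.
            trace_msg = traceback.format_exc()
            emsg = u'request_msg:{0} {1}'.format(self.request.body, trace_msg)
            gen_log.error(u',[session-id:{0}],{1}'.format(None, emsg))
            self.http_error(400, msg=trace_msg)

    def get(self):
        raise tornado.web.HTTPError(405, u'Method Not Allowed')

    def delete(self):
        raise tornado.web.HTTPError(405, u'Method Not Allowed')

--------------------------------------------------------------------------------
/stixioc-import-server/handlers/stixv1.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""``/convert/stix/v1``: extract search items from an uploaded STIX 1.x document."""

import logging
import traceback
from io import StringIO

import stix.bindings.stix_core as stix
import tornado.web
from stix.core import STIXPackage as STIXPackage_v1
from tornado.log import app_log, gen_log

import common
from .base import BaseConvertHandler

logger = logging.getLogger('stixioc-import-server.' + __name__)


class StixV1ConvertHandler(BaseConvertHandler):
    """Accept a multipart upload of a STIX 1.x XML file and return search items."""

    def initialize(self):
        pass

    def post(self):
        """Parse every uploaded file and answer with ``{'fields': [...]}``.

        ``msg`` is overwritten per file, so only the last processed file's
        patterns are returned. Any failure is logged together with the raw
        request body and mapped to HTTP 400.
        """
        try:
            msg = None
            for field_name, files in self.request.files.items():
                for upload in files:
                    filename, content_type = upload['filename'], upload['content_type']
                    body = upload['body']

                    gen_log.info('POST "%s" "%s" %d bytes', filename, content_type, len(body))
                    # Full upload contents only at DEBUG (as stixv2 does).
                    gen_log.debug('POST file body:\n"%s"', body)

                    # parseString() takes text; the upload arrives as bytes.
                    # NOTE(review): untrusted XML is parsed by the python-stix
                    # bindings; check their lxml parser settings (external
                    # entity resolution) before exposing this endpoint widely.
                    stix_package = stix.parseString(body.decode())

                    patterns = common.get_search_items(stix_package)
                    msg = {'fields': patterns}

            self.http_normal(200, msg=msg if msg is not None else u'OK')

        except Exception:
            # format_exc() already returns str on Python 3 (tornado 6 is
            # Python-3-only); the former .decode('utf-8') raised
            # AttributeError inside this handler, turning every conversion
            # failure into a 500 instead of the intended 400.
            trace_msg = traceback.format_exc()
            emsg = u'request_msg:{0} {1}'.format(self.request.body, trace_msg)
            gen_log.error(u',[session-id:{0}],{1}'.format(None, emsg))
            self.http_error(400, msg=trace_msg)

    def get(self):
        raise tornado.web.HTTPError(405, u'Method Not Allowed')

    def delete(self):
        raise tornado.web.HTTPError(405, u'Method Not Allowed')

--------------------------------------------------------------------------------
/stixioc-import-server/handlers/stixv2.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""``/convert/stix/v2``: slide an uploaded STIX 2.0 JSON document to STIX 1.x."""

import json
import logging
import traceback

import stixmarx
import tornado.web
from stix2slider.convert_stix import convert_indicator
from stix2slider.options import initialize_options, set_option_value
from tornado.log import app_log, gen_log

import common
from .base import BaseConvertHandler

logger = logging.getLogger('stixioc-import-server.' + __name__)

# STIX 2.x version handed to stix2-slider.
stix_version = "2.0"


def _iter_indicators(json_content):
    """Yield the ``indicator`` objects of a decoded STIX 2 document.

    Accepts the three shapes the endpoint supports: a JSON list of objects,
    a ``bundle`` object (its ``objects`` list is scanned) or a single
    ``indicator`` object. Other object types, and non-object list entries,
    yield nothing.

    Args:
        json_content: Result of ``json.loads`` on the upload.

    Raises:
        ValueError: if the top-level JSON value is neither a list nor an
            object, since no STIX 2 content can be taken from it.
    """
    if isinstance(json_content, list):
        candidates = json_content
    elif isinstance(json_content, dict):
        obj_type = json_content.get("type")
        if obj_type == "bundle":
            objects = json_content.get("objects")
            candidates = objects if isinstance(objects, list) else []
        elif obj_type == "indicator":
            candidates = [json_content]
        else:
            candidates = []
    else:
        raise ValueError('unsupported STIX 2 document: expected a JSON object or list.')

    for obj in candidates:
        if isinstance(obj, dict) and obj.get("type") == "indicator":
            yield obj


def _get_stix_package(in_json):
    """Build a STIX 1.x package containing the converted indicators.

    Args:
        in_json: Raw bytes of the uploaded JSON document.

    Returns:
        The ``stix.core.STIXPackage`` created through ``stixmarx``.

    Raises:
        RuntimeError: if ``in_json`` is ``None`` or empty.
        ValueError: if the JSON is malformed or its top level is unsupported.
    """
    if not in_json:
        raise RuntimeError('request body is empty.')

    initialize_options()
    set_option_value("version_of_stix2x", stix_version)

    container = stixmarx.new()
    stix_package = container.package
    json_content = json.loads(in_json.decode())
    for json_data in _iter_indicators(json_content):
        stix_package.add_indicator(convert_indicator(json_data))

    # Finalize the stixmarx container before handing the package back.
    container.flush()

    return stix_package


class StixV2ConvertHandler(BaseConvertHandler):
    """Accept a multipart upload of a STIX 2.0 JSON file and return search items."""

    def initialize(self):
        pass

    def post(self):
        """Convert every uploaded file and answer with ``{'fields': [...]}``.

        ``msg`` is overwritten per file, so only the last processed file's
        patterns are returned. Any failure is logged together with the raw
        request body and mapped to HTTP 400.
        """
        try:
            msg = None
            for field_name, files in self.request.files.items():
                for upload in files:
                    filename, content_type = upload['filename'], upload['content_type']
                    body = upload['body']

                    gen_log.debug('POST "%s" "%s" %d bytes', filename, content_type, len(body))
                    gen_log.debug('POST file body:\n"%s"', body)

                    stix_package = _get_stix_package(body)
                    if stix_package is not None:
                        patterns = common.get_search_items(stix_package)
                        msg = {'fields': patterns}

            self.http_normal(200, msg=msg if msg is not None else u'OK')

        except Exception:
            trace_msg = traceback.format_exc()
            emsg = u'request_msg:{0} {1}'.format(self.request.body, trace_msg)
            gen_log.error(u',[session-id:{0}],{1}'.format(None, emsg))
            self.http_error(400, msg=trace_msg)

    def get(self):
        raise tornado.web.HTTPError(405, u'Method Not Allowed')

    def delete(self):
        raise tornado.web.HTTPError(405, u'Method Not Allowed')

--------------------------------------------------------------------------------
/stixioc-import-server/requirements.txt:
--------------------------------------------------------------------------------
antlr4-python3-runtime==4.7.2
certifi==2019.9.11
chardet==3.0.4
cybox==2.1.0.18
elasticsearch==7.0.5
elasticsearch-dsl==7.1.0
idna==2.8
lxml==4.4.1
mixbox==1.0.3
openioc-to-stix==1.4.0
ordered-set==3.1.1
ordereddict==1.1
# pkg-resources==0.0.0 is a `pip freeze` artifact of Debian/Ubuntu
# virtualenvs, not a PyPI package; it breaks `pip install -r`.
# pkg-resources==0.0.0
python-dateutil==2.8.1
pytz==2019.3
requests==2.22.0
simplejson==3.16.0
six==1.13.0
stix==1.2.0.7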
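stix-validator==2.5.0
stix2==1.1.0
stix2-patterns==1.1.0
stix2-slider==2.0.0
stixmarx==1.0.6
tornado==6.0.3
urllib3==1.25.6
xlrd==1.2.0
--------------------------------------------------------------------------------
/stixioc-import-server/server.conf:
--------------------------------------------------------------------------------
# port
port=56020

# log level info/debug
logging='info'

# Debug
# NOTE: Tornado's debug=True also turns on serve_traceback (exception
# details are included in error responses, see handlers/base.py) and
# autoreload; keep it False outside development.
debug=True

--------------------------------------------------------------------------------
/stixioc-import-server/server.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Entry point of the stixioc-import-server Tornado application.

Declares the options, attaches daily-rotating file handlers to Tornado's
loggers and serves ``url_patterns`` on ``addr:port``.
"""

import logging
import logging.handlers
import os

import tornado.ioloop
import tornado.options
# Imported explicitly: tornado.web was previously reachable only because the
# handlers imported it before Application was referenced below.
import tornado.web
from tornado.log import LogFormatter, access_log, app_log, gen_log
from tornado.options import define, options

logger = logging.getLogger('stixioc-import-server.' + __name__)

# Original Option Setting - server setting
define("port", default=8000, help="run on the given port", type=int)
define("debug", default=False, help="run in debug mode")
define("addr", default="localhost", help="run on the given address", type=str)

# Original Option Setting - API setting
define("addforce", default=True)

# CURRENT_PATH
define("CURRENT_PATH", os.path.dirname(os.path.abspath(__file__)))

# LOG_PATH
define("ACCESS_LOG", options.CURRENT_PATH + "/logs/access.log")
define("APPLICATION_LOG", options.CURRENT_PATH + "/logs/error.log")
define("GENERAL_LOG", options.CURRENT_PATH + "/logs/application.log")

# parse_config_file() executes server.conf as Python code, so the file must
# be as trusted (and as write-protected) as this module.
tornado.options.parse_config_file(os.path.join(os.path.dirname(__file__), 'server.conf'))

fmt = LogFormatter(color=False,
                   fmt='%(color)s[%(levelname)1.1s %(asctime)s.%(msecs)03d %(module)s:%(lineno)d]%(end_color)s %(message)s',
                   datefmt='%Y-%m-%d %H:%M:%S',
                   colors={40: 1, 10: 4, 20: 2, 30: 3})


def _add_daily_file_handler(log, path):
    """Attach a daily-rotating file handler writing to ``path`` to ``log``.

    The handler opens the file immediately, so the parent directory is
    created first if it is missing.
    """
    log_dir = os.path.dirname(path)
    if log_dir:
        os.makedirs(log_dir, exist_ok=True)
    handler = logging.handlers.TimedRotatingFileHandler(filename=path, when='D')
    handler.setFormatter(fmt)
    log.addHandler(handler)


_add_daily_file_handler(access_log, options.ACCESS_LOG)
_add_daily_file_handler(app_log, options.APPLICATION_LOG)
_add_daily_file_handler(gen_log, options.GENERAL_LOG)


# Imported after logging is configured so handler modules log through the
# handlers above.
from urls import url_patterns  # noqa: E402

application = tornado.web.Application(
    url_patterns,
    # Placeholder secret: none of the handlers in url_patterns use signed
    # cookies, but replace it before adding any that do.
    cookie_secret="__TODO:_GENERATE_YOUR_OWN_RANDOM_VALUE_HERE__",
    # XSRF checks are off; the visible clients (tests/req_*.py) are scripts
    # posting multipart files. Revisit if browser forms ever call the API.
    xsrf_cookies=False,
    debug=options.debug,
)

if __name__ == "__main__":

    gen_log.info(',[session_id:],server started. port:%s', options.port)

    # Tornado Service Start
    try:
        application.listen(options.port, options.addr)
        tornado.ioloop.IOLoop.current().start()
    except KeyboardInterrupt:
        tornado.ioloop.IOLoop.current().stop()
        gen_log.info(',[session_id:],server stoped.')

--------------------------------------------------------------------------------
/stixioc-import-server/tests/ioc2stix.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Offline check: translate data/stuxnet.ioc.xml to STIX 1.x and write ./stuxnet.xml.

Ported to Python 3 syntax (the server requires tornado 6, which is
Python-3-only); the former print statements and str.decode() calls did not
run there.
"""

import io
import os
import traceback
from io import BytesIO

from mixbox import idgen, namespaces
from openioc2stix.translate import to_stix


def read2str(fname):
    """Return the bytes of ``fname``, or ``None`` (traceback printed) on failure."""
    in_xml = None
    try:
        with io.open(fname, "rb") as f:
            in_xml = f.read()
    except Exception:
        print(traceback.format_exc())

    return in_xml


def write2file(fname, out_str):
    """Write ``out_str`` to ``fname``.

    ``to_xml()`` may hand back bytes; those are written in binary mode, text
    in text mode.
    """
    mode = "wb" if isinstance(out_str, bytes) else "w"
    with open(fname, mode) as f:
        f.write(out_str)


def ioc2stix():
    """Run the translation on the bundled Stuxnet OpenIOC sample."""
    try:
        data_dir = os.path.abspath(os.path.join(os.path.dirname(os.path.abspath(__file__)), '../data'))

        in_xml = read2str(data_dir + '/stuxnet.ioc.xml')

        # Set the namespace to be used in the STIX Package
        ns = namespaces.Namespace("http://openioc.org/openioc", "openioc", "")
        idgen.set_id_namespace(ns)

        stix_package = to_stix(BytesIO(in_xml))

        out_fname = './stuxnet.xml'
        write2file(out_fname, stix_package.to_xml())

    except Exception:
        print(traceback.format_exc())


if __name__ == "__main__":
    ioc2stix()

--------------------------------------------------------------------------------
/stixioc-import-server/tests/req_ioc.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Manual smoke test: POST data/stuxnet.ioc.xml to a running server's /convert/ioc."""

import requests

HOSTNAME = '127.0.0.1'
PORT = 56020
EP = 'http://' + HOSTNAME + ':' + str(PORT) + '/convert/ioc'

# Binary mode: the server reads the upload as bytes. The context manager
# closes the handle, which the bare open() call never did.
with open('../data/stuxnet.ioc.xml', 'rb') as f:
    files = {
        'file': ('stuxnet.ioc.xml', f, 'application/xml')
    }
    res = requests.post(EP, files=files)

print(res.status_code)
print(res.text)

--------------------------------------------------------------------------------
/stixioc-import-server/tests/req_stixv1.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Manual smoke test: POST data/stuxnet.stix.xml to a running server's /convert/stix/v1."""

import requests

HOSTNAME = '127.0.0.1'
PORT = 56020
EP = 'http://' + HOSTNAME + ':' + str(PORT) + '/convert/stix/v1'

# Binary mode: the server reads the upload as bytes. The context manager
# closes the handle, which the bare open() call never did.
with open('../data/stuxnet.stix.xml', 'rb') as f:
    files = {
        'file': ('stuxnet.stix.xml', f, 'application/xml')
    }
    res = requests.post(EP, files=files)

print(res.status_code)
print(res.text)

--------------------------------------------------------------------------------
/stixioc-import-server/tests/req_stixv2.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Manual smoke test: POST data/stixv2.json to a running server's /convert/stix/v2."""

import requests

HOSTNAME = '127.0.0.1'
PORT = 56020
EP = 'http://' + HOSTNAME + ':' + str(PORT) + '/convert/stix/v2'

# Binary mode: the server reads the upload as bytes. The context manager
# closes the handle, which the bare open() call never did.
with open('../data/stixv2.json', 'rb') as f:
    files = {
        'file': ('stixv2.json', f, 'application/json')
    }
    res = requests.post(EP, files=files)

print(res.status_code)
print(res.text)

--------------------------------------------------------------------------------
/stixioc-import-server/tests/stix2to1.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Offline check: slide data/stixv2.json down to STIX 1.x and write ./stixv2.xml.

Ported to Python 3 syntax (the server requires tornado 6, which is
Python-3-only); the former print statements and str.decode() calls did not
run there.
"""

import io
import json
import os
import traceback

import stixmarx
from stix2slider.convert_stix import convert_indicator
from stix2slider.options import initialize_options


def read2str(fname):
    """Return the text of ``fname`` (UTF-8), or ``None`` (traceback printed) on failure."""
    in_str = None
    try:
        with io.open(fname, "r", encoding="utf-8") as f:
            in_str = f.read()
    except Exception:
        print(traceback.format_exc())

    return in_str


def write2file(fname, out_str):
    """Write ``out_str`` to ``fname``.

    ``to_xml()`` may hand back bytes; those are written in binary mode, text
    in text mode.
    """
    mode = "wb" if isinstance(out_str, bytes) else "w"
    with open(fname, mode) as f:
        f.write(out_str)


def _iter_indicators(json_content):
    """Yield ``indicator`` objects from a list, a ``bundle`` or a single indicator.

    These are the same document shapes the /convert/stix/v2 handler accepts;
    other object types, and non-object list entries, yield nothing.

    Raises:
        ValueError: if the top-level JSON value is neither a list nor an object.
    """
    if isinstance(json_content, list):
        candidates = json_content
    elif isinstance(json_content, dict):
        obj_type = json_content.get("type")
        if obj_type == "bundle":
            objects = json_content.get("objects")
            candidates = objects if isinstance(objects, list) else []
        elif obj_type == "indicator":
            candidates = [json_content]
        else:
            candidates = []
    else:
        raise ValueError('unsupported STIX 2 document: expected a JSON object or list.')

    for obj in candidates:
        if isinstance(obj, dict) and obj.get("type") == "indicator":
            yield obj


def stix2to1():
    """Run the conversion on the bundled STIX 2 sample."""
    try:
        data_dir = os.path.abspath(os.path.join(os.path.dirname(os.path.abspath(__file__)), '../data'))

        in_str = read2str(data_dir + '/stixv2.json')

        initialize_options()

        container = stixmarx.new()
        stix_package = container.package

        for json_data in _iter_indicators(json.loads(in_str)):
            stix_package.add_indicator(convert_indicator(json_data))

        # Finalize the stixmarx container before serializing the package.
        container.flush()

        out_fname = './stixv2.xml'
        write2file(out_fname, stix_package.to_xml())

    except Exception:
        print(traceback.format_exc())


if __name__ == "__main__":
    stix2to1()

--------------------------------------------------------------------------------
/stixioc-import-server/urls.py: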
-------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | from handlers.stixv1 import StixV1ConvertHandler 4 | from handlers.stixv2 import StixV2ConvertHandler 5 | from handlers.ioc import IoCConvertHandler 6 | 7 | url_patterns = [ 8 | (r'/convert/stix/v1', StixV1ConvertHandler), 9 | (r'/convert/stix/v2', StixV2ConvertHandler), 10 | (r'/convert/ioc', IoCConvertHandler), 11 | ] 12 | 13 | -------------------------------------------------------------------------------- /sysmon_search_plugin/README.md: -------------------------------------------------------------------------------- 1 | # visual 2 | 3 | > sample plugin 4 | 5 | --- 6 | 7 | ## development 8 | 9 | See the [kibana contributing guide](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md) for instructions setting up your development environment. Once you have completed that, use the following npm tasks. 10 | 11 | - `npm start` 12 | 13 | Start kibana and have it include this plugin 14 | 15 | - `npm start -- --config kibana.yml` 16 | 17 | You can pass any argument that you would normally send to `bin/kibana` by putting them after `--` when running `npm start` 18 | 19 | - `npm run build` 20 | 21 | Build a distributable archive 22 | 23 | - `npm run test:browser` 24 | 25 | Run the browser tests in a real web browser 26 | 27 | - `npm run test:server` 28 | 29 | Run the server tests using mocha 30 | 31 | For more information about any of these commands run `npm run ${task} -- --help`. 32 | -------------------------------------------------------------------------------- /sysmon_search_plugin/TRANSLATION.md: -------------------------------------------------------------------------------- 1 | A Kibana translation plugin structure. 2 | 3 | The main goal is to keep the plugin extremely simple so non-technical translators will have no trouble 4 | creating new translations for Kibana. 
Everything except for the translations themselves can be generated 5 | automatically with some enhancements to the Kibana plugin generator. The generator would only need a 6 | plugin name and a list of one or more languages the user wants to create translations for. 7 | 8 | The plugin exports its translation file(s) on the server when it it starts up. This is achieved by publishing the files 9 | via 'uiExports'.This is configurable by modifying the 'translations' item in the 'uiExports'. 10 | 11 | Translation files are broken up by language and must have names that match IETF BCP 47 language codes. 12 | Each translation file contains a single flat object with translation strings matched to their unique keys. Keys are 13 | prefixed with plugin names and a dash to ensure uniqueness between plugins. A translation plugin is not restricted to 14 | providing translations only for itself, the provided translations can cover other plugins as well. 15 | 16 | For example, this template plugin shows how a third party plugin might provide Spanish translations for the Kibana core "kibana" app, which is itself a separate plugin. 17 | 18 | To create a translation plugin using this template, follow these steps: 19 | 1. Generate the plugin using the generator 20 | 2. Add your translations files to /translations directory. Remove/Overwrite the existing translation file (i.e. 'es.json'). 21 | 3. Edit /index.js, updating the 'translations' item as per your plugin translations. 22 | 4. Restart the Kibana server to publish your plugin translations. 
23 | -------------------------------------------------------------------------------- /sysmon_search_plugin/conf.js: -------------------------------------------------------------------------------- 1 | var conf = { 2 | //elasticsearch server URL 3 | "elasticsearch_url": "elasticsearch", 4 | //elasticsearch server Port 5 | "elasticsearch_port": "9200", 6 | //monitor rule file path 7 | "savepath": "/root/script/rule_files", 8 | //stixioc import server URL 9 | "import_server_url": "stixioc-import-server", 10 | //stixioc import server port 11 | "import_server_port": "56020", 12 | //internal time (hour) 13 | "refine_time_range": "1", 14 | //maximum object number 15 | "max_object_num": "30", 16 | "elasticsearch_user": "elastic", 17 | "elasticsearch_password": "changeme", 18 | }; 19 | exports.conf = conf; 20 | -------------------------------------------------------------------------------- /sysmon_search_plugin/gather-info.js: -------------------------------------------------------------------------------- 1 | const templatePkg = require('./package.json'); 2 | const kibanaPkg = require('../kibana/package.json'); 3 | 4 | const debugInfo = { 5 | kibana: { 6 | version: kibanaPkg.version, 7 | build: kibanaPkg.build, 8 | engines: kibanaPkg.engines, 9 | }, 10 | plugin: { 11 | name: templatePkg.name, 12 | version: templatePkg.version, 13 | kibana: templatePkg.kibana, 14 | dependencies: templatePkg.dependencies, 15 | }, 16 | }; 17 | 18 | console.log(debugInfo); -------------------------------------------------------------------------------- /sysmon_search_plugin/index.js: -------------------------------------------------------------------------------- 1 | import { resolve } from 'path'; 2 | import sysmon_search_Route from './server/routes/sysmon_search'; 3 | 4 | export default function (kibana) { 5 | return new kibana.Plugin({ 6 | require: ['elasticsearch'], 7 | name: 'sysmon_search_visual', 8 | uiExports: { 9 | app: { 10 | title: 'SysmonSearch', 11 | description: 'sample 
SysmonSearch plugin', 12 | main: 'plugins/sysmon_search_visual/app' 13 | }, 14 | }, 15 | config(Joi) { 16 | return Joi.object({ 17 | enabled: Joi.boolean().default(true), 18 | }).default(); 19 | }, 20 | init(server, options) { 21 | sysmon_search_Route(server); 22 | } 23 | }); 24 | }; 25 | -------------------------------------------------------------------------------- /sysmon_search_plugin/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sysmon_search_visual", 3 | "version": "1.0.0", 4 | "description": "This Kibana plugin visualize Sysmon's event log", 5 | "main": "index.js", 6 | "kibana": { 7 | "version": "kibana", 8 | "templateVersion": "1.0.0" 9 | }, 10 | "scripts": { 11 | "lint": "eslint **/*.js", 12 | "start": "plugin-helpers start", 13 | "test:server": "plugin-helpers test:server", 14 | "test:browser": "plugin-helpers test:browser", 15 | "build": "plugin-helpers build", 16 | "postinstall": "plugin-helpers postinstall", 17 | "gather-info": "node gather-info.js" 18 | }, 19 | "dependencies": { 20 | "boom": "^7.3.0", 21 | "elasticsearch": "^16.4.0", 22 | "js-yaml": "^3.13.1", 23 | "request": "^2.88.0", 24 | "sprintf-js": "^1.1.2" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/__tests__/index.js: -------------------------------------------------------------------------------- 1 | import expect from 'expect.js'; 2 | 3 | describe('suite', () => { 4 | it('is a test', () => { 5 | expect(true).to.equal(true); 6 | }); 7 | }); 8 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/assets/i18n/locale-en.json: -------------------------------------------------------------------------------- 1 | { 2 | "TAB_ALERT": "Alert", 3 | "TAB_SEARCH": "Search", 4 | "TAB_STATISTICS": "Statistics", 5 | "TAB_EVENT_LIST": "Event List", 6 | 7 | "ALERT_H2": "Alert", 8 | 
"ALERT_DETECTION_BOX": "Detection Rules", 9 | "ALERT_TABLE_HOST_NAME": "Computer", 10 | "ALERT_TABLE_RECORDS": "Number of Matches", 11 | "ALERT_RULE_NAME": "Rule Name", 12 | "ALERT_RULE": "Logic", 13 | "ALERT_PERIOD": "Period", 14 | "ALERT_TABLE_ALL": "Overall", 15 | "ALERT_DELETE_BUTTON": "Delete file", 16 | "ALERT_MSG_CONFIRM_RULE_FILE": "Do you want to delete rule file $1?", 17 | "ALERT_MSG_SUCCEEDED_DELETE": "Rule file $1 is deleted.", 18 | "ALERT_MSG_FAILED_DELETE": "Failed to delete rule file $1.", 19 | 20 | "SEARCH_H2": "Search", 21 | "SEARCH_CRITERIA_SEARCH_DATE": "Date", 22 | "SEARCH_CRITERIA_SEARCH_FIELD": "Field", 23 | "SEARCH_CRITERIA_ADD_BUTTON": "Add", 24 | "SEARCH_CRITERIA_DEL_BUTTON": "Remove", 25 | "SEARCH_CRITERIA_IMPORT_BUTTON": "Import", 26 | "SEARCH_CRITERIA_SAVE_RULE_BUTTON1": "Save as", 27 | "SEARCH_CRITERIA_SAVE_RULE_BUTTON2": "Detection Rule", 28 | "SEARCH_CRITERIA_SEARCH_BUTTON": "Find Now", 29 | "SEARCH_PULLDOWN_IPADDRESS": "IP Address", 30 | "SEARCH_PULLDOWN_PORT": "Port", 31 | "SEARCH_PULLDOWN_HOST": "Host Name", 32 | "SEARCH_PULLDOWN_PROCESS": "Process Name", 33 | "SEARCH_PULLDOWN_FILE": "File Name", 34 | "SEARCH_PULLDOWN_KEY": "Registry Key", 35 | "SEARCH_PULLDOWN_VALUE": "Registry Value", 36 | "SEARCH_PULLDOWN_HASH": "Hash", 37 | 38 | "SEARCH_MSG_CONFIRM_IMPORT": "Import search criteria from file\nExisting queries are cleared.\n\nDo you want to continue?", 39 | "SEARCH_MSG_INVALID_FILE": "Invalid file.", 40 | "SEARCH_MSG_NO_SEARCH_CRITERIA": "Search criteria is empty in selected file.", 41 | "SEARCH_MSG_FAILED_IMPORT": "Failed to import search criteria.", 42 | 43 | "SEARCH_MSG_CONFIRM_SAVE_RULES": "Save search criteria as a detection rule.\n\nDo you want to continue?", 44 | "SEARCH_MSG_NO_RULE": "Search criteria is empty.\n\nSave canceled.", 45 | "SEARCH_MSG_SUCCEEDED_SAVE": "Detection rule is saved.", 46 | "SEARCH_MSG_FAILED_SAVE": "Failed to save detection rule.", 47 | 48 | "RESULTBOX_RESULT": "Results", 49 | 
"RESULTBOX_NUMBER_OF_RECORDS": "Records", 50 | "RESULTBOX_UNIQUE_HOSTS": "Unique Hosts", 51 | "RESULTBOX_LINKNAME_TABLE": "Table", 52 | "RESULTBOX_LINKNAME_GRAPH": "Graph", 53 | 54 | "STATISTICS_H2": "Statistics", 55 | "STATISTICS_TOTAL": "Total Records", 56 | "STATISTICS_DESTINATION_ADDRESS": "Destination Address", 57 | "STATISTICS_PROCESS": "Process", 58 | "STATISTICS_EVENT": "Event ID", 59 | "STATISTICS_DESTINATION_PORT": "Destination Port", 60 | "STATISTICS_REGISTRY_EVENT": "Registry Event", 61 | "STATISTICS_EVENT_LEVEL": "Event Level", 62 | "STATISTICS_DESCEND": "Descending Sort", 63 | "STATISTICS_ASCEND": "Ascending Sort", 64 | 65 | "EVENT_H2": "Event list", 66 | "EVENT_DETECTIONBOX_SEARCH_FIELD": "Search", 67 | "EVENT_DETECTIONBOX_AFTER": "After:", 68 | "EVENT_DETECTIONBOX_BEFORE": "Before:", 69 | "EVENT_DETECTIONBOX_HOSTNAME": "Host Name:", 70 | "EVENT_TABLE_DATE": "Date", 71 | "EVENT_TABLE_HOSTNAME": "HostName", 72 | "EVENT_TABLE_EVENTNUM": "NumberOfEvent", 73 | "EVENT_TABLE_BODY_HOSTNAME": "HostName:", 74 | "EVENT_TABLE_BODY_EVENTNUM": "NumberOfEvent:", 75 | 76 | "HOSTSTATS_H2": "Host Statistics", 77 | 78 | "EVENTSUMMARY_H2": "Event Summary", 79 | "EVENTSUMMARY_TABLE_TYPE": "Event Type", 80 | "EVENTSUMMARY_TABLE_NUM": "Records", 81 | 82 | "PROCESS_H2": "Process List", 83 | "PROCESS_TABLE_DATE": "Date", 84 | "PROCESS_TABLE_TYPE": "Event Type", 85 | "PROCESS_TABLE_SOURCE": "Source Process", 86 | "PROCESS_TABLE_VALUE": "Relevant Event Data", 87 | 88 | "PCR_H2": "Process Parent-Child Relationship", 89 | "DETAIL_H2": "Detailed Information", 90 | "DETAIL_MESSAGE": "No data exists to display create_process.", 91 | 92 | "CORRELATION_H2": "Event Correlation", 93 | 94 | "TARGET_HOSTNAME": "Host Name", 95 | "TARGET_DATE": "Date", 96 | "TARGET_PROCESS": "Process", 97 | 98 | "SEARCHBOX_SEARCH": "Search", 99 | "SEARCHBOX_PLACEHOLDER_KEYWORD": "Keyword", 100 | "SEARCHBOX_PLACEHOLDER_HASH": "HASH", 101 | "SEARCHBOX_PLACEHOLDER_HOSTNAME": "Host Name", 102 | 103 | 
"DATA_NAME_UTCTIME": "UtcTime", 104 | "DATA_NAME_EVENTID": "EventID", 105 | "DATA_NAME_LEVEL": "Level", 106 | "DATA_NAME_COMPUTER": "Computer", 107 | "DATA_NAME_USERNAME": "User", 108 | "DATA_NAME_IMAGE": "Image", 109 | "DATA_NAME_EVENTTYPE":"Event Category", 110 | "DATA_NAME_PROCESS": "Process", 111 | 112 | "OPEN_CORRELATION": "Open Event Correlation.", 113 | "OPEN_DETAIL":"Open Detailed Information.", 114 | "OPEN_PROCESS": "Open Process List in Chronological Order.", 115 | "OPEN_HOSTSTAS": "Open Bar Chart Counted on a Event ID.", 116 | "OPEN_EVENTSUMMARY": "Open Intermediate Window to Event Correlation.", 117 | 118 | "ALT_SEARCHICON": "Search Icon", 119 | 120 | "TEXTAREA_PLACEHOLDER": "Right-click on a node displays details. " 121 | } 122 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/assets/i18n/locale-ja.json: -------------------------------------------------------------------------------- 1 | { 2 | "TAB_ALERT": "検知情報画面", 3 | "TAB_SEARCH": "検索画面", 4 | "TAB_STATISTICS": "統計情報画面", 5 | "TAB_EVENT_LIST": "イベントリスト", 6 | 7 | "ALERT_H2": "検知情報", 8 | "ALERT_DETECTION_BOX": "検知ルール", 9 | "ALERT_TABLE_HOST_NAME": "ホスト名", 10 | "ALERT_TABLE_RECORDS": "検知レコード数", 11 | "ALERT_RULE_NAME": "ルール名", 12 | "ALERT_RULE": "条件", 13 | "ALERT_PERIOD": "期間", 14 | "ALERT_TABLE_ALL": "全体", 15 | "ALERT_DELETE_BUTTON": "ファイル削除", 16 | "ALERT_MSG_CONFIRM_RULE_FILE": "ルールファイル$1を削除しますか?", 17 | "ALERT_MSG_SUCCEEDED_DELETE": "ルールファイル$1を削除しました", 18 | "ALERT_MSG_FAILED_DELETE": "ルールファイル$1の削除に失敗しました", 19 | 20 | "SEARCH_H2": "検索画面", 21 | "SEARCH_CRITERIA_SEARCH_DATE": "期間", 22 | "SEARCH_CRITERIA_SEARCH_FIELD": "検索条件", 23 | "SEARCH_CRITERIA_ADD_BUTTON": "検索条件の追加", 24 | "SEARCH_CRITERIA_DEL_BUTTON": "削除", 25 | "SEARCH_CRITERIA_IMPORT_BUTTON": "ファイルインポート", 26 | "SEARCH_CRITERIA_SAVE_RULE_BUTTON1": "検索条件を検知", 27 | "SEARCH_CRITERIA_SAVE_RULE_BUTTON2": "ルールとして登録", 28 | "SEARCH_CRITERIA_SEARCH_BUTTON": "検索", 29 | "SEARCH_PULLDOWN_IPADDRESS": 
"IPアドレス", 30 | "SEARCH_PULLDOWN_PORT": "ポート番号", 31 | "SEARCH_PULLDOWN_HOST": "ホスト名", 32 | "SEARCH_PULLDOWN_PROCESS": "プロセス名", 33 | "SEARCH_PULLDOWN_FILE": "ファイル名", 34 | "SEARCH_PULLDOWN_KEY": "レジストリキー", 35 | "SEARCH_PULLDOWN_VALUE": "レジストリ値", 36 | "SEARCH_PULLDOWN_HASH": "ハッシュ値", 37 | 38 | "SEARCH_MSG_CONFIRM_IMPORT": "指定したファイルを読み込み画面項目に設定します。\n現在入力されている項目はクリアされます。\n\nよろしいですか?", 39 | "SEARCH_MSG_INVALID_FILE": "指定したファイルは有効なファイルではありません。", 40 | "SEARCH_MSG_NO_SEARCH_CRITERIA": "インポートするデータがありません。", 41 | "SEARCH_MSG_FAILED_IMPORT": "インポート処理に失敗しました。", 42 | 43 | "SEARCH_MSG_CONFIRM_SAVE_RULES": "検索条件を検知ルールとして登録します。\n\nよろしいですか?", 44 | "SEARCH_MSG_NO_RULE": "画面項目が設定されていません。\n\n処理を中止します。", 45 | "SEARCH_MSG_SUCCEEDED_SAVE": "検知ルールを登録しました。", 46 | "SEARCH_MSG_FAILED_SAVE": "検知ルールの登録に失敗しました。", 47 | 48 | "RESULTBOX_RESULT": "検知結果", 49 | "RESULTBOX_NUMBER_OF_RECORDS": "レコード数", 50 | "RESULTBOX_UNIQUE_HOSTS": "ユニークホスト数", 51 | "RESULTBOX_LINKNAME_TABLE": "一覧", 52 | "RESULTBOX_LINKNAME_GRAPH": "グラフ", 53 | 54 | "STATISTICS_H2": "統計情報画面", 55 | "STATISTICS_TOTAL": "データ件数", 56 | "STATISTICS_DESTINATION_ADDRESS": "接続先アドレス", 57 | "STATISTICS_PROCESS": "プロセス", 58 | "STATISTICS_EVENT": "イベントID", 59 | "STATISTICS_DESTINATION_PORT": "接続先ポート", 60 | "STATISTICS_REGISTRY_EVENT": "レジストリイベント", 61 | "STATISTICS_EVENT_LEVEL": "イベントレベル", 62 | "STATISTICS_DESCEND": "降順$1件", 63 | "STATISTICS_ASCEND": "昇順$1件", 64 | 65 | "EVENT_H2": "イベントリスト画面", 66 | "EVENT_DETECTIONBOX_SEARCH_FIELD": "検索", 67 | "EVENT_DETECTIONBOX_AFTER": "開始日付:", 68 | "EVENT_DETECTIONBOX_BEFORE": "終了日付:", 69 | "EVENT_DETECTIONBOX_HOSTNAME": "ホスト名:", 70 | "EVENT_TABLE_DATE": "日付", 71 | "EVENT_TABLE_HOSTNAME": "ホスト名", 72 | "EVENT_TABLE_EVENTNUM": "イベント数", 73 | "EVENT_TABLE_BODY_HOSTNAME": "ホスト名:", 74 | "EVENT_TABLE_BODY_EVENTNUM": "イベント数:", 75 | 76 | "HOSTSTATS_H2": "ホスト統計情報画面", 77 | 78 | "EVENTSUMMARY_H2": "イベント情報", 79 | "EVENTSUMMARY_TABLE_TYPE": "イベントタイプ", 80 | "EVENTSUMMARY_TABLE_NUM": "レコード数", 81 | 82 | "PROCESS_H2": "プロセス起動一覧", 83 | 
"PROCESS_TABLE_DATE": "日付", 84 | "PROCESS_TABLE_TYPE": "イベントタイプ", 85 | "PROCESS_TABLE_SOURCE": "発生元プロセス", 86 | "PROCESS_TABLE_VALUE": "関連イベントデータ", 87 | 88 | "PCR_H2": "プロセス親子図表示", 89 | "DETAIL_H2": "詳細情報", 90 | "DETAIL_MESSAGE": " create_processのデータが存在しません。", 91 | 92 | "CORRELATION_H2": "プロセス関連図", 93 | 94 | "TARGET_HOSTNAME": "ホスト名", 95 | "TARGET_DATE": "対象日", 96 | "TARGET_PROCESS": "プロセス", 97 | 98 | "SEARCHBOX_SEARCH": "検索", 99 | "SEARCHBOX_PLACEHOLDER_KEYWORD": "キーワード", 100 | "SEARCHBOX_PLACEHOLDER_HASH": "HASH", 101 | "SEARCHBOX_PLACEHOLDER_HOSTNAME": "ホスト名", 102 | 103 | "DATA_NAME_UTCTIME": "プロセス起動時間", 104 | "DATA_NAME_EVENTID": "イベントID", 105 | "DATA_NAME_LEVEL": "レベル", 106 | "DATA_NAME_COMPUTER": "コンピューター", 107 | "DATA_NAME_USERNAME": "ユーザー", 108 | "DATA_NAME_IMAGE": "イメージ", 109 | "DATA_NAME_EVENTTYPE":"イベントのカテゴリ", 110 | "DATA_NAME_PROCESS": "プロセス名", 111 | 112 | "OPEN_CORRELATION": "プロセス関連図表示", 113 | "OPEN_DETAIL":"詳細情報表示(グラフィカル表示)", 114 | "OPEN_PROCESS": "プロセス起動一覧を時系列で表示", 115 | "OPEN_HOSTSTAS": "イベントごとのレコード数を積み上げ棒グラフを表示", 116 | "OPEN_EVENTSUMMARY": "イベントタイプごとの分析を開始", 117 | 118 | "ALT_SEARCHICON": "検索アイコン", 119 | 120 | "TEXTAREA_PLACEHOLDER": "ノードを右クリックすると詳細が表示されます" 121 | } 122 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/data/detail_map.js: -------------------------------------------------------------------------------- 1 | var edges = [ 2 | { 3 | "arrows": "to", 4 | "color": { 5 | "color": "lightgray" 6 | }, 7 | "from": 1, 8 | "length": 200, 9 | "to": 2 10 | }, 11 | { 12 | "arrows": "to", 13 | "color": { 14 | "color": "lightgray" 15 | }, 16 | "from": 2, 17 | "length": 200, 18 | "to": 3 19 | }, 20 | { 21 | "arrows": "to", 22 | "color": { 23 | "color": "lightgray" 24 | }, 25 | "from": 3, 26 | "length": 200, 27 | "to": 4 28 | }, 29 | { 30 | "arrows": "to", 31 | "color": { 32 | "color": "lightgray" 33 | }, 34 | "from": 1, 35 | "length": 200, 36 | "to": 201 37 | }, 38 | { 39 | "arrows": "to", 40 
| "color": { 41 | "color": "lightgray" 42 | }, 43 | "from": 201, 44 | "length": 200, 45 | "to": 202 46 | }, 47 | { 48 | "arrows": "to", 49 | "color": { 50 | "color": "lightgray" 51 | }, 52 | "from": 201, 53 | "length": 200, 54 | "to": 203 55 | }, 56 | { 57 | "arrows": "to", 58 | "color": { 59 | "color": "lightgray" 60 | }, 61 | "from": 1, 62 | "length": 200, 63 | "to": 301 64 | }, 65 | { 66 | "arrows": "to", 67 | "color": { 68 | "color": "lightgray" 69 | }, 70 | "from": 301, 71 | "length": 200, 72 | "to": 302 73 | }, 74 | { 75 | "arrows": "to", 76 | "color": { 77 | "color": "lightgray" 78 | }, 79 | "from": 4, 80 | "length": 200, 81 | "to": 501 82 | }, 83 | { 84 | "arrows": "to", 85 | "color": { 86 | "color": "lightgray" 87 | }, 88 | "from": 4, 89 | "length": 200, 90 | "to": 502 91 | }, 92 | { 93 | "arrows": "to", 94 | "color": { 95 | "color": "lightgray" 96 | }, 97 | "from": 4, 98 | "length": 200, 99 | "to": 503 100 | } 101 | ]; 102 | exports.edges = edges; -------------------------------------------------------------------------------- /sysmon_search_plugin/public/data/proc_info.js: -------------------------------------------------------------------------------- 1 | var items = [ 2 | { 3 | "content": "ipconfig", 4 | "id": 1, 5 | "start": "2017-11-14 04:04:42.674" 6 | }, 7 | { 8 | "content": "C:\\Windows\\System32\\mobsync.exe -Embedding", 9 | "id": 2, 10 | "start": "2017-11-14 04:21:21.148" 11 | }, 12 | { 13 | "content": "\"C:\\Windows\\system32\\cmd.exe\" ", 14 | "id": 3, 15 | "start": "2017-11-14 04:21:38.366" 16 | }, 17 | { 18 | "content": "ipconfig", 19 | "id": 4, 20 | "start": "2017-11-14 04:21:43.459" 21 | }, 22 | { 23 | "content": "ping 192.168.124.100", 24 | "id": 5, 25 | "start": "2017-11-14 04:22:39.258" 26 | }, 27 | { 28 | "content": "wininit.exe", 29 | "id": 6, 30 | "start": "2017-11-14 04:34:19.031" 31 | }, 32 | { 33 | "content": "winlogon.exe", 34 | "id": 7, 35 | "start": "2017-11-14 04:34:20.296" 36 | }, 37 | { 38 | "content": 
"C:\\Windows\\system32\\services.exe", 39 | "id": 8, 40 | "start": "2017-11-14 04:34:21.140" 41 | }, 42 | { 43 | "content": "C:\\Windows\\system32\\lsass.exe", 44 | "id": 9, 45 | "start": "2017-11-14 04:34:21.453" 46 | }, 47 | { 48 | "content": "C:\\Windows\\system32\\lsm.exe", 49 | "id": 10, 50 | "start": "2017-11-14 04:34:21.484" 51 | }, 52 | { 53 | "content": "C:\\Windows\\system32\\svchost.exe -k LocalService", 54 | "id": 11, 55 | "start": "2017-11-14 04:34:25.203" 56 | }, 57 | { 58 | "content": "C:\\Windows\\System32\\spoolsv.exe", 59 | "id": 12, 60 | "start": "2017-11-14 04:34:29.359" 61 | }, 62 | { 63 | "content": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork", 64 | "id": 13, 65 | "start": "2017-11-14 04:34:29.750" 66 | }, 67 | { 68 | "content": "C:\\Windows\\Sysmon.exe", 69 | "id": 14, 70 | "start": "2017-11-14 04:34:32.250" 71 | }, 72 | { 73 | "content": "atbroker.exe", 74 | "id": 15, 75 | "start": "2017-11-14 04:34:41.250" 76 | }, 77 | { 78 | "content": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", 79 | "id": 16, 80 | "start": "2017-11-14 04:34:48.782" 81 | }, 82 | { 83 | "content": "C:\\Windows\\Explorer.EXE", 84 | "id": 17, 85 | "start": "2017-11-14 04:35:05.087" 86 | }, 87 | { 88 | "content": "\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\" ", 89 | "id": 18, 90 | "start": "2017-11-14 04:35:08.123" 91 | }, 92 | { 93 | "content": "C:\\Windows\\System32\\svchost.exe -k secsvcs", 94 | "id": 19, 95 | "start": "2017-11-14 04:36:48.004" 96 | }, 97 | { 98 | "content": "\"C:\\Users\\chiyoda\\Desktop\\FakeVirus-20160416\\FakeVirus-20160416.exe\" ", 99 | "id": 20, 100 | "start": "2017-11-14 04:37:24.848" 101 | }, 102 | { 103 | "content": "\"C:\\ProgramData\\{01D1A19C-CC41-492D-AAB4-298862D6B085}\\{A559C46D-6841-4E04-9592-6351537073E6}.exe\" ", 104 | "id": 21, 105 | "start": "2017-11-14 04:37:25.364" 106 | }, 107 | { 108 | "content": "cmd /c 
\"\"C:\\ProgramData\\{01D1A19C-CC41-492D-AAB4-298862D6B085}\\{076B31A4-7CB7-48C9-A0E1-F0944A0B20FB}.bat\" \"", 109 | "id": 22, 110 | "start": "2017-11-14 04:37:25.642" 111 | }, 112 | { 113 | "content": "ipconfig.exe /all ", 114 | "id": 23, 115 | "start": "2017-11-14 04:37:25.846" 116 | }, 117 | { 118 | "content": "cmd /c \"\"C:\\ProgramData\\{01D1A19C-CC41-492D-AAB4-298862D6B085}\\11F61C60CE548E2148C2F7A2E5F7103C.bat\" \"", 119 | "id": 24, 120 | "start": "2017-11-14 04:37:55.816" 121 | }, 122 | { 123 | "content": "c:\\windows\\system32\\rundll32.exe C:\\ProgramData\\{01D1A19C-CC41-492D-AAB4-298862D6B085}\\Injection.dll ij", 124 | "id": 25, 125 | "start": "2017-11-14 04:37:55.951" 126 | }, 127 | { 128 | "content": "\"C:\\Users\\chiyoda\\Desktop\\eec788644c266438b3bdb3b2ebdcd53851d5dffa.exe\" ", 129 | "id": 26, 130 | "start": "2017-11-14 04:49:39.968" 131 | }, 132 | { 133 | "content": "\"C:\\Users\\chiyoda\\Desktop\\zepto-ca5e9f94ae8596be11c0651d57b354364eda7946.exe\" ", 134 | "id": 27, 135 | "start": "2017-11-14 04:56:57.467" 136 | }, 137 | { 138 | "content": "\"C:\\Users\\chiyoda\\Desktop\\zepto-ca5e9f94ae8596be11c0651d57b354364eda7946.exe\"", 139 | "id": 28, 140 | "start": "2017-11-14 04:57:24.372" 141 | } 142 | ]; 143 | exports.items = items; -------------------------------------------------------------------------------- /sysmon_search_plugin/public/data/process_list.js: -------------------------------------------------------------------------------- 1 | var nodes = [ 2 | { 3 | "id": 1, 4 | "image": "../plugins/sysmon_search_visual/program.png", 5 | "info": "{\"path\": \"?\", \"image\": \"System\", \"guid\": \"{0079005F-0073-0074-6500-6D0000000000}\", \"pid\": \"4\", \"recode_number\": 33400}", 6 | "label": "System", 7 | "shape": "circularImage", 8 | "title": "?", 9 | "url": "sysmon_search_visual#/detail.html?pid=4&image=%7B0079005F-0073-0074-6500-6D0000000000%7D" 10 | }, 11 | { 12 | "id": 2, 13 | "image": "../plugins/sysmon_search_visual/program.png", 14 | 
"info": "{\"image\": \"C:\\\\Windows\\\\System32\\\\smss.exe\", \"pid\": \"236\", \"record_number\": 33400, \"path\": \"\\\\SystemRoot\\\\System32\\\\smss.exe\", \"guid\": \"{B9BDBBFE-7246-5A0A-0000-00105C2D0000}\", \"utc_time\": \"2017-11-14 04:34:14.609\"}", 15 | "label": "C:\\Windows\\System32\\smss.exe", 16 | "shape": "circularImage", 17 | "title": "\\SystemRoot\\System32\\smss.exe", 18 | "url": "sysmon_search_visual#/detail.html?pid=236&image=%7BB9BDBBFE-7246-5A0A-0000-00105C2D0000%7D" 19 | }, 20 | { 21 | "id": 3, 22 | "image": "../plugins/sysmon_search_visual/program.png", 23 | "info": "{\"image\": \"C:\\\\Windows\\\\System32\\\\smss.exe\", \"pid\": \"344\", \"record_number\": 33404, \"path\": \"\\\\SystemRoot\\\\System32\\\\smss.exe 00000001 0000003c \", \"guid\": \"{B9BDBBFE-8D26-5A1F-0000-0010B9580000}\", \"utc_time\": \"2017-11-30 04:46:30.421\"}", 24 | "label": "C:\\Windows\\System32\\smss.exe", 25 | "shape": "circularImage", 26 | "title": "\\SystemRoot\\System32\\smss.exe 00000001 0000003c ", 27 | "url": "sysmon_search_visual#/detail.html?pid=344&image=%7BB9BDBBFE-8D26-5A1F-0000-0010B9580000%7D" 28 | }, 29 | { 30 | "id": 4, 31 | "image": "../plugins/sysmon_search_visual/program.png", 32 | "info": "{\"image\": \"C:\\\\Windows\\\\System32\\\\winlogon.exe\", \"pid\": \"392\", \"record_number\": 33407, \"path\": \"winlogon.exe\", \"guid\": \"{B9BDBBFE-8D27-5A1F-0000-0010325B0000}\", \"utc_time\": \"2017-11-30 04:46:31.640\"}", 33 | "label": "C:\\Windows\\System32\\winlogon.exe", 34 | "shape": "circularImage", 35 | "title": "winlogon.exe", 36 | "url": "sysmon_search_visual#/detail.html?pid=392&image=%7BB9BDBBFE-8D27-5A1F-0000-0010325B0000%7D" 37 | }, 38 | { 39 | "id": 5, 40 | "image": "../plugins/sysmon_search_visual/program.png", 41 | "info": "{\"image\": \"C:\\\\Windows\\\\System32\\\\userinit.exe\", \"pid\": \"2372\", \"record_number\": 33520, \"path\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"guid\": \"{B9BDBBFE-9541-5A1F-0000-00100C010300}\", 
\"utc_time\": \"2017-11-30 05:21:05.034\"}", 42 | "label": "C:\\Windows\\System32\\userinit.exe", 43 | "shape": "circularImage", 44 | "title": "C:\\Windows\\system32\\userinit.exe", 45 | "url": "sysmon_search_visual#/detail.html?pid=2372&image=%7BB9BDBBFE-9541-5A1F-0000-00100C010300%7D" 46 | }, 47 | { 48 | "id": 6, 49 | "image": "../plugins/sysmon_search_visual/program.png", 50 | "info": "{\"image\": \"C:\\\\Windows\\\\explorer.exe\", \"pid\": \"2404\", \"record_number\": 33521, \"path\": \"C:\\\\Windows\\\\Explorer.EXE\", \"guid\": \"{B9BDBBFE-9541-5A1F-0000-00104C040300}\", \"utc_time\": \"2017-11-30 05:21:05.381\"}", 51 | "label": "C:\\Windows\\explorer.exe", 52 | "shape": "circularImage", 53 | "title": "C:\\Windows\\Explorer.EXE", 54 | "url": "sysmon_search_visual#/detail.html?pid=2404&image=%7BB9BDBBFE-9541-5A1F-0000-00104C040300%7D" 55 | }, 56 | { 57 | "id": 7, 58 | "image": "../plugins/sysmon_search_visual/program.png", 59 | "info": "{\"image\": \"C:\\\\Users\\\\chiyoda\\\\Desktop\\\\download\\\\Ursnif_malware.exe\", \"pid\": \"3332\", \"record_number\": 33528, \"path\": \"\\\"C:\\\\Users\\\\chiyoda\\\\Desktop\\\\download\\\\Ursnif_malware.exe\\\" \", \"guid\": \"{B9BDBBFE-9565-5A1F-0000-001013360400}\", \"utc_time\": \"2017-11-30 05:21:41.404\"}", 60 | "label": "C:\\Users\\chiyoda\\Desktop\\download\\Ursnif_malware.exe", 61 | "shape": "circularImage", 62 | "title": "\"C:\\Users\\chiyoda\\Desktop\\download\\Ursnif_malware.exe\" ", 63 | "url": "sysmon_search_visual#/detail.html?pid=3332&image=%7BB9BDBBFE-9565-5A1F-0000-001013360400%7D" 64 | }, 65 | { 66 | "id": 8, 67 | "image": "../plugins/sysmon_search_visual/program.png", 68 | "info": "{\"image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"pid\": \"3520\", \"record_number\": 33534, \"path\": \"cmd /c \\\"\\\"C:\\\\Users\\\\chiyoda\\\\AppData\\\\Local\\\\Temp\\\\6C56\\\\B756.bat\\\" \\\"C:\\\\Users\\\\chiyoda\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Cewmcatq\\\\BWCohlEx.exe\\\" 
\\\"C:\\\\Users\\\\chiyoda\\\\Desktop\\\\download\\\\URSNIF~1.EXE\\\"\\\"\", \"guid\": \"{B9BDBBFE-9570-5A1F-0000-00104D7F0400}\", \"utc_time\": \"2017-11-30 05:21:52.244\"}", 69 | "label": "C:\\Windows\\System32\\cmd.exe", 70 | "shape": "circularImage", 71 | "title": "cmd /c \"\"C:\\Users\\chiyoda\\AppData\\Local\\Temp\\6C56\\B756.bat\" \"C:\\Users\\chiyoda\\AppData\\Roaming\\MICROS~1\\Cewmcatq\\BWCohlEx.exe\" \"C:\\Users\\chiyoda\\Desktop\\download\\URSNIF~1.EXE\"\"", 72 | "url": "sysmon_search_visual#/detail.html?pid=3520&image=%7BB9BDBBFE-9570-5A1F-0000-00104D7F0400%7D" 73 | }, 74 | { 75 | "id": 9, 76 | "image": "../plugins/sysmon_search_visual/program.png", 77 | "info": "{\"image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"pid\": \"3548\", \"record_number\": 33536, \"path\": \"cmd /C \\\"\\\"C:\\\\Users\\\\chiyoda\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Cewmcatq\\\\BWCohlEx.exe\\\" \\\"C:\\\\Users\\\\chiyoda\\\\Desktop\\\\download\\\\URSNIF~1.EXE\\\"\\\"\", \"guid\": \"{B9BDBBFE-9570-5A1F-0000-00106B860400}\", \"utc_time\": \"2017-11-30 05:21:52.775\"}", 78 | "label": "C:\\Windows\\System32\\cmd.exe", 79 | "shape": "circularImage", 80 | "title": "cmd /C \"\"C:\\Users\\chiyoda\\AppData\\Roaming\\MICROS~1\\Cewmcatq\\BWCohlEx.exe\" \"C:\\Users\\chiyoda\\Desktop\\download\\URSNIF~1.EXE\"\"", 81 | "url": "sysmon_search_visual#/detail.html?pid=3548&image=%7BB9BDBBFE-9570-5A1F-0000-00106B860400%7D" 82 | }, 83 | { 84 | "id": 10, 85 | "image": "../plugins/sysmon_search_visual/program.png", 86 | "info": "{\"image\": \"C:\\\\Users\\\\chiyoda\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Cewmcatq\\\\BWCohlEx.exe\", \"pid\": \"3556\", \"record_number\": 33537, \"path\": \"\\\"C:\\\\Users\\\\chiyoda\\\\AppData\\\\Roaming\\\\MICROS~1\\\\Cewmcatq\\\\BWCohlEx.exe\\\" \\\"C:\\\\Users\\\\chiyoda\\\\Desktop\\\\download\\\\URSNIF~1.EXE\\\"\", \"guid\": \"{B9BDBBFE-9570-5A1F-0000-001037870400}\", \"utc_time\": \"2017-11-30 05:21:52.820\"}", 87 | "label": 
"C:\\Users\\chiyoda\\AppData\\Roaming\\MICROS~1\\Cewmcatq\\BWCohlEx.exe", 88 | "shape": "circularImage", 89 | "title": "\"C:\\Users\\chiyoda\\AppData\\Roaming\\MICROS~1\\Cewmcatq\\BWCohlEx.exe\" \"C:\\Users\\chiyoda\\Desktop\\download\\URSNIF~1.EXE\"", 90 | "url": "sysmon_search_visual#/detail.html?pid=3556&image=%7BB9BDBBFE-9570-5A1F-0000-001037870400%7D" 91 | } 92 | ]; 93 | exports.nodes = nodes; 94 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/data/process_map.js: -------------------------------------------------------------------------------- 1 | var edges = [ 2 | { 3 | "arrows": "to", 4 | "color": { 5 | "color": "lightgray" 6 | }, 7 | "from": 1, 8 | "length": 200, 9 | "to": 2 10 | }, 11 | { 12 | "arrows": "to", 13 | "color": { 14 | "color": "lightgray" 15 | }, 16 | "from": 2, 17 | "length": 200, 18 | "to": 3 19 | }, 20 | { 21 | "arrows": "to", 22 | "color": { 23 | "color": "lightgray" 24 | }, 25 | "from": 3, 26 | "length": 200, 27 | "to": 4 28 | }, 29 | { 30 | "arrows": "to", 31 | "color": { 32 | "color": "lightgray" 33 | }, 34 | "from": 4, 35 | "length": 200, 36 | "to": 5 37 | }, 38 | { 39 | "arrows": "to", 40 | "color": { 41 | "color": "lightgray" 42 | }, 43 | "from": 5, 44 | "length": 200, 45 | "to": 6 46 | }, 47 | { 48 | "arrows": "to", 49 | "color": { 50 | "color": "lightgray" 51 | }, 52 | "from": 6, 53 | "length": 200, 54 | "to": 7 55 | }, 56 | { 57 | "arrows": "to", 58 | "color": { 59 | "color": "lightgray" 60 | }, 61 | "from": 7, 62 | "length": 200, 63 | "to": 8 64 | }, 65 | { 66 | "arrows": "to", 67 | "color": { 68 | "color": "lightgray" 69 | }, 70 | "from": 8, 71 | "length": 200, 72 | "to": 9 73 | }, 74 | { 75 | "arrows": "to", 76 | "color": { 77 | "color": "lightgray" 78 | }, 79 | "from": 9, 80 | "length": 200, 81 | "to": 10 82 | } 83 | ]; 84 | exports.edges = edges; -------------------------------------------------------------------------------- 
/sysmon_search_plugin/public/dist/img/network/acceptDeleteIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/acceptDeleteIcon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/addNodeIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/addNodeIcon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/backIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/backIcon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/connectIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/connectIcon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/cross.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/cross.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/cross2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/cross2.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/deleteIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/deleteIcon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/downArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/downArrow.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/editIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/editIcon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/leftArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/leftArrow.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/minus.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/minus.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/plus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/plus.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/rightArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/rightArrow.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/upArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/upArrow.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/img/network/zoomExtends.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/dist/img/network/zoomExtends.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/dist/visual.css: -------------------------------------------------------------------------------- 1 | .square { 2 | width: 16px; 3 | height: 16px; 4 | float: left; 5 | margin-right: 10px; 6 | } 7 | 8 | .visgroup0 { 9 | fill: 
#87CEFA; 10 | } 11 | 12 | .visgroup1 { 13 | fill: #FFDEAD; 14 | } 15 | 16 | .visgroup2 { 17 | fill: #7B68EE; 18 | } 19 | 20 | .visgroup3 { 21 | fill: #8FBC8F; 22 | } 23 | 24 | .visgroup4 { 25 | fill: #FF3366; 26 | } 27 | 28 | .visgroup5 { 29 | fill: #33FFFF; 30 | } 31 | 32 | .visgroup6 { 33 | fill: #666699; 34 | } 35 | 36 | .visgroup7 { 37 | fill: #00FA9A; 38 | } 39 | 40 | .visgroup8 { 41 | fill: #FF00FF; 42 | } 43 | 44 | .visgroup9 { 45 | fill: #FFA500; 46 | } 47 | 48 | .visgroup10 { 49 | fill: #6B8E23; 50 | } 51 | 52 | #square0 { 53 | background: #87CEFA; 54 | } 55 | 56 | #square1 { 57 | background: #FFDEAD; 58 | } 59 | 60 | #square2 { 61 | background: #7B68EE; 62 | } 63 | 64 | #square3 { 65 | background: #8FBC8F; 66 | } 67 | 68 | #square4 { 69 | background: #FF3366; 70 | } 71 | 72 | #square5 { 73 | background: #33FFFF; 74 | } 75 | 76 | #square6 { 77 | background: #666699; 78 | } 79 | 80 | #square7 { 81 | background: #00FA9A; 82 | } 83 | 84 | #square8 { 85 | background: #FF00FF; 86 | } 87 | 88 | #square9 { 89 | background: #FFA500; 90 | } 91 | 92 | #square10 { 93 | background: #6B8E23; 94 | } 95 | 96 | path { stroke: #fff; } 97 | .axis { font: 10px sans-serif; } 98 | .legend tr{ border-bottom:1px solid grey; } 99 | .legend tr:first-child{ border-top:1px solid grey; } 100 | 101 | .x.axis text{transform: rotateZ(10deg);} 102 | 103 | .axis path, 104 | .axis line { 105 | fill: none; 106 | stroke: #000; 107 | shape-rendering: crispEdges; 108 | } 109 | 110 | /*.x.axis path { display: none; }*/ 111 | 112 | .legend{ 113 | margin:30px; 114 | display:inline-block; 115 | border-collapse: collapse; 116 | border-spacing: 0px; 117 | } 118 | 119 | .legend td{ 120 | vertical-align:bottom; 121 | } 122 | 123 | .legendFreq, .legendPerc{ 124 | align:right; 125 | width:20px; 126 | } 127 | 128 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/arrow01.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/arrow01.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/file.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/file_create_time.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/file_create_time.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/image_loaded.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/image_loaded.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/net.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/net.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/program.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/program.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/reg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/reg.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/reg_category.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/reg_category.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/rthread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/rthread.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/search_icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/search_icon.png -------------------------------------------------------------------------------- /sysmon_search_plugin/public/images/wmi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_plugin/public/images/wmi.png 
-------------------------------------------------------------------------------- /sysmon_search_plugin/public/less/main.less: -------------------------------------------------------------------------------- 1 | .container { 2 | margin-top: 30px; 3 | } 4 | 5 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/routes.js: --------------------------------------------------------------------------------
import uiRoutes from 'ui/routes';

import hostsHTML from './templates/hosts.html';
import eventHTML from './templates/event.html';
import host_statisticHTML from './templates/host_statistic.html';
import process_listHTML from './templates/process_list.html';
import PTreeHTML from './templates/process_tree.html';
import POverviewHTML from './templates/overview.html';
import PDetailHTML from './templates/detail.html';
import alertHTML from './templates/alert.html';
import searchHTML from './templates/search.html';
import dashboardHTML from './templates/dashboard.html';

// Route table: [URL pattern, template, controller name].
// Every view exposes its controller as `ctrl`, so only these three vary.
const ROUTES = [
  ['/', hostsHTML, 'hostsController'],
  ['/hosts', hostsHTML, 'hostsController'],
  ['/host_statistic/:hostname/:date', host_statisticHTML, 'host_statisticController'],
  ['/event/:hostname/:date', eventHTML, 'eventController'],
  ['/process_list/:hostname/:eventtype/:date/:_id', process_listHTML, 'process_listController'],
  ['/process/:hostname/:date/:guid?', PTreeHTML, 'processController'],
  ['/process_overview/:hostname/:date/:guid', POverviewHTML, 'process_overviewController'],
  ['/process_detail/:hostname/:date/:guid/:_id', PDetailHTML, 'process_detailController'],
  ['/alert', alertHTML, 'alertController'],
  ['/search', searchHTML, 'searchController'],
  ['/dashboard', dashboardHTML, 'dashboardController']
];

uiRoutes.enable();
// Registered in table order; each call goes to uiRoutes directly rather than
// relying on the return value of the previous .when().
ROUTES.forEach(function (route) {
  uiRoutes.when(route[0], {
    template: route[1],
    controller: route[2],
    controllerAs: 'ctrl'
  });
});

module.exports = uiRoutes
-------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/alert.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Event List 5 | 6 | 17 | 18 | 19 |
20 | 21 | 24 | 25 | 41 |
42 | 43 |
44 |

{{ lang["ALERT_H2"] }}

45 |
46 |
47 | 49 |
50 |
51 |
52 | 53 |
54 | 55 |
{{ lang["ALERT_DETECTION_BOX"] }}
56 |
57 | 58 | 63 |
{{rule.value}} 59 | 60 | {{ lang["ALERT_DELETE_BUTTON"] }} 61 | 62 |
64 |
65 | 66 | 67 |
68 |
69 | 70 |
71 |
{{ lang["RESULTBOX_RESULT"] }}
72 | 73 |
74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 |
{{ lang["RESULTBOX_NUMBER_OF_RECORDS"] }}{{ lang["RESULTBOX_UNIQUE_HOSTS"] }}
{{data.rulename}}{{data.hit}}{{data.unique_hosts}}
90 |
91 | 92 |
93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 |
{{ lang["ALERT_TABLE_HOST_NAME"] }}{{ctrl.key}}{{ lang["ALERT_TABLE_RECORDS"] }}{{ctrl.doc_count}}
{{data.key}}{{data.doc_count}}
107 |
108 | 109 |
result
110 | 111 | 112 | 113 | 114 | 115 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 131 | 136 | 137 | 140 | 141 | 142 | 143 |
UtcTime{{ctrl.utc_time}}EventId{{ctrl.event_id}}Computer{{ctrl.computer_name}}UserName{{ctrl.user_name}}Image{{ctrl.image}}RuleName{{ctrl.rulename}}
{{data.utc_time}}{{data.event_id}} 132 | {{data.computer_name}}
133 | {{lang.RESULTBOX_LINKNAME_TABLE}} 134 | {{lang.RESULTBOX_LINKNAME_GRAPH}} 135 |
{{data.user_name}} 138 | {{data.image}} 139 | {{data.rule_name}}
144 |
145 | 146 | 147 |
148 |
149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/dashboard.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | statistics 6 | 7 | 8 | 9 | 10 |
11 | 12 | 15 | 16 | 32 | 33 |
34 | 35 |
36 |

{{ lang["STATISTICS_H2"] }}

37 | 38 | 39 |
40 | 41 |
42 | 44 |
45 | 46 |
47 | 48 | 49 |
50 | {{ lang["STATISTICS_TOTAL"] }}:{{ctrl.total}} 51 |
52 | 53 |
54 | 55 |
56 |
{{ lang["STATISTICS_DESTINATION_ADDRESS"] }}
57 |
{{ lang["STATISTICS_DESTINATION_PORT"] }}
58 |
59 | 60 |
61 |
{{ lang["STATISTICS_PROCESS"] }}
62 |
{{ lang["STATISTICS_REGISTRY_EVENT"] }}
63 |
64 | 65 |
66 | 67 | 68 |
69 | 70 | 71 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/detail.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Detail 5 | 6 | 7 | 8 |
9 |
10 | 15 | 31 |
32 |

{{ lang["DETAIL_H2"] }}

33 |

{{ lang["TARGET_HOSTNAME"] }}:{{ctrl.hostname}}

34 |

{{ lang["TARGET_DATE"] }}:{{ctrl.date}}

35 |

{{ lang["TARGET_PROCESS"] }}:{{ctrl.image}}

36 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 |
{{ lang["PROCESS_TABLE_DATE"] }}{{ lang["PROCESS_TABLE_TYPE"] }}{{ lang["PROCESS_TABLE_SOURCE"] }}{{ lang["PROCESS_TABLE_VALUE"] }}
{{day_data.date}}{{day_data.type}}{{day_data.process}}{{day_data.disp}}
69 |
70 |
71 |
72 | 73 | 74 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/event.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Event List 5 | 6 | 7 | 8 | 9 | 10 |
11 | 14 | 15 | 31 | 32 |
33 | 34 | 35 | 36 |
{{ lang["EVENTSUMMARY_H2"] }}{{ lang["TARGET_HOSTNAME"] }}{{ctrl.hostname}}{{ lang["TARGET_DATE"] }}{{ctrl.date}}
37 | 38 | 39 |
40 |
41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 |
{{ lang["EVENTSUMMARY_TABLE_TYPE"] }}{{ lang["EVENTSUMMARY_TABLE_NUM"] }}Percentage
{{day_data.type}}
{{day_data.value}}{{(day_data.value/ctrl.total)*100 | number:0}} %
Total{{ctrl.total}}{{ lang["CORRELATION_H2"] }}
63 |
64 |
65 | 66 |
67 | 68 | 69 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/host_statistic.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Event List 5 | 6 | 7 | 8 | 9 |
10 | 11 | 14 | 15 | 31 |
32 |
33 |

{{ lang["HOSTSTATS_H2"] }}

34 |
35 | 36 |
37 | 38 |
39 | 40 |
41 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 57 | 58 | 59 |
{{ lang["EVENTSUMMARY_TABLE_TYPE"] }}
56 | {{day_data.type}}
60 | 61 |
62 | 63 |
64 | 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/hosts.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Hosts List 5 | 17 | 18 | 19 | 20 |
21 | 24 | 40 | 41 |
42 |
43 |

{{ lang["EVENT_H2"] }}

44 |
45 | 46 |
47 |
{{ lang["EVENT_DETECTIONBOX_SEARCH_FIELD"] }}
48 |
49 | 50 | 51 | 52 | 55 | 58 | 61 | 64 | 65 | 66 | 69 | 72 | 73 | 74 |
53 | {{ lang["EVENT_DETECTIONBOX_AFTER"] }} 54 | 56 | 57 | 59 | {{ lang["EVENT_DETECTIONBOX_BEFORE"] }} 60 | 62 | 63 |
67 | {{ lang["EVENT_DETECTIONBOX_HOSTNAME"] }} 68 | 70 | 71 |
75 | 76 |
77 | 78 |
79 | 80 | 81 |
result
82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 94 | 95 | 96 |
{{ lang["EVENT_TABLE_DATE"] }}{{ lang["EVENT_TABLE_HOSTNAME"] }}{{ lang["EVENT_TABLE_EVENTNUM"] }}
{{day_data.date}} 90 | {{item.key}} 91 | 92 | {{item.doc_count}} 93 |
97 | 98 | 99 | 100 | 104 |
105 | 106 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/overview.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Overview 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
13 | 14 | 15 | 16 | 32 | 33 |
34 | 35 |
36 | 41 |
42 |

{{ lang["PCR_H2"] }}

43 | 44 | 45 | 46 | 47 | 48 | 49 |
GUID{{ctrl.guid}}{{ lang["TARGET_HOSTNAME"] }}{{ctrl.hostname}}{{ lang["TARGET_DATE"] }}{{ctrl.date}}
50 |
51 | 52 | 90 | 91 | 92 |
93 |
94 |
{{ctrl.message}}
95 |

97 |
98 | 99 |
100 |
101 | 102 | 103 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/process_list.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Event List 5 | 8 | 9 | 10 | 11 |
12 | 13 | 16 | 17 | 33 | 34 |
35 | 41 | 42 |
43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 |
{{ lang["PROCESS_H2"] }} {{ lang["TARGET_HOSTNAME"] }}{{ctrl.hostname}}{{ lang["TARGET_DATE"] }}{{ctrl.date}}Total{{ctrl.data.length}}
51 |
52 | 53 | 70 | 71 |
72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 |
record_id{{ lang["PROCESS_TABLE_DATE"] }}{{ lang["PROCESS_TABLE_TYPE"] }}{{ lang["PROCESS_TABLE_SOURCE"] }}{{ lang["PROCESS_TABLE_VALUE"] }}
{{day_data.number}}{{day_data.date}}{{day_data.type}}{{day_data.process}}{{day_data.disp}}
92 |
93 | 94 |
95 | 96 | 97 | 98 | 99 | -------------------------------------------------------------------------------- /sysmon_search_plugin/public/templates/process_tree.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | process tree 5 | 6 | 7 | 14 | 15 | 16 | 17 | 18 |
19 | 22 | 38 |
39 | 44 | 45 |
46 | 47 | 48 | 49 | 50 | 51 | 52 |
{{ lang["CORRELATION_H2"] }} {{ lang["TARGET_HOSTNAME"] }}{{ctrl.hostname}}{{ lang["TARGET_DATE"] }}{{ctrl.date}}
53 |
54 | 55 | 96 | 97 |
98 |

100 |
101 | 102 |
103 | 104 |
105 |
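106 | 107 | 108 | -------------------------------------------------------------------------------- /sysmon_search_plugin/server/__tests__/index.js: -------------------------------------------------------------------------------- 1 | import expect from 'expect.js'; 2 | 3 | describe('suite', () => { 4 | it('is a test', () => { 5 | expect(true).to.equal(true); 6 | }); 7 | }); 8 | -------------------------------------------------------------------------------- /sysmon_search_plugin/server/routes/search/Utils.js: --------------------------------------------------------------------------------
// Milliseconds in one hour; used for the +/- window in get_range_datetime.
var ONE_HOUR_MS = 60 * 60 * 1000;

/**
 * Shared helpers for the search route handlers: Sysmon event-id to category
 * mapping and UTC date-range / timestamp formatting for Elasticsearch queries.
 */
var Utils = {
  /**
   * Map a Sysmon event id to the category name used by the plugin.
   * Ids 12/13/14 collapse into "registry" and 19/20/21 into "wmi"; any id not
   * listed (id 5, process terminated, is deliberately left out) is "other".
   * @param {number} event_id Sysmon EventID; compared with ===, so pass a number
   * @returns {string} category name
   */
  eventid_to_type: function(event_id) {
    switch (event_id) {
      case 1:
        return "create_process";
      case 2:
        return "file_create_time";
      case 3:
        return "net_access";
      case 7:
        return "image_loaded";
      case 8:
        return "remote_thread";
      case 11:
        return "create_file";
      case 12:
      case 13:
      case 14:
        return "registry";
      case 19:
      case 20:
      case 21:
        return "wmi";
      case 22:
        return "dns";
      default:
        return "other";
    }
  },

  /**
   * Build a window of +/- `hours` around a Sysmon UtcTime string of the form
   * "YYYY-MM-DD HH:MM:SS.mmm" (space separated, UTC).
   * @param {string} date UtcTime text as stored in event_data
   * @param {number} [hours=1] half-width of the window in hours
   * @returns {{start_date: string, end_date: string}} bounds formatted by date_to_text
   */
  get_range_datetime: function(date, hours) {
    var span_ms = (hours === undefined ? 1 : Number(hours)) * ONE_HOUR_MS;
    // Re-join the date and time halves into an ISO-8601 UTC string so that
    // Date() parses it as UTC rather than local time.
    var base_date = new Date(date.slice(0, 10) + "T" + date.slice(11, 23) + "Z");
    // Shift by absolute milliseconds: setHours() works in local time and can
    // be off by an hour across a DST transition.
    var start_date = new Date(base_date.getTime() - span_ms);
    var end_date = new Date(base_date.getTime() + span_ms);
    return {"start_date": this.date_to_text(start_date), "end_date": this.date_to_text(end_date)};
  },

  /**
   * Build a window on a given day between two "HH:MM" clock times (UTC).
   * Seconds/milliseconds of the start come from `date`; the end is set to :59 s.
   * @param {string|number|Date} date anything Date() accepts
   * @param {string} start_time "HH:MM"
   * @param {string} end_time "HH:MM"
   * @returns {{start_date: string, end_date: string}} bounds formatted by date_to_text
   */
  get_range_datetime2: function(date, start_time, end_time) {
    var base_date = new Date(date);
    var start_date = new Date(base_date.getTime());
    var end_date = new Date(base_date.getTime());

    var start_parts = start_time.split(':');
    var end_parts = end_time.split(':');

    start_date.setUTCHours(parseInt(start_parts[0], 10), parseInt(start_parts[1], 10));
    end_date.setUTCHours(parseInt(end_parts[0], 10), parseInt(end_parts[1], 10), 59);

    return {"start_date": this.date_to_text(start_date), "end_date": this.date_to_text(end_date)};
  },

  /**
   * Format two epoch-millisecond values as a window.
   * @param {number} start_time epoch milliseconds
   * @param {number} end_time epoch milliseconds
   * @returns {{start_date: string, end_date: string}} bounds formatted by date_to_text
   */
  get_range_datetime3: function(start_time, end_time) {
    var start_date = new Date();
    var end_date = new Date();
    start_date.setTime(start_time);
    end_date.setTime(end_time);
    return {"start_date": this.date_to_text(start_date), "end_date": this.date_to_text(end_date)};
  },

  /**
   * Render a Date as "YYYY-MM-DDTHH:MM:SSZ" (UTC, second precision;
   * milliseconds are dropped).
   * @param {Date} date
   * @returns {string}
   */
  date_to_text: function(date) {
    var y = this.padding(date.getUTCFullYear(), 4),
        m = this.padding(date.getUTCMonth() + 1, 2),
        d = this.padding(date.getUTCDate(), 2),
        h = this.padding(date.getUTCHours(), 2),
        min = this.padding(date.getUTCMinutes(), 2),
        s = this.padding(date.getUTCSeconds(), 2);
    return [y, m, d].join('-') + 'T' + [h, min, s].join(':') + 'Z';
  },

  /**
   * Left-pad n to d characters with p (default "0"); an input longer than d
   * characters is truncated to its last d characters.
   * @param {number|string} n value to pad
   * @param {number} d target width
   * @param {string} [p="0"] pad character
   * @returns {string}
   */
  padding: function(n, d, p) {
    p = p || '0';
    return (p.repeat(d) + n).slice(-d);
  }
}

module["exports"] = Utils;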
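-------------------------------------------------------------------------------- /sysmon_search_plugin/server/routes/search/alert_data.js: --------------------------------------------------------------------------------
const Utils = require('./Utils');

/**
 * Query the alert index (sysmon-search-alert-*) for hits inside a time range
 * and summarise them per rule and per host.
 *
 * @param {object} sysmon plugin context; only sysmon.client.search() is used
 * @param {object} data   request parameters:
 *   - data.query      body of the range clause applied to @timestamp
 *   - data.sort_item  field the hits are sorted on
 *   - data.sort_order "asc" / "desc"
 * @returns {Promise<{total: *, hits: object[], unique_hosts: object[], table_data: object[]}>}
 *   `total` is el_result.hits.total passed through unchanged.
 *   NOTE(review): that is an integer on older Elasticsearch and an object on
 *   7.x -- confirm which one the UI expects.
 */
async function alertData(sysmon, data) {
  // NOTE(review): sort_item names an index field and comes straight from the
  // request. It is sent as a JSON value (no string building), but an allow-list
  // of sortable fields would stop callers from sorting on arbitrary mappings.
  var sort_item = {};
  sort_item[data.sort_item] = data.sort_order;
  var sort = [sort_item];

  var searchObj = {
    "size": 10000,
    "query": {
      "bool": {
        "must": [{
          "range": {"@timestamp": data.query}
        }]
      }
    },
    "aggs": {
      "unique_hosts": {
        "terms": {
          "field": "computer_name.keyword",
          "size" : 100000
        }
      },
      "tabledata": {
        "terms": {
          "field": "rule.file_name.keyword",
          "size" : 100000
        },
        "aggs": {
          "hosts": {
            "terms": {
              "field": "computer_name.keyword",
              "size" : 100000
            }
          }
        }
      }
    },
    "sort": sort,
    "_source": [
      "record_number",
      "event_id",
      "level",
      "computer_name",
      "event_data",
      "@timestamp",
      "rule",
      "original_id"
    ]
  };

  const el_result = await sysmon.client.search({
    index: 'sysmon-search-alert-*',
    body: searchObj
  });
  console.log(JSON.stringify(searchObj));

  var results = [];
  var results_count = 0;
  var unique_hosts = [];
  var tabledata = [];
  if (el_result !== null) {
    if (el_result.hits != null) {
      results_count = el_result.hits.total;
      for (const hit of (el_result.hits.hits || [])) {
        results.push(alertHit(hit._source));
      }
    }
    if (el_result.aggregations != null) {
      unique_hosts = el_result.aggregations.unique_hosts.buckets;
      tabledata = el_result.aggregations.tabledata.buckets;
    }
  }

  return {
    "total": results_count,
    "hits": results,
    "unique_hosts": unique_hosts,
    "table_data" : tabledata
  };
}

/**
 * Flatten one alert document (_source) into the row shape returned to the UI.
 * For event id 8 (mapped to "remote_thread" by Utils.eventid_to_type) the
 * process fields are taken from the *source* process of the event.
 * A document without event_data or rule yields undefined fields instead of
 * aborting the whole request.
 * @param {object} hit the document's _source
 * @returns {object} row
 */
function alertHit(hit) {
  var event_data = hit.event_data || {};
  var rules = Array.isArray(hit.rule) ? hit.rule : [];
  var row = {
    "number": hit.record_number,
    "utc_time": event_data.UtcTime,
    "event_id": hit.event_id,
    "level": hit.level,
    "computer_name": hit.computer_name,
    "user_name": event_data.User,
    "image": event_data.Image,
    "date": hit["@timestamp"],
    "rule": hit.rule,
    "process_guid": event_data.ProcessGuid,
    "description": Utils.eventid_to_type(hit.event_id),
    "rule_name": rules.length > 0 ? rules[0].file_name : undefined,
    "_id" : hit.original_id
  };
  if (hit.event_id == 8) {
    row["process_guid"] = event_data.SourceProcessGuid;
    row["image"] = event_data.SourceImage;
  }
  return row;
}

module.exports = alertData;
-------------------------------------------------------------------------------- /sysmon_search_plugin/server/routes/search/alert_host.js: --------------------------------------------------------------------------------
/**
 * List the hosts that have alert documents inside a time range.
 * @param {object} sysmon plugin context; only sysmon.client.search() is used
 * @param {object} data   data.query is the body of the range clause applied to @timestamp
 * @returns {Promise<object[]>} terms-aggregation buckets ({key, doc_count}); [] when absent
 */
async function alertHost(sysmon, data) {
  var uniqueHostObj = {
    "size": 0,
    "query": {
      "bool": {
        "must": [{
          "range": {"@timestamp": data.query}
        }]
      }
    },
    "aggs": {
      "unique_hosts": {
        "terms": {
          "field": "computer_name.keyword",
          "size" : 100000
        }
      }
    }
  };

  // The call must be closed with "})": the previous "};" left search( unclosed.
  const el_result = await sysmon.client.search({
    index: 'sysmon-search-alert-*',
    body: uniqueHostObj
  });

  var unique_hosts = [];
  if (el_result && el_result.aggregations != null) {
    unique_hosts = el_result.aggregations.unique_hosts.buckets;
  }
  return unique_hosts;
}

module.exports = alertHost;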
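-------------------------------------------------------------------------------- /sysmon_search_plugin/server/routes/search/alert_rule.js: --------------------------------------------------------------------------------
const util = require('util');
const sprintf = require('sprintf-js').sprintf;
const path = require('path');
const fs = require('fs');

const CONFIG_PATH = '../../../conf.js';
import {conf as config} from '../../../conf.js';

/** Left-pad n to d characters with p (default "0"); same helper as Utils.padding. */
function padding(n, d, p) {
  p = p || '0';
  return (p.repeat(d) + n).slice(-d);
};

/**
 * Build a rule file name from the current *local* time:
 * "rule-YYYYMMDDHHMMSSmmm.json" (Utils.date_to_text, by contrast, uses UTC).
 * @returns {string}
 */
function create_rule_filename() {
  var date = new Date(Date.now());
  var parts = [
    padding(date.getFullYear(), 4, "0"),
    padding(date.getMonth() + 1, 2, "0"),
    padding(date.getDate(), 2, "0"),
    padding(date.getHours(), 2, "0"),
    padding(date.getMinutes(), 2, "0"),
    padding(date.getSeconds(), 2, "0"),
    padding(date.getMilliseconds(), 3, "0")
  ];
  return 'rule-' + parts.join('') + '.json';
};

/**
 * Directory the rule files live in: `savepath` as given when absolute,
 * otherwise resolved relative to the directory holding conf.js.
 * @param {string} savepath config.savepath
 * @returns {string}
 */
function rule_dir(savepath) {
  var conf_dir = path.join(__dirname, path.dirname(CONFIG_PATH));
  return path.isAbsolute(savepath) ? savepath : path.join(conf_dir, savepath);
};

/**
 * Full path of one rule file inside the save directory.
 * @param {string} savepath config.savepath (absolute, or relative to conf.js)
 * @param {string} filename bare file name -- callers strip directory parts first
 * @returns {string}
 */
function create_fullpath(savepath, filename) {
  var conf_dir = path.join(__dirname, path.dirname(CONFIG_PATH));
  console.log("savepath:", savepath, "/filename:", filename, "/basedir:", conf_dir);
  return path.join(rule_dir(savepath), filename);
};

/**
 * Persist a search-criteria object as a new JSON rule file.
 * @param {object} params criteria to save (written with 2-space indentation)
 * @returns {{status: number, result: string}} status 200 on success; status 500
 *   with a generic message on failure. The error itself (which carries the
 *   on-disk path and errno) is logged server-side rather than handed back.
 */
const saveAlert = function (params) {
  var filename = create_rule_filename();
  var fullpath = create_fullpath(config.savepath, filename);
  console.log(fullpath);
  try {
    fs.writeFileSync(fullpath, JSON.stringify(params, null, 2));
    console.log("#---------- save search criteria/success ----------");
    var res = {
      'status': 200,
      'result': sprintf('succeeded to save rules in "%1$s".', fullpath)
    };
    console.log(res);
    return res;
  } catch (e) {
    console.error("#---------- save search criteria/fail ----------");
    console.error(util.inspect(e));
    return {
      'status': 500,
      'result': 'failed to save rules.'
    };
  }
}

/**
 * List the rule files currently in the save directory.
 * @param {object} params unused
 * @returns {Promise<string[]>} bare names of regular files; sub-directories and
 *   entries that cannot be stat'ed are skipped, and [] is returned when the
 *   directory itself cannot be read.
 */
const getAlert = async function (params) {
  var savepath = rule_dir(config.savepath);
  console.log(`savepath: ${savepath}`);
  var entries;
  try {
    entries = await fs.promises.readdir(savepath);
  } catch (err) {
    console.error("#---------- Acquisition of file list failed ----------");
    console.log(err);
    return [];
  }
  // fs.promises.readdir takes no callback, and an async predicate inside
  // Array.filter returns a (truthy) promise for every entry -- so the file
  // check is done here with an awaited stat per entry.
  var fileList = [];
  for (const file of entries) {
    try {
      const st = await fs.promises.stat(path.join(savepath, file));
      if (st.isFile()) fileList.push(file);
    } catch (err) {
      console.log(err);
    }
  }
  console.log("file list: " + fileList);
  return fileList;
}

/**
 * Delete one rule file by name.
 * @param {{filename: string}} params only path.basename(params.filename) is used,
 *   so the request cannot name a file outside the save directory
 * @returns {Promise<{data: number}>} 1 on success; -1 when the name is missing,
 *   is "." / "..", or the unlink fails
 */
const deleteAlert = async function (params) {
  var deleted = -1;
  const basename = params.filename ? path.basename(params.filename) : "";
  // "." and ".." survive path.basename and would resolve to a directory.
  if (basename !== "" && basename !== "." && basename !== "..") {
    const filepath = create_fullpath(config.savepath, basename);
    deleted = await fs.promises.unlink(filepath)
      .then(function () { return 1; })
      .catch(function () { return -1; });
  }
  return {
    data: deleted
  };
}

module.exports = {
  saveAlert,
  getAlert,
  deleteAlert
};
-------------------------------------------------------------------------------- /sysmon_search_plugin/server/routes/search/dashboard.js: --------------------------------------------------------------------------------
/**
 * Top-100 statistics for the dashboard from the sysmon-search-statistics-* index.
 * @param {object} sysmon plugin context; only sysmon.client.search() is used
 * @param {object} data   data.query is the body of the range clause applied to @timestamp
 * @returns {Promise<object>} one bucket array per aggregation name (empty when
 *   the aggregation is missing from the response) plus "total" copied from
 *   hits.total when hits are present.
 */
async function dashBoard(sysmon, data) {
  // Every aggregation is a terms bucket of size 100 on a keyword field;
  // only the field and the count ordering differ.
  function top100(field, order) {
    return {
      "terms": {
        "field": field,
        "order" : { "_count" : order },
        "size": 100
      }
    };
  }

  var searchObj = {
    "size": 0,
    "query": {
      "bool": {
        "must": [
          {"range":{"@timestamp": data.query}}
        ]
      }
    },
    "aggs": {
      "by_image_asc": top100("statistics_data.Image.keyword", "asc"),
      "by_image_desc": top100("statistics_data.Image.keyword", "desc"),
      "by_DestinationIp_asc": top100("statistics_data.DestinationIp.keyword", "asc"),
      "by_DestinationIp_desc": top100("statistics_data.DestinationIp.keyword", "desc"),
      "by_eventtype": top100("statistics_data.EventType.keyword", "asc"),
      "by_DestinationPort": top100("statistics_data.DestinationPort.keyword", "asc")
    }
  };

  const el_result = await sysmon.client.search({
    index: 'sysmon-search-statistics-*',
    body: searchObj
  });

  var results = {};
  const aggs = el_result.aggregations;
  // Object.keys preserves insertion order, so the result keys match the
  // aggregation order above.
  for (const key of Object.keys(searchObj.aggs)) {
    results[key] = (aggs != null && key in aggs) ? aggs[key]["buckets"] : [];
  }

  if (el_result.hits != null) results["total"] = el_result["hits"]["total"];

  return results;
}

module.exports = dashBoard;
-------------------------------------------------------------------------------- /sysmon_search_plugin/server/routes/search/events.js: 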
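--------------------------------------------------------------------------------
// Sysmon event id -> display category. Ids not listed here (5 process
// terminate, 6 driver load, 9 raw read, 10 process access, 17/18 pipe,
// 255 error, ...) are counted under "other".
const EVENT_CATEGORY = {
  1: "create_process",
  2: "file_create_time",
  3: "net_access",
  7: "image_loaded",
  8: "remote_thread",
  11: "create_file",
  12: "registry", 13: "registry", 14: "registry",
  19: "wmi", 20: "wmi", 21: "wmi",
  22: "dns",
};

// Category order is the group order handed to the graph.
const CATEGORIES = [
  "create_process",
  "file_create_time",
  "net_access",
  "image_loaded",
  "remote_thread",
  "create_file",
  "registry",
  "wmi",
  "dns",
  "other"
];

/** Category for a terms-bucket key (the id arrives as a number or a numeric string). */
function category_of(event_key) {
  return EVENT_CATEGORY[Number(event_key)] || "other";
}

/**
 * Per-day event counts by category for `hostname`.
 * `date` is either a range object (returns 2D-graph data
 * {items, groups, count}) or a single date string (returns pie-chart data
 * {count} for the first histogram bucket only, as before).
 * Fixes the original `event['key' == 14]`, which evaluated `event[false]`
 * and so silently dropped Sysmon event 14 (RegistryEvent rename) into
 * "other". The full-response console.log was removed: it dumped every
 * bucket on each request.
 */
async function events(sysmon, hostname, date) {
  const timestamp = (typeof date === "string")
    ? {"match": {"@timestamp": date}}
    : {"range": {"@timestamp": date}};
  const host = {};
  host[sysmon.computer_name] = hostname;
  const searchObj = {
    "size": 0,
    "query": {
      "bool": {"must": [{"match": host}, {"match": sysmon.channel}, timestamp]}
    },
    "aggs": {
      "group_by": {
        // `interval` is the pre-7.2 parameter name; newer clusters expect calendar_interval.
        "date_histogram": {"field": "@timestamp", "interval": "1d", "format": "yyyy-MM-dd"},
        "aggs": {"event_id": {"terms": {"field": sysmon.event_id, "size": 100000}}}
      }
    }
  };

  const el_result = await sysmon.client.search({index: sysmon.index, body: searchObj});
  if (!el_result) return;

  const hits = el_result.aggregations ? el_result.aggregations.group_by.buckets : [];
  const results = {"items": [], "groups": CATEGORIES};
  for (const item of hits) {
    const cnt = {};
    for (const c of CATEGORIES) cnt[c] = 0;
    for (const event of item['event_id']['buckets']) {
      cnt[category_of(event['key'])] += event['doc_count'];
    }

    if (typeof date === "string") {
      return {"count": cnt};
    }
    results["count"] = cnt;

    let gid = 0;
    for (const [key, value] of Object.entries(cnt)) {
      results["items"].push({
        "group": gid,
        "x": item['key_as_string'],
        "y": value,
        "label": {"content": key, "yOffset": 20}
      });
      gid++;
    }
  }
  return results;
}

module.exports = events;
--------------------------------------------------------------------------------
/sysmon_search_plugin/server/routes/search/hosts.js: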
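--------------------------------------------------------------------------------
/**
 * Escape Elasticsearch wildcard metacharacters (`*`, `?`, `\`) so a client
 * keyword is matched literally inside the surrounding "*...*" pattern.
 * Without this a client can inject its own wildcards into the query.
 */
function escape_wildcard(s) {
  return String(s).replace(/[\\*?]/g, '\\$&');
}

/** True when `obj[key]` exists and is not undefined. */
function has(obj, key) {
  return key in obj && typeof obj[key] !== "undefined";
}

/**
 * Per-day list of computer names seen in the Sysmon channel.
 * `params` (optional): keyword — substring of the computer name (the
 * leading wildcard makes this expensive on large indices); fm_start_date /
 * fm_end_date — @timestamp range bounds forwarded to Elasticsearch.
 * Returns [{date, result: terms buckets}].
 */
async function searchHosts(sysmon, params) {
  const must = [{"match": sysmon.channel}];

  if (params && Object.keys(params).length !== 0) {
    if (has(params, "keyword") && params.keyword !== "") {
      const wildcard = {};
      wildcard[sysmon.computer_name] = "*" + escape_wildcard(params['keyword']) + "*";
      must.push({"wildcard": wildcard});
    }
    if (has(params, "fm_start_date") || has(params, "fm_end_date")) {
      const range = {};
      if (has(params, "fm_start_date")) range["gte"] = params.fm_start_date;
      if (has(params, "fm_end_date")) range["lte"] = params.fm_end_date;
      must.push({"range": {"@timestamp": range}});
    }
  }

  const searchObj = {
    "query": {"bool": {"must": must}},
    "aggs": {
      "group_by": {
        "date_histogram": {"field": "@timestamp", "interval": "1d", "format": "yyyy-MM-dd"},
        "aggs": {"computer_names": {"terms": {"size": 1000, "field": sysmon.computer_name}}}
      }
    }
  };
  console.log("[search hosts] " + JSON.stringify(searchObj));

  const el_result = await sysmon.client.search({index: sysmon.index, body: searchObj});

  const hits = el_result.aggregations ? el_result.aggregations.group_by.buckets : [];
  return hits.map(item => ({
    "date": item['key_as_string'],
    "result": item['computer_names']['buckets']
  }));
}

module.exports = searchHosts;
--------------------------------------------------------------------------------
/sysmon_search_plugin/server/routes/search/import_search.js:
--------------------------------------------------------------------------------
const request = require('request'); // deprecated upstream; kept for compatibility
import {conf as config} from '../../../conf.js';
const sprintf = require('sprintf-js').sprintf;

/**
 * Promise wrapper around request(). Resolves with the body on HTTP 200;
 * rejects with the transport error, or with an Error naming the status code
 * (the original rejected with `null` on any non-200 reply).
 */
async function doRequest(options) {
  return new Promise(function (resolve, reject) {
    request(options, function (err, res, body) {
      if (err) return reject(err);
      if (res.statusCode == 200) return resolve(res.body);
      reject(new Error(sprintf('import server returned HTTP %1$s', res.statusCode)));
    });
  });
}

/**
 * Resolve the client-supplied `part_url` against the configured import
 * server and refuse anything that does not stay on that origin.
 * The original concatenated the value onto 'http://host:port', so a value
 * such as "@attacker.example/" turned the configured host into URL userinfo
 * and sent the upload elsewhere (SSRF). The connection is plain HTTP as
 * configured; only use it on a trusted network segment.
 */
function import_server_url(part_url) {
  const base = new URL('http://' + config.import_server_url + ':' + config.import_server_port + '/');
  if (typeof part_url !== 'string' || !part_url.startsWith('/') || part_url.startsWith('//')) {
    throw new Error('invalid part_url');
  }
  const target = new URL(part_url, base);
  if (target.origin !== base.origin) throw new Error('invalid part_url');
  return target.href;
}

/**
 * Upload an IoC/STIX document to the stixioc import server and return its
 * parsed JSON response.
 * params: part_url (server path), contents (file body), filename, contenttype.
 * The request is logged without the file contents (the original logged the
 * whole params object, contents included).
 */
async function importSearchKeywords(params) {
  const url = import_server_url(params.part_url);
  const formData = {
    file: {
      value: Buffer.from(params.contents),
      options: {
        filename: params.filename,
        contentType: params.contenttype
      }
    }
  };
  console.log("#---------- request to STIX/IoC analyze server ----------");
  console.log(sprintf(
    '{ url: \'%1$s\', formData: { file: { value: <...>, options: { filename: \'%2$s\', contentType: \'%3$s\' } } } }',
    url, params.filename, params.contenttype
  ));
  const result = await doRequest({url: url, method: "POST", formData: formData, json: true});
  console.log("#---------- response from STIX/IoC analyze server ----------");
  console.log(JSON.stringify(result));
  return result;
}

module.exports = importSearchKeywords;
--------------------------------------------------------------------------------
/sysmon_search_plugin/server/routes/search/sm_search.js:
--------------------------------------------------------------------------------
const Utils = require('./Utils');
const makeQuery = require('./make_query');

// Shape accepted for a client-supplied sort field (an ES field path) and the two sort orders.
const SORT_ITEM_RE = /^[A-Za-z0-9_.@-]+$/;
const SORT_ORDERS = ["asc", "desc"];

/**
 * Append a lower-cased substring wildcard on `key` when
 * params["search_value_<num>"] is present. Not referenced elsewhere in this
 * file (makeQuery builds the query) and kept unchanged. Note str_escape does
 * not escape `*`/`?`, so the value can still carry its own wildcards.
 */
function set_wildcard_value(search_items, key, params, num) {
  const name = "search_value_" + num;
  if (name in params && typeof params[name] !== "undefined") {
    const match = {};
    match[key] = "*" + str_escape(params[name].toLowerCase()) + "*";
    search_items.push({"wildcard": match});
  }
  return search_items;
}

/** Backslash-escape `\`, `"` and `'`; null/undefined become "". */
function str_escape(str) {
  if (str == null) return "";
  const entityMap = {
    "\\": "\\\\",
    "\"": "\\\"",
    "\'": "\\\'"
  };
  return String(str).replace(/[\\\"\']/g, s => entityMap[s]);
}

/**
 * Validate the client-supplied sort field and order before they go into the
 * request body. The original sorted on whatever the client named; anything
 * outside the allowed shape is now rejected with an Error.
 */
function build_sort(params) {
  const item = params.sort_item;
  const order = params.sort_order;
  if (typeof item !== "string" || !SORT_ITEM_RE.test(item) || !SORT_ORDERS.includes(order)) {
    throw new Error("invalid sort parameters");
  }
  const sort_item = {};
  sort_item[item] = order;
  return [sort_item];
}

/**
 * Sysmon event search. Builds the query with makeQuery, pins the channel,
 * sorts by params.sort_item/sort_order and returns up to 10000 hits as
 * {total, hits: [...]}. Event 8 (CreateRemoteThread) reports the source
 * process/image. Documents without winlog.event_data or log no longer
 * throw; their fields come back undefined.
 */
async function smSearch(sysmon, params) {
  const must = await makeQuery(params, sysmon.map);
  must.push({"match": sysmon.channel});

  const searchObj = {
    "size": 10000,
    "query": {"bool": {"must": must}},
    "sort": build_sort(params),
    "_source": ["winlog", "log", "@timestamp"]
  };
  console.log("[smSearch] " + JSON.stringify(searchObj, null, 2));

  const el_result = await sysmon.client.search({index: sysmon.index, body: searchObj});

  const results = [];
  let results_count = 0;
  if ("hits" in el_result) {
    results_count = el_result.hits.total;
    for (const doc of el_result.hits.hits) {
      const hit = doc._source;
      const winlog = hit.winlog || {};
      const data = winlog.event_data || {};
      const tmp = {
        "number": winlog.record_id,
        "utc_time": data.UtcTime,
        "event_id": winlog.event_id,
        "level": hit.log ? hit.log.level : undefined,
        "computer_name": winlog.computer_name,
        "user_name": winlog.user ? winlog.user.name : "",
        "image": data.Image,
        "date": hit["@timestamp"],
        "process_guid": data.ProcessGuid,
        "description": Utils.eventid_to_type(winlog.event_id),
        "task": winlog.task,
        "_id": doc._id
      };
      if (winlog.event_id == 8) {
        tmp["process_guid"] = data.SourceProcessGuid;
        tmp["image"] = data.SourceImage;
      }
      results.push(tmp);
    }
  }
  return {"total": results_count, "hits": results};
}

module.exports = smSearch;
--------------------------------------------------------------------------------
/sysmon_search_plugin/server/routes/search/sm_unique_hosts.js:
--------------------------------------------------------------------------------
const makeQuery = require('./make_query');

/**
 * Distinct computer names matching the same criteria as smSearch.
 * Returns the terms buckets (default terms size, i.e. at most 10 hosts) or
 * undefined when the search produced no result object.
 */
async function sm_unique_hosts(sysmon, params) {
  const must = await makeQuery(params, sysmon.map);
  must.push({"match": sysmon.channel});
  const uniqueHostObj = {
    "query": {"bool": {"must": must}},
    "aggs": {"unique_hosts": {"terms": {"field": sysmon.computer_name}}}
  };
  console.log("[search unique host] " + JSON.stringify(uniqueHostObj, null, 2));

  const el_result = await sysmon.client.search({index: sysmon.index, body: uniqueHostObj});
  if (!el_result) return;
  return el_result.aggregations ? el_result.aggregations.unique_hosts.buckets : [];
}

module.exports = sm_unique_hosts;
--------------------------------------------------------------------------------
/sysmon_search_plugin/server/routes/test.js:
--------------------------------------------------------------------------------
// Developer debugging script; not wired into the plugin's routes.
// It requires ./Sysmon_Search_Logic, which is not present in the listed tree,
// so it only runs against a checkout that still carries that module.
var fs = require('fs');

const Sysmon_Search_Logic = require('./Sysmon_Search_Logic');

/** Dump the process-create (event 1) hits for `hostname` on `date` into debug.json. */
function get_test(hostname, date) {
  var obj = new Sysmon_Search_Logic('localhost', 9200);

  var searchObj = {
    "size": 1000,
    "query": {
      "bool": {
        "must": [
          {"match": {"computer_name": hostname}},
          {"match": {"event_id": 1}},
          {"match": {"@timestamp": date}}
        ]
      }
    },
    "sort": [{"@timestamp": "asc"}],
    "_source": ["record_number", "event_data"]
  };

  function get_datas(el_result) {
    // fs.writeFile requires a callback; without one current Node versions throw.
    fs.writeFile('debug.json', JSON.stringify(el_result, null, ' '), function (err) {
      if (err) console.error(err);
    });
  }

  obj.search(searchObj, get_datas);
}

/** Rebuild process trees from debug.json and print them as JSON. */
function test() {
  var datas = require('./debug.json');

  // Index hits by ProcessGuid and group them by ParentProcessGuid.
  function make_process_list(el_result) {
    var hits = el_result.hits.hits;
    var process_array = {};
    var p_process_array = {};

    for (var index in hits) {
      var item = hits[index]._source;
      var key = item['event_data']['ProcessGuid'];
      var pkey = item['event_data']['ParentProcessGuid'];

      // `index` is a string key here; Number() avoids "0" + 1 === "01".
      item['index'] = Number(index) + 1;
      item['key'] = key;
      item['pkey'] = pkey;

      var tmp = {
        "index": item.index,
        "key": item.key,
        "pkey": item.pkey,
        "number": item.record_number,
        "level": item.event_data.IntegrityLevel,
        "curdir": item.event_data.CurrentDirectory,
        "image": item.event_data.Image,
        "cmd": item.event_data.CommandLine,
        "guid": item.event_data.ProcessGuid,
        "date": item.event_data.UtcTime,
        "info": {
          'CurrentDirectory': item.event_data.CurrentDirectory,
          'CommandLine': item.event_data.CommandLine,
          'Hashes': item.event_data.Hashes,
          'ParentImage': item.event_data.ParentImage,
          'ParentProcessGuid': item.event_data.ParentProcessGuid,
          'ParentCommandLine': item.event_data.ParentCommandLine,
          'ProcessGuid': item.event_data.ProcessGuid,
          'Image': item.event_data.Image
        }
      };
      process_array[key] = tmp;
      if (!(pkey in p_process_array)) p_process_array[pkey] = [];
      p_process_array[pkey].push(tmp);
    }

    return [process_array, p_process_array];
  }

  // Walk up the parent chain from `cur`; the returned node is a synthesised
  // record for the first ancestor that has no event-1 record of its own.
  // The original tested `tmp in list` (the object, not its key), which is
  // never true, so it returned after a single step.
  function find_root_process(cur, list, p_list) {
    while (true) {
      var tmp_key = cur['pkey'];

      var tmp = {
        "index": -1,
        "key": tmp_key,
        "pkey": "",
        "number": -1,
        "level": '',
        "curdir": '',
        "image": cur.info.ParentImage,
        "guid": cur.info.ParentProcessGuid,
        "date": '',
        "info": {
          'CurrentDirectory': '',
          'CommandLine': cur.info.ParentCommandLine,
          'ProcessGuid': cur.info.ParentProcessGuid,
          'Hashes': '',
          'ParentProcessGuid': '',
          'ParentCommandLine': '',
          'Image': cur.info.ParentImage
        }
      };

      if (tmp_key in p_list && tmp_key in list) {
        cur = list[tmp_key];
      } else {
        return tmp;
      }
    }
  }

  // Depth-first expansion of cur.current's children; removes visited keys from `list`.
  function make_process_tree(cur, list, p_list) {
    if (cur.current != null && cur.current.key != null) {
      var key = cur.current.key;
      delete list[key];

      for (var index in p_list[key]) {
        var tmp = {
          'current': p_list[key][index],
          'parent': cur.current,
          'child': []
        };
        cur.child.push(tmp);
        make_process_tree(tmp, list, p_list);
      }
    }
  }

  var lists = make_process_list(datas);
  var process_array = lists[0];
  var p_process_array = lists[1];

  var process_tree = [];
  for (var index in process_array) {
    console.log("================================");
    console.log(index);
    var item = process_array[index];
    var tmp = find_root_process(item, process_array, p_process_array);

    var root = {
      'current': tmp,
      'parent': null,
      'child': []
    };
    make_process_tree(root, process_array, p_process_array);
    process_tree.push(root);
  }
  console.log("================================");
  console.log(JSON.stringify(process_tree, null, ' '));
}

if (require.main === module) {
  function debug(result) {
    console.log("################################");
    console.log(JSON.stringify(result, null, '\t'));
  }

  var obj = new Sysmon_Search_Logic('localhost', 9200);
  obj.process_start_end("practice7test", "2018-02-14", "1518570000000", "1518580859000", null, debug);
}
--------------------------------------------------------------------------------
/sysmon_search_plugin/winlogbeat.yml:
--------------------------------------------------------------------------------
title: Elastic Winlogbeat (from 7.x) index pattern and field mapping
order: 20
backends:
  - es-qs
  - es-dsl
  - kibana
  - xpack-watcher
  - elastalert
  - elastalert-dsl
logsources:
  windows:
    product: windows
    index: winlogbeat-*
  windows-application:
    product: windows
    service: application
    conditions:
      winlog.channel: Application
  windows-security:
    product: windows
    service: security
    conditions:
      winlog.channel: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      winlog.channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    service: dhcp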
conditions: 43 | winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational' 44 | defaultindex: winlogbeat-* 45 | # Extract all field names with yq: 46 | # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' 47 | # Keep EventID! Clean up the list afterwards! 48 | fieldmappings: 49 | EventID: winlog.event_id 50 | EventData: winlog.event_data 51 | RecordID: winlog.record_id 52 | AccessMask: winlog.event_data.AccessMask 53 | AccountName: winlog.event_data.AccountName 54 | AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo 55 | AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName 56 | AuditPolicyChanges: winlog.event_data.AuditPolicyChanges 57 | AuthenticationPackageName: winlog.event_data.AuthenticationPackageName 58 | CallingProcessName: winlog.event_data.CallingProcessName 59 | CallTrace: winlog.event_data.CallTrace 60 | CommandLine: winlog.event_data.CommandLine 61 | ComputerName: winlog.computer_name 62 | CurrentDirectory: winlog.event_data.CurrentDirectory 63 | Description: winlog.event_data.Description 64 | DestinationHostname: winlog.event_data.DestinationHostname 65 | DestinationIp: winlog.event_data.DestinationIp 66 | DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 67 | DestinationPort: winlog.event_data.DestinationPort 68 | Details: winlog.event_data.Details 69 | EngineVersion: winlog.event_data.EngineVersion 70 | EventType: winlog.event_data.EventType 71 | FailureCode: winlog.event_data.FailureCode 72 | FileName: winlog.event_data.FileName 73 | GrantedAccess: winlog.event_data.GrantedAccess 74 | GroupName: winlog.event_data.GroupName 75 | GroupSid: winlog.event_data.GroupSid 76 | Hashes: winlog.event_data.Hashes 77 | HiveName: winlog.event_data.HiveName 78 | HostVersion: winlog.event_data.HostVersion 79 | Image: winlog.event_data.Image 80 | ImageLoaded: winlog.event_data.ImageLoaded 81 | ImagePath:
winlog.event_data.ImagePath 82 | Imphash: winlog.event_data.Imphash 83 | IpAddress: winlog.event_data.IpAddress 84 | KeyLength: winlog.event_data.KeyLength 85 | LogonProcessName: winlog.event_data.LogonProcessName 86 | LogonType: winlog.event_data.LogonType 87 | NewProcessName: winlog.event_data.NewProcessName 88 | ObjectClass: winlog.event_data.ObjectClass 89 | ObjectName: winlog.event_data.ObjectName 90 | ObjectType: winlog.event_data.ObjectType 91 | ObjectValueName: winlog.event_data.ObjectValueName 92 | ParentCommandLine: winlog.event_data.ParentCommandLine 93 | ParentProcessGuid: winlog.event_data.ParentProcessGuid 94 | ParentProcessName: winlog.event_data.ParentProcessName 95 | ParentImage: winlog.event_data.ParentImage 96 | Path: winlog.event_data.Path 97 | PipeName: winlog.event_data.PipeName 98 | ProcessCommandLine: winlog.event_data.ProcessCommandLine 99 | ProcessGuid: winlog.event_data.ProcessGuid 100 | ProcessName: winlog.event_data.ProcessName 101 | Protocol: winlog.event_data.Protocol 102 | Properties: winlog.event_data.Properties 103 | QueryName: winlog.event_data.QueryName 104 | QueryStatus: winlog.event_data.QueryStatus 105 | QueryResults: winlog.event_data.QueryResults 106 | SecurityID: winlog.event_data.SecurityID 107 | ServiceFileName: winlog.event_data.ServiceFileName 108 | ServiceName: winlog.event_data.ServiceName 109 | ShareName: winlog.event_data.ShareName 110 | Signature: winlog.event_data.Signature 111 | Source: winlog.event_data.Source 112 | SourceHostname: winlog.event_data.SourceHostname 113 | SourceImage: winlog.event_data.SourceImage 114 | SourceIp: winlog.event_data.SourceIp 115 | SourceIsIpv6: winlog.event_data.SourceIsIpv6 116 | SourceProcessGuid: winlog.event_data.SourceProcessGuid 117 | StartAddress: winlog.event_data.StartAddress 118 | StartModule: winlog.event_data.StartModule 119 | Status: winlog.event_data.Status 120 | SubjectUserName: winlog.event_data.SubjectUserName 121 | SubjectUserSid: winlog.event_data.SubjectUserSid 
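  TargetFilename: winlog.event_data.TargetFilename
  TargetImage: winlog.event_data.TargetImage
  TargetObject: winlog.event_data.TargetObject
  TicketEncryptionType: winlog.event_data.TicketEncryptionType
  TicketOptions: winlog.event_data.TicketOptions
  User: winlog.event_data.User
  UtcTime: winlog.event_data.UtcTime
  WorkstationName: winlog.event_data.WorkstationName
--------------------------------------------------------------------------------
/sysmon_search_r/.kibana-plugin-helpers.json:
--------------------------------------------------------------------------------
{
  "styleSheetToCompile": "public/app.scss"
}
--------------------------------------------------------------------------------
/sysmon_search_r/conf.js:
--------------------------------------------------------------------------------
// Server-side configuration for the sysmon_search_r Kibana plugin.
// Values are read by the route handlers via `import {conf as config}`.
var conf = {
  // Elasticsearch server host
  "elasticsearch_url": "localhost",
  // Elasticsearch server port
  "elasticsearch_port": "9200",
  // Directory where monitor rule files are written and deleted.
  // SECURITY: /tmp is world-writable, so any local user can pre-create or
  // replace files (or plant a symlink) under this path. Point it at a
  // directory owned by the Kibana service user for a real deployment.
  "savepath": "/tmp/rule_files",
  // stixioc import server host (reached over plain HTTP by import_search)
  "import_server_url": "localhost",
  // stixioc import server port
  "import_server_port": "56020",
  // Time range in hours used when refining a search (interpretation is in the consumers; verify there).
  "refine_time_range": "1",
  // Maximum number of objects to render
  "max_object_num": "30",
  // SECURITY: these are the Elastic stack's well-known default credentials,
  // committed in clear text. Change them before deploying and prefer
  // supplying them through the environment or the Kibana keystore rather
  // than editing this file.
  "elasticsearch_user": "elastic",
  "elasticsearch_password": "changeme",
};
exports.conf = conf;
--------------------------------------------------------------------------------
/sysmon_search_r/index.js:
--------------------------------------------------------------------------------
import { resolve } from 'path';
import { existsSync } from 'fs';

//import Route from './server/routes/sysmon_search';

/**
 * Kibana plugin definition for SysmonSearch R.
 * Server routes are not registered (the Route import and call are commented
 * out), so as listed the plugin ships only the UI app.
 */
export default function (kibana) {
  return new kibana.Plugin({
    require: ['elasticsearch'],
    name: 'sysmon_search_r',
    uiExports: {
      app: {
        title: 'SysmonSearch R',
        description: 'An awesome Kibana plugin',
        main: 'plugins/sysmon_search_r/app',
      },
    },

    config(Joi) {
      return Joi.object({
        enabled: Joi.boolean().default(true),
      }).default();
    },

    init(server, options) { // eslint-disable-line no-unused-vars
      //Route(server);
    }
  });
}
--------------------------------------------------------------------------------
/sysmon_search_r/package.json:
--------------------------------------------------------------------------------
{
  "name": "sysmon_search_r",
  "version": "0.0.0",
  "description": "An awesome Kibana plugin",
  "main": "index.js",
  "kibana": {
    "version": "kibana",
    "templateVersion": "1.0.0"
  },
  "dependencies": {
    "lodash": "^4.17.15",
    "query-string": "^6.10.1"
  }
}
--------------------------------------------------------------------------------
/sysmon_search_r/public/app.js:
--------------------------------------------------------------------------------
import React from 'react';
import { uiModules } from 'ui/modules';
import chrome from 'ui/chrome';
import { render, unmountComponentAtNode } from 'react-dom';

import 'ui/autoload/styles';
import { Main } from './components/main';

const app = uiModules.get('apps/sysmon_search_r');

// Legacy (non-HTML5) routing with Kibana's own state management disabled.
app.config($locationProvider => {
  $locationProvider.html5Mode({
    enabled: false,
    requireBase: false,
    rewriteLinks: false,
  });
});
app.config(stateManagementConfigProvider =>
  stateManagementConfigProvider.disable()
);

// Mounts the React root into the Angular controller's element and unmounts it
// on $destroy so the component tree does not leak across navigations.
// NOTE: the JSX element passed to render() was lost in this listing; the
// first argument below is not visible in the source as captured.
function RootController($scope, $element, $http) {
  const domNode = $element[0];
  render(
    ,domNode
  );

  // unmount react on controller destroy
  $scope.$on('$destroy', () => {
    unmountComponentAtNode(domNode);
  });
}
chrome.setRootController('sysmon_search_r', RootController);

--------------------------------------------------------------------------------
/sysmon_search_r/public/app.scss:
--------------------------------------------------------------------------------
#summary {
  padding:15px;
  max-width: 1280px;
  margin: 0 auto;
}

table.legend {
  float: left;
}

table.legend th {
  font-size:16px;
  padding:5px;

}

table.legend td {
  font-size:16px;
  padding:5px;
}

#piechart {
  float: left;
}

--------------------------------------------------------------------------------
/sysmon_search_r/public/components/main/dist/img/network/acceptDeleteIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/acceptDeleteIcon.png
--------------------------------------------------------------------------------
/sysmon_search_r/public/components/main/dist/img/network/addNodeIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/addNodeIcon.png
--------------------------------------------------------------------------------
/sysmon_search_r/public/components/main/dist/img/network/backIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/backIcon.png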
-------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/connectIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/connectIcon.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/cross.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/cross.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/cross2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/cross2.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/deleteIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/deleteIcon.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/downArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/downArrow.png 
-------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/editIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/editIcon.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/leftArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/leftArrow.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/minus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/minus.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/plus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/plus.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/rightArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/rightArrow.png 
-------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/upArrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/upArrow.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/img/network/zoomExtends.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/dist/img/network/zoomExtends.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/esm/index.d.ts: -------------------------------------------------------------------------------- 1 | export * from "./vis-timeline-graph2d"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/esm/index.js: -------------------------------------------------------------------------------- 1 | export * from "./vis-timeline-graph2d"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/esm/vis-timeline-graph2d.d.ts: -------------------------------------------------------------------------------- 1 | export * from "../../declarations/entry-esnext"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/esm/vis-timeline-graph2d.min.d.ts: -------------------------------------------------------------------------------- 1 | export * from 
"../../declarations/entry-esnext"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/index.d.ts: -------------------------------------------------------------------------------- 1 | export * from "./esm"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/index.js: -------------------------------------------------------------------------------- 1 | export * from "./esm"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/umd/index.d.ts: -------------------------------------------------------------------------------- 1 | export * from "./vis-timeline-graph2d"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/umd/index.js: -------------------------------------------------------------------------------- 1 | export * from "./vis-timeline-graph2d"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/umd/vis-timeline-graph2d.d.ts: -------------------------------------------------------------------------------- 1 | export * from "../../declarations/entry-esnext"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/dist/vis-timeline/standalone/umd/vis-timeline-graph2d.min.d.ts: -------------------------------------------------------------------------------- 1 | export * from "../../declarations/entry-esnext"; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/arrow01.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/arrow01.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/file.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/file_create_time.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/file_create_time.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/image_loaded.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/image_loaded.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/net.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/net.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/program.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/program.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/reg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/reg.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/reg_category.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/reg_category.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/rthread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/rthread.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/search_icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/search_icon.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/images/wmi.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/JPCERTCC/SysmonSearch/970a765fd8672f4060ff404d953acfa4e56f2ca8/sysmon_search_r/public/components/main/images/wmi.png -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/index.js: -------------------------------------------------------------------------------- 1 | export { Main } from './main'; 2 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/main.js: -------------------------------------------------------------------------------- 1 | import React from 'react'; 2 | 3 | import { 4 | BrowserRouter as Router, 5 | Switch, 6 | Route, 7 | Link, 8 | Redirect 9 | } from 'react-router-dom' 10 | 11 | import { SysmonSearchTabs } from './ss_tabs'; 12 | import { SysmonSummary } from './ss_summary'; 13 | import { SysmonStats } from './ss_stats'; 14 | import { SysmonProcess } from './ss_process'; 15 | import { SysmonProcessList } from './ss_processlist'; 16 | import { SysmonOverView } from './ss_overview'; 17 | import { SysmonDetail } from './ss_detail'; 18 | import { SysmonVisualize } from './ss_visualize'; 19 | 20 | export class Main extends React.Component { 21 | 22 | constructor(props) { 23 | super(props); 24 | this.state = {}; 25 | } 26 | 27 | render() { 28 | return ( 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | ); 42 | } 43 | 44 | } 45 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/network.css: -------------------------------------------------------------------------------- 1 | canvas { 2 | border: 1px solid lightgrey; 3 | } 4 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/pie_chart.js: -------------------------------------------------------------------------------- 1 | import * as d3 from './dist/d3.min'; 2 | 3 | function 
segColor(c) { 4 | var color = [ 5 | "#87CEFA", 6 | "#FFDEAD", 7 | "#7B68EE", 8 | "#8FBC8F", 9 | "#FF3366", 10 | "#33FFFF", 11 | "#666699", 12 | "#00FA9A", 13 | "#FF00FF", 14 | "#FFA500", 15 | //"#6B8E23", 16 | ]; 17 | var pointer = c % 10; 18 | return color[pointer]; 19 | } 20 | 21 | function pieChart(id, fData, legFlg, r) { 22 | 23 | function createChart(pD) { 24 | var pC = {}, 25 | pieDim = { 26 | w: r, 27 | h: r 28 | }; 29 | pieDim.r = Math.min(pieDim.w, pieDim.h) / 2; 30 | 31 | var piesvg = d3.select(id).append("svg") 32 | .attr("width", pieDim.w).attr("height", pieDim.h).append("g") 33 | .attr("transform", "translate(" + pieDim.w / 2 + "," + pieDim.h / 2 + ")"); 34 | 35 | var arc = d3.arc().outerRadius(pieDim.r - 10).innerRadius(0); 36 | 37 | var pie = d3.pie().sort(null).value(function(d) { 38 | return d.freq; 39 | }); 40 | 41 | piesvg.selectAll("path").data(pie(pD)).enter().append("path").attr("d", arc) 42 | .each(function(d) { 43 | this._current = d; 44 | }) 45 | .style("fill", function(d, i) { 46 | return segColor(i); 47 | }) 48 | 49 | return pC; 50 | } 51 | 52 | var keys = []; 53 | var keys = Object.keys(fData); 54 | 55 | var tF = keys.map(function(d) { 56 | return { 57 | type: d, 58 | freq: fData[d] 59 | }; 60 | }); 61 | 62 | //clear_graph(id); 63 | d3.select(id).selectAll("svg").remove(); 64 | d3.select(id).selectAll("table").remove(); 65 | 66 | var pC = createChart(tF); 67 | 68 | } 69 | 70 | module.exports = { 71 | pieChart:pieChart, 72 | segColor:segColor 73 | }; 74 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/react-graph-vis.js: -------------------------------------------------------------------------------- 1 | import React, { Component } from "react"; 2 | import defaultsDeep from "lodash/fp/defaultsDeep"; 3 | import isEqual from "lodash/isEqual"; 4 | import differenceWith from "lodash/differenceWith"; 5 | //import vis from "./dist/vis-network"; 6 | //import 
"./dist/vis-network.css"; 7 | import vis from "./dist/vis-network.min"; 8 | import "./dist/vis-network.min.css"; 9 | import uuid from "uuid"; 10 | import PropTypes from "prop-types"; 11 | 12 | class Graph extends Component { 13 | constructor(props) { 14 | super(props); 15 | const { identifier } = props; 16 | this.updateGraph = this.updateGraph.bind(this); 17 | this.state = { 18 | identifier: identifier !== undefined ? identifier : uuid.v4() 19 | }; 20 | this.container = React.createRef(); 21 | } 22 | 23 | componentDidMount() { 24 | this.edges = new vis.DataSet(); 25 | this.edges.add(this.props.graph.edges); 26 | this.nodes = new vis.DataSet(); 27 | this.nodes.add(this.props.graph.nodes); 28 | this.updateGraph(); 29 | } 30 | 31 | shouldComponentUpdate(nextProps, nextState) { 32 | let nodesChange = !isEqual(this.props.graph.nodes, nextProps.graph.nodes); 33 | let edgesChange = !isEqual(this.props.graph.edges, nextProps.graph.edges); 34 | let optionsChange = !isEqual(this.props.options, nextProps.options); 35 | let eventsChange = !isEqual(this.props.events, nextProps.events); 36 | 37 | if (nodesChange) { 38 | const idIsEqual = (n1, n2) => n1.id === n2.id; 39 | const nodesRemoved = differenceWith(this.props.graph.nodes, nextProps.graph.nodes, idIsEqual); 40 | const nodesAdded = differenceWith(nextProps.graph.nodes, this.props.graph.nodes, idIsEqual); 41 | const nodesChanged = differenceWith( 42 | differenceWith(nextProps.graph.nodes, this.props.graph.nodes, isEqual), 43 | nodesAdded 44 | ); 45 | this.patchNodes({ nodesRemoved, nodesAdded, nodesChanged }); 46 | } 47 | 48 | if (edgesChange) { 49 | const edgesRemoved = differenceWith(this.props.graph.edges, nextProps.graph.edges, isEqual); 50 | const edgesAdded = differenceWith(nextProps.graph.edges, this.props.graph.edges, isEqual); 51 | const edgesChanged = differenceWith( 52 | differenceWith(nextProps.graph.edges, this.props.graph.edges, isEqual), 53 | edgesAdded 54 | ); 55 | this.patchEdges({ edgesRemoved, edgesAdded, 
edgesChanged }); 56 | } 57 | 58 | if (optionsChange) { 59 | this.Network.setOptions(nextProps.options); 60 | } 61 | 62 | if (eventsChange) { 63 | let events = this.props.events || {}; 64 | for (let eventName of Object.keys(events)) this.Network.off(eventName, events[eventName]); 65 | 66 | events = nextProps.events || {}; 67 | for (let eventName of Object.keys(events)) this.Network.on(eventName, events[eventName]); 68 | } 69 | 70 | return false; 71 | } 72 | 73 | componentDidUpdate() { 74 | this.updateGraph(); 75 | } 76 | 77 | patchEdges({ edgesRemoved, edgesAdded, edgesChanged }) { 78 | this.edges.remove(edgesRemoved); 79 | this.edges.add(edgesAdded); 80 | this.edges.update(edgesChanged); 81 | } 82 | 83 | patchNodes({ nodesRemoved, nodesAdded, nodesChanged }) { 84 | this.nodes.remove(nodesRemoved); 85 | this.nodes.add(nodesAdded); 86 | this.nodes.update(nodesChanged); 87 | } 88 | 89 | updateGraph() { 90 | let defaultOptions = { 91 | physics: { 92 | stabilization: false 93 | }, 94 | autoResize: false, 95 | edges: { 96 | smooth: false, 97 | color: "#000000", 98 | width: 0.5, 99 | arrows: { 100 | to: { 101 | enabled: true, 102 | scaleFactor: 0.5 103 | } 104 | } 105 | } 106 | }; 107 | 108 | // merge user provied options with our default ones 109 | let options = defaultsDeep(defaultOptions, this.props.options); 110 | 111 | this.Network = new vis.Network( 112 | this.container.current, 113 | Object.assign({}, this.props.graph, { 114 | edges: this.edges, 115 | nodes: this.nodes 116 | }), 117 | options 118 | ); 119 | 120 | if (this.props.getNetwork) { 121 | this.props.getNetwork(this.Network); 122 | } 123 | 124 | if (this.props.getNodes) { 125 | this.props.getNodes(this.nodes); 126 | } 127 | 128 | if (this.props.getEdges) { 129 | this.props.getEdges(this.edges); 130 | } 131 | 132 | // Add user provied events to network 133 | let events = this.props.events || {}; 134 | for (let eventName of Object.keys(events)) { 135 | this.Network.on(eventName, events[eventName]); 136 | } 
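}

  render() {
    const { identifier } = this.state;
    const { style } = this.props;
    return React.createElement(
      "div",
      {
        id: identifier,
        ref: this.container,
        style
      },
      identifier
    );
  }
}

Graph.defaultProps = {
  graph: {},
  style: { width: "100%", height: "100%" }
};
Graph.propTypes = {
  graph: PropTypes.object,
  style: PropTypes.object,
  getNetwork: PropTypes.func,
  getNodes: PropTypes.func,
  getEdges: PropTypes.func,
};

export default Graph;
--------------------------------------------------------------------------------
/sysmon_search_r/public/components/main/search_rules.js:
--------------------------------------------------------------------------------
import chrome from 'ui/chrome';

/**
 * Return true when `key` is present in `keywords` with a usable value.
 *
 * Undefined and null are rejected, as is the literal string "undefined"
 * (NOTE(review): form values presumably arrive stringified, which is why
 * the string form is checked too — confirm with the caller).
 */
function is_key_exist(key, keywords) {
  if (!(key in keywords)) return false;
  const value = keywords[key];
  return value !== undefined && value !== null && value !== "undefined";
}

/**
 * Map a numeric option index to the search key name it represents.
 *
 * Returns '' for anything that is not an integer in the range 1..8, NaN
 * included. (A `=== Number.NaN` comparison can never be true, so NaN used
 * to fall through to `option_array[NaN]`, i.e. undefined.)
 */
function get_search_key_name(num) {
  const option_array = [
    '',
    'IpAddress',
    'Port',
    'HostName',
    'ProcessName',
    'FileName',
    'RegistryKey',
    'RegistryValue',
    'Hash'
  ];
  const num_obj = Number(num);
  if (!Number.isInteger(num_obj) || num_obj <= 0 || num_obj >= option_array.length) return '';
  return option_array[num_obj];
}

/**
 * Build an alert rule from the form values in `keywords` and POST it to the
 * plugin's save_alert_rules endpoint.
 *
 * `keywords` is an object holding `search_conjunction` (1 = AND, 2 = OR)
 * and paired `search_item_<n>` / `search_value_<n>` entries; each pair with
 * both halves present becomes one pattern. Pattern values are forwarded
 * exactly as given — validating them is the job of the server-side handler,
 * which is not part of this file.
 *
 * Reports the outcome to the user through alert(); returns nothing.
 */
function save_rules(keywords) {
  // Only a real object can be inspected with `key in`; null and primitives
  // used to reach that operator and throw a TypeError instead of reporting.
  if (keywords === null || typeof keywords !== "object") {
    alert("Invalid rule.");
    return;
  }

  const rules = { operator: '', patterns: [] };
  if (is_key_exist("search_conjunction", keywords)
    && (keywords.search_conjunction === 1 || keywords.search_conjunction === 2)) {
    rules.operator = (keywords.search_conjunction === 1) ? 'AND' : 'OR';
  }

  const search_key_prefix = "search_item_";
  const search_val_prefix = "search_value_";

  for (const keyname in keywords) {
    if (!keyname.startsWith(search_key_prefix) || !is_key_exist(keyname, keywords)) continue;
    const num = keyname.slice(search_key_prefix.length);
    const valname = search_val_prefix + num;
    if (is_key_exist(valname, keywords)) {
      rules.patterns.push({
        key: get_search_key_name(keywords[keyname]),
        value: keywords[valname]
      });
    }
  }

  console.log(rules);
  if (rules.patterns.length === 0) {
    alert("Pattern is empty.");
    return;
  }

  const api = chrome.addBasePath('/api/sysmon-search-plugin/save_alert_rules');
  fetch(api, {
    method: "POST",
    headers: {
      'kbn-xsrf': 'true',
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(rules)
  })
  .then((response) => response.json())
  .then((responseJson) => {
    console.log(JSON.stringify(responseJson));
    if (responseJson.result) alert(responseJson.result);
    else alert("Save failed. Please check console.");
  })
  // A network error or a non-JSON reply previously surfaced only as an
  // unhandled promise rejection; report it like any other failed save.
  .catch((error) => {
    console.error(error);
    alert("Save failed. Please check console.");
  });
}

module.exports = {
  saveRules: save_rules
};
--------------------------------------------------------------------------------
/sysmon_search_r/public/components/main/ss_detail.css:
--------------------------------------------------------------------------------
div.emphasis {
  background-color: rgba(255,155,155,0.9);
}

--------------------------------------------------------------------------------
/sysmon_search_r/public/components/main/ss_overview.js:
--------------------------------------------------------------------------------
import React, { Component } from 'react';
import chrome from 'ui/chrome'

import {
  EuiTitle,
  EuiPanel,
  EuiButton,
  EuiFlexGroup,
  EuiFlexItem,
  EuiFormRow,
  EuiFieldText,
  EuiSelect,
} from '@elastic/eui';

const qs = require('query-string');
import {GraphOverView} from './overview_network';

export class SysmonOverView extends Component {
  constructor(props){
    super(props);
    const params = qs.parse(this.props.location.search);
    // host/date/guid are taken straight from the page URL. Encode each one
    // as its own path segment so a value containing '/', '?' or '#' cannot
    // change which route the request is sent to.
    this.api = chrome.addBasePath("/api/sysmon-search-plugin/process_overview");
    this.api += "/" + encodeURIComponent(params.host);
    this.api += "/" + encodeURIComponent(params.date);
    this.api += "/" + encodeURIComponent(params.guid);
    this.state = {
      host: params.host,
      date: params.date,
      guid: params.guid,
      tops:[],
      keyword:null,
      hash:null,
      firstflg:true,
      graph:{},
      events:null,
      network:null,
      textarea:"",
      layout: "LR",
    };

    this.layouts =[
      {value:"LR", text:"Left to Right"},
      {value:"UD", text:"Up to Down"},
      {value:"default", text:"Default"},
    ]

    this.handleChange = this.handleChange.bind(this);
    this.handleChangeHash = this.handleChangeHash.bind(this);

  }

  // Keep the free-text filter in component state as the user types.
  handleChange (event) {
    this.setState({
      keyword: event.target.value
    });
  }
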
handleChangeHash (event) { 59 | this.setState({ 60 | hash: event.target.value 61 | }); 62 | } 63 | 64 | handleChangeLayout = event => { 65 | this.setState({ layout: event.target.value }); 66 | } 67 | 68 | componentDidMount(){ this.getProcess(); } 69 | 70 | clickSearch(){ this.getProcess(); } 71 | 72 | getProcess(){ 73 | fetch(this.api, { 74 | method:"GET", 75 | headers: { 76 | 'kbn-xsrf': 'true', 77 | 'Content-Type': 'application/json', 78 | }, 79 | }) 80 | .then((response) => response.json()) 81 | .then((responseJson) => { 82 | if(responseJson) this.setState({tops:responseJson}); 83 | console.log(JSON.stringify(responseJson)); 84 | }) 85 | .catch((error) =>{ 86 | console.error(error); 87 | }); 88 | } 89 | 90 | render() { 91 | //console.log(this.state) 92 | 93 | return ( 94 |
95 | 96 |

{this.state.guid} on {this.state.host}@{this.state.date}

97 |
98 | 99 | 100 | 101 | 102 | 107 | 108 | 109 | 110 | 111 | 112 | 115 | 116 | 117 | 118 | 119 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 135 | 136 |
137 | ) 138 | } 139 | }; 140 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/ss_stats.css: -------------------------------------------------------------------------------- 1 | .vis-timeline .vis-bar { 2 | fill-opacity: 1; 3 | } 4 | 5 | .visgroup0 { 6 | fill: #87CEFA; 7 | } 8 | 9 | .visgroup1 { 10 | fill: #FFDEAD; 11 | } 12 | 13 | .visgroup2 { 14 | fill: #7B68EE; 15 | } 16 | 17 | .visgroup3 { 18 | fill: #8FBC8F; 19 | } 20 | 21 | .visgroup4 { 22 | fill: #FF3366; 23 | } 24 | 25 | .visgroup5 { 26 | fill: #33FFFF; 27 | } 28 | 29 | .visgroup6 { 30 | fill: #666699; 31 | } 32 | 33 | .visgroup7 { 34 | fill: #00FA9A; 35 | } 36 | 37 | .visgroup8 { 38 | fill: #FF00FF; 39 | } 40 | 41 | .visgroup9 { 42 | fill: #FFA500; 43 | } 44 | 45 | .visgroup10 { 46 | fill: #6B8E23; 47 | } 48 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/ss_stats.js: -------------------------------------------------------------------------------- 1 | import React, {Component} from 'react'; 2 | import moment from 'moment'; 3 | import chrome from 'ui/chrome'; 4 | 5 | import { 6 | EuiTitle, 7 | EuiPanel, 8 | EuiLink, 9 | EuiSpacer, 10 | EuiButton, 11 | } from '@elastic/eui'; 12 | 13 | const qs = require('query-string'); 14 | import Timeline from './react-visjs-timeline' 15 | import './ss_stats.css' 16 | 17 | export class SysmonStats extends Component { 18 | constructor(props){ 19 | super(props); 20 | //const params = qs.parse(this.props.location.search); 21 | this.state = { 22 | //host: params.host, 23 | //date: params.date, 24 | host: this.props.host, 25 | date: this.props.date, 26 | items:[], 27 | options:{}, 28 | groups:[], 29 | category:[] 30 | }; 31 | this.top = chrome.addBasePath('/app/sysmon_search_r'); 32 | this.summary = this.top + "/visualize&type=summary&date=" + this.props.date + "&host=" + this.props.host; 33 | this.process = this.top + 
"/visualize&type=process&date=" + this.props.date + "&host=" + this.props.host; 34 | 35 | } 36 | 37 | componentDidMount(){ 38 | const api = chrome.addBasePath('/api/sysmon-search-plugin/events'); 39 | fetch(api, { 40 | method:"POST", 41 | headers: { 42 | 'kbn-xsrf': 'true', 43 | 'Content-Type': 'application/json', 44 | }, 45 | body:JSON.stringify({ 46 | hostname: this.state.host, 47 | period: { 48 | "gte": moment(this.state.date).add(-1, 'M'), 49 | "lte": moment(this.state.date).add(1, 'M'), 50 | } 51 | }) 52 | }) 53 | .then((response) => response.json()) 54 | .then((responseJson) => { 55 | console.log(JSON.stringify(responseJson)); 56 | var items = responseJson["items"]; 57 | var category = responseJson["groups"]; 58 | var groups = []; 59 | for (let index in category){ 60 | groups.push({ 61 | id: index, 62 | content: category[index], 63 | className: "visgroup" + index 64 | }) 65 | } 66 | var options = { 67 | style: 'bar', 68 | stack: true, 69 | barChart: { 70 | width: 40, 71 | align: 'center', 72 | }, // align: left, center, right 73 | drawPoints: false, 74 | dataAxis: {icons: false}, 75 | legend: {enabled:true}, 76 | start: moment(this.state.date).add(-1, 'M'), 77 | end: moment(this.state.date).add(1, 'M'), 78 | orientation: 'top', 79 | sort:true, 80 | zoomable: true 81 | }; 82 | 83 | this.setState({ 84 | items:items, 85 | options:options, 86 | groups:groups, 87 | category:category, 88 | }); 89 | }) 90 | .catch((error) =>{ 91 | console.error(error); 92 | }); 93 | } 94 | 95 | render() { 96 | //console.log(this.state) 97 | return ( 98 |
99 | 100 |

Host Statistics: {this.state.host}

101 |
102 | 103 | 104 | 105 | 112 | 113 | 114 |
115 | ) 116 | } 117 | 118 | }; 119 | 120 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/ss_summary.js: -------------------------------------------------------------------------------- 1 | import React, {Component, Fragment} from 'react'; 2 | import chrome from 'ui/chrome'; 3 | 4 | import { 5 | EuiLink, 6 | EuiTitle, 7 | EuiText, 8 | EuiFlexGroup, 9 | EuiFlexItem, 10 | EuiPanel, 11 | EuiSpacer, 12 | EuiButton, 13 | } from '@elastic/eui'; 14 | 15 | const qs = require('query-string'); 16 | import {pieChart, segColor} from './pie_chart'; 17 | import {SysmonProcessList} from './ss_processlist'; 18 | 19 | export class SysmonSummary extends Component { 20 | constructor(props){ 21 | super(props); 22 | /* 23 | const params = qs.parse(this.props.location.search) 24 | const host = this.props.host?this.props.host:params.host; 25 | const date = this.props.date?this.props.date:params.date; 26 | */ 27 | this.state = { 28 | host: this.props.host, 29 | date: this.props.date, 30 | items:[], 31 | total:0, 32 | category:this.props.category, 33 | processList:null, 34 | }; 35 | this.chartRef = React.createRef(); 36 | this.top = chrome.addBasePath('/app/sysmon_search_r'); 37 | this.stats = this.top + "/visualize&type=stats&date=" + this.props.date + "&host=" + this.props.host; 38 | this.process = this.top + "/visualize&type=process&date=" + this.props.date + "&host=" + this.props.host; 39 | 40 | this.setCategory = this.setCategory.bind(this); 41 | //this.summaryLegend = this.summaryLegend.bind(this); 42 | 43 | } 44 | 45 | componentDidMount(){ 46 | const api = chrome.addBasePath('/api/sysmon-search-plugin/events'); 47 | fetch(api, { 48 | method:"POST", 49 | headers: { 50 | 'kbn-xsrf': 'true', 51 | 'Content-Type': 'application/json', 52 | }, 53 | body:JSON.stringify({ 54 | hostname: this.state.host, 55 | period: this.state.date, 56 | }) 57 | }) 58 | .then((response) => response.json()) 59 | .then((responseJson) => 
{ 60 | console.log(JSON.stringify(responseJson)); 61 | var item = responseJson["count"]; 62 | var freqData = item; 63 | pieChart(this.chartRef, freqData, false, 300); 64 | var items = []; 65 | var total = 0; 66 | for (let [key, value] of Object.entries(item)) { 67 | items.push({ 68 | "type":key, 69 | "value":value, 70 | }); 71 | total+=value; 72 | } 73 | this.setState({ 74 | items:items, 75 | total:total, 76 | }); 77 | }) 78 | .catch((error) =>{ 79 | console.error(error); 80 | }); 81 | } 82 | 83 | setCategory(category){ 84 | const processList = ( 85 | 90 | ) 91 | this.setState({ 92 | category:category, 93 | processList: processList, 94 | }); 95 | } 96 | 97 | summaryLegend = (items, total, host, date) => { 98 | const setCategory = this.setCategory; 99 | return items.map(function(item, i){ 100 | if (item.value<=0) return; 101 | let percentage = item.value / total * 100; 102 | let style= { 103 | width: "16px", 104 | height: "16px", 105 | float: "left", 106 | marginRight: "10px", 107 | background: item.value > 0?segColor(i):"" 108 | }; 109 | let processlist = "process_list?"; 110 | processlist += "host=" + host; 111 | processlist += "&date=" + date; 112 | processlist += "&category=" + item.type; 113 | return( 114 | 115 | 116 |
117 |
118 | setCategory(item.type)}>{item.type} 119 | 120 | {item.value} 121 | {percentage.toFixed(2)}% 122 | 123 | ); 124 | }); 125 | } 126 | 127 | render() { 128 | console.log(this.state); 129 | 130 | return ( 131 | 132 |
133 | 134 | 135 |

Event Summary: {this.state.host}@{this.state.date}

136 |
137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 |
this.chartRef = cr}>
146 |
147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | {this.summaryLegend( 157 | this.state.items, 158 | this.state.total, 159 | this.state.host, 160 | this.state.date, 161 | )} 162 | 163 | 164 | 165 | 166 | 167 |
TypeCountPercentage
Total{this.state.total}
168 |
169 |
170 | 171 |
172 | 173 |
174 | 175 | {this.state.processList} 176 | 177 |
178 | ) 179 | } 180 | }; 181 | 182 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/ss_tabs.js: -------------------------------------------------------------------------------- 1 | import React, { Component, Fragment } from 'react'; 2 | 3 | import { 4 | EuiTabbedContent, 5 | EuiTitle, 6 | EuiText, 7 | EuiSpacer, 8 | } from '@elastic/eui'; 9 | 10 | import { SysmonEvents } from "./ss_events"; 11 | import { SysmonSearch } from "./ss_search"; 12 | import { SysmonAlert } from "./ss_alert"; 13 | 14 | export class SysmonSearchTabs extends Component { 15 | constructor(props) { 16 | super(props); 17 | 18 | this.tabs = [ 19 | { 20 | id: 'events', 21 | name: 'Events', 22 | content: ( 23 | 24 | ), 25 | }, 26 | { 27 | id: 'search', 28 | name: 'Search', 29 | content: ( 30 | 31 | ), 32 | }, 33 | { 34 | id: 'alert', 35 | name: 'Alert', 36 | content: ( 37 | 38 | ), 39 | }, 40 | ]; 41 | } 42 | 43 | render() { 44 | return ( 45 |
46 | 47 | 51 | 52 |
53 | ); 54 | } 55 | } 56 | 57 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/ss_utils.js: -------------------------------------------------------------------------------- 1 | function splitByLength(str, length) { 2 | var resultArr = []; 3 | if (!str || !length || length < 1) return resultArr; 4 | var index = 0; 5 | var start = index; 6 | var end = start + length; 7 | while (start < str.length) { 8 | resultArr[index] = str.substring(start, end); 9 | index++; 10 | start = end; 11 | end = start + length; 12 | } 13 | return resultArr; 14 | } 15 | 16 | function local_search(data, keyword) { 17 | for (var key in data) { 18 | if (Array.isArray(data[key])) { 19 | if (local_search(data[key], keyword)) { 20 | return true; 21 | } 22 | } else if (data[key] instanceof Object) { 23 | if (local_search(data[key], keyword)) { 24 | return true; 25 | } 26 | } else { 27 | if (String(data[key]).indexOf(keyword) != -1) { 28 | return true; 29 | } 30 | } 31 | } 32 | return false; 33 | } 34 | 35 | //export default function search(data, keyword, hash) { 36 | function search(data, keyword, hash) { 37 | var flg1 = 1; 38 | var flg2 = 1; 39 | if (keyword != null && keyword !== "") { 40 | if (local_search(data, keyword)) { 41 | flg1 = 2; 42 | } 43 | } else { 44 | flg1 = 3; 45 | } 46 | 47 | if (hash != null && hash !== "") { 48 | if (data["Hashes"] != null) { 49 | if (data["Hashes"].indexOf(hash) != -1) { 50 | flg2 = 2; 51 | } 52 | } 53 | } else { 54 | flg2 = 3; 55 | } 56 | 57 | if ((flg1 == 2 && flg2 == 2) || (flg1 == 2 && flg2 == 3) || (flg1 == 3 && flg2 == 2)) { 58 | return true; 59 | } else { 60 | return false; 61 | } 62 | } 63 | 64 | module.exports = { 65 | search: search, 66 | local_search: local_search, 67 | splitByLength: splitByLength 68 | } 69 | 70 | -------------------------------------------------------------------------------- /sysmon_search_r/public/components/main/ss_visualize.js: 
-------------------------------------------------------------------------------- 1 | import React, { Component, Fragment } from 'react'; 2 | 3 | import { 4 | EuiTabbedContent, 5 | } from '@elastic/eui'; 6 | 7 | import { SysmonSummary } from "./ss_summary"; 8 | import { SysmonStats } from "./ss_stats"; 9 | import { SysmonProcess } from "./ss_process"; 10 | import { SysmonSearchTabs } from "./ss_tabs"; 11 | 12 | const qs = require('query-string'); 13 | 14 | export class SysmonVisualize extends Component { 15 | constructor(props) { 16 | super(props); 17 | const params = qs.parse(this.props.location.search); 18 | this.tabIndex = 1; 19 | if (params.type==="stats")this.tabIndex = 2; 20 | else if (params.type==="process")this.tabIndex = 3; 21 | this.state = { 22 | host: params.host, 23 | date: params.date, 24 | type: params.type, 25 | } 26 | 27 | this.tabs = [ 28 | { 29 | id: 'top', 30 | name: 'Top', 31 | content: ( 32 | 33 | ), 34 | }, 35 | { 36 | id: 'summary', 37 | name: 'Summary', 38 | content: ( 39 | 40 | ), 41 | }, 42 | { 43 | id: 'stats', 44 | name: 'Stats', 45 | content: ( 46 | 47 | ), 48 | }, 49 | { 50 | id: 'process', 51 | name: 'Process', 52 | content: ( 53 | 54 | ), 55 | }, 56 | ]; 57 | } 58 | 59 | render() { 60 | return ( 61 | 65 | ); 66 | } 67 | } 68 | 69 | -------------------------------------------------------------------------------- /sysmon_search_r/winlogbeat.yml: -------------------------------------------------------------------------------- 1 | title: Elastic Winlogbeat (from 7.x) index pattern and field mapping 2 | order: 20 3 | backends: 4 | - es-qs 5 | - es-dsl 6 | - kibana 7 | - xpack-watcher 8 | - elastalert 9 | - elastalert-dsl 10 | logsources: 11 | windows: 12 | product: windows 13 | index: winlogbeat-* 14 | windows-application: 15 | product: windows 16 | service: application 17 | conditions: 18 | winlog.channel: Application 19 | windows-security: 20 | product: windows 21 | service: security 22 | conditions: 23 | winlog.channel: Security 24 | 
windows-sysmon: 25 | product: windows 26 | service: sysmon 27 | conditions: 28 | winlog.channel: 'Microsoft-Windows-Sysmon/Operational' 29 | windows-dns-server: 30 | product: windows 31 | service: dns-server 32 | conditions: 33 | winlog.channel: 'DNS Server' 34 | windows-driver-framework: 35 | product: windows 36 | service: driver-framework 37 | conditions: 38 | winlog.provider_name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' 39 | windows-dhcp: 40 | product: windows 41 | service: dhcp 42 | conditions: 43 | winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational' 44 | defaultindex: winlogbeat-* 45 | # Extract all field names qith yq: 46 | # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' 47 | # Keep EventID! Clean up the list afterwards! 48 | fieldmappings: 49 | EventID: winlog.event_id 50 | EventData: winlog.event_data 51 | RecordID: winlog.record_id 52 | AccessMask: winlog.event_data.AccessMask 53 | AccountName: winlog.event_data.AccountName 54 | AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo 55 | AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName 56 | AuditPolicyChanges: winlog.event_data.AuditPolicyChanges 57 | AuthenticationPackageName: winlog.event_data.AuthenticationPackageName 58 | CallingProcessName: winlog.event_data.CallingProcessName 59 | CallTrace: winlog.event_data.CallTrace 60 | CommandLine: winlog.event_data.CommandLine 61 | ComputerName: winlog.computer_name 62 | CurrentDirectory: winlog.event_data.CurrentDirectory 63 | Description: winlog.event_data.Description 64 | DestinationHostname: winlog.event_data.DestinationHostname 65 | DestinationIp: winlog.event_data.DestinationIp 66 | DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 67 | DestinationPort: winlog.event_data.DestinationPort 68 | Details: winlog.event_data.Details 69 | EngineVersion: 
winlog.event_data.EngineVersion 70 | EventType: winlog.event_data.EventType 71 | FailureCode: winlog.event_data.FailureCode 72 | FileName: winlog.event_data.FileName 73 | GrantedAccess: winlog.event_data.GrantedAccess 74 | GroupName: winlog.event_data.GroupName 75 | GroupSid: winlog.event_data.GroupSid 76 | Hashes: winlog.event_data.Hashes 77 | HiveName: winlog.event_data.HiveName 78 | HostVersion: winlog.event_data.HostVersion 79 | Image: winlog.event_data.Image 80 | ImageLoaded: winlog.event_data.ImageLoaded 81 | ImagePath: winlog.event_data.ImagePath 82 | Imphash: winlog.event_data.Imphash 83 | IpAddress: winlog.event_data.IpAddress 84 | KeyLength: winlog.event_data.KeyLength 85 | LogonProcessName: winlog.event_data.LogonProcessName 86 | LogonType: winlog.event_data.LogonType 87 | NewProcessName: winlog.event_data.NewProcessName 88 | ObjectClass: winlog.event_data.ObjectClass 89 | ObjectName: winlog.event_data.ObjectName 90 | ObjectType: winlog.event_data.ObjectType 91 | ObjectValueName: winlog.event_data.ObjectValueName 92 | ParentCommandLine: winlog.event_data.ParentCommandLine 93 | ParentProcessGuid: winlog.event_data.ParentProcessGuid 94 | ParentProcessName: winlog.event_data.ParentProcessName 95 | ParentImage: winlog.event_data.ParentImage 96 | Path: winlog.event_data.Path 97 | PipeName: winlog.event_data.PipeName 98 | ProcessCommandLine: winlog.event_data.ProcessCommandLine 99 | ProcessGuid: winlog.event_data.ProcessGuid 100 | ProcessName: winlog.event_data.ProcessName 101 | Protocol: winlog.event_data.Protocol 102 | Properties: winlog.event_data.Properties 103 | QueryName: winlog.event_data.QueryName 104 | QueryStatus: winlog.event_data.QueryStatus 105 | QueryResults: winlog.event_data.QueryResults 106 | SecurityID: winlog.event_data.SecurityID 107 | ServiceFileName: winlog.event_data.ServiceFileName 108 | ServiceName: winlog.event_data.ServiceName 109 | ShareName: winlog.event_data.ShareName 110 | Signature: winlog.event_data.Signature 111 | Source: 
winlog.event_data.Source 112 | SourceHostname: winlog.event_data.SourceHostname 113 | SourceImage: winlog.event_data.SourceImage 114 | SourceIp: winlog.event_data.SourceIp 115 | SourceIsIpv6: winlog.event_data.SourceIsIpv6 116 | SourceProcessGuid: winlog.event_data.SourceProcessGuid 117 | StartAddress: winlog.event_data.StartAddress 118 | StartModule: winlog.event_data.StartModule 119 | Status: winlog.event_data.Status 120 | SubjectUserName: winlog.event_data.SubjectUserName 121 | SubjectUserSid: winlog.event_data.SubjectUserSid 122 | TargetFilename: winlog.event_data.TargetFilename 123 | TargetImage: winlog.event_data.TargetImage 124 | TargetObject: winlog.event_data.TargetObject 125 | TicketEncryptionType: winlog.event_data.TicketEncryptionType 126 | TicketOptions: winlog.event_data.TicketOptions 127 | User: winlog.event_data.User 128 | UtcTime: winlog.event_data.UtcTime 129 | WorkstationName: winlog.event_data.WorkstationName 130 | --------------------------------------------------------------------------------