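├── README.md
├── Sysmon-AllVersions_Parser.txt
└── generate-parser.ps1

/README.md:
--------------------------------------------------------------------------------
# sysmon-parser
Automatically generated Sysmon parser for Azure Sentinel

Sysmon-AllVersions_Parser.txt can be loaded as a function in Azure Sentinel to parse all your events.

There is an Azure DevOps pipeline that runs daily: it installs the latest Sysmon version, extracts the schema and populates the parser with all unique fields.

The PowerShell script can also be run locally on a box which has Sysmon installed.
--------------------------------------------------------------------------------

/Sysmon-AllVersions_Parser.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/olafhartong/sysmon-parser/90e51021b9af50816225a0c859adfa186fd69eeb/Sysmon-AllVersions_Parser.txt
--------------------------------------------------------------------------------

/generate-parser.ps1:
--------------------------------------------------------------------------------
# generate-parser.ps1
#
# Builds Sysmon-AllVersions_Parser.txt, a KQL query body that can be saved as
# a function in Azure Sentinel, from the event schema reported by the Sysmon
# binary on PATH (`Sysmon.exe -nologo -s`). Run it on a box with Sysmon
# installed; the output file is written to the current directory.

# Sysmon.exe missing from PATH or an unparseable schema are non-terminating
# errors by default, which would let the script continue and overwrite the
# parser with one that silently lacks every Sysmon column. Stop instead.
$ErrorActionPreference = 'Stop'

# NOTE(review): Sysmon.exe is resolved through PATH. The pipeline step that
# installs it should pin the download source and verify the binary before this
# runs, since whatever answers to Sysmon.exe here shapes the generated parser.
[xml]$schema = Sysmon.exe -nologo -s
if (-not $schema.manifest.events.event.data) {
    throw 'Sysmon.exe -nologo -s returned no event schema; is Sysmon installed and on PATH?'
}

# Unique data-field names across all event types in the schema.
# Select-Object -Unique is case-sensitive on purpose: the "Fix for wrong
# casing" at the end of the query expects both SourceProcessGUID and
# SourceProcessGuid (and the Target* pair) to survive this step.
$sysmonColumnList = $schema.manifest.events.event.data |
    Select-Object -Property name -Unique |
    ForEach-Object { $_.name }

# Fixed format so the header does not depend on the locale of the machine
# (or pipeline agent) that regenerates the file.
$date = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')

# Columns the Sentinel Event table provides natively; they are carried through
# the pivot below and must be re-extended alongside the Sysmon fields.
$nativeColumnList = @(
    'TimeGenerated', 'Source', 'EventLog', 'Computer', 'EventLevel', 'EventLevelName',
    'EventID', 'UserName', 'RenderedDescription', 'MG', 'ManagementGroupName', '_ResourceId'
)

$header = @"
// KQL Sysmon Event Parser
// Last Updated Date: $date
"@

$querybase = @'

// Sysmon Version: Applicable to all versions
Event
| where Source == "Microsoft-Windows-Sysmon"
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = tostring(column_ifexists('#text', ""))
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)
'@

# One column_ifexists() per column so the function still evaluates when a
# field is absent from the data (e.g. an event type that never occurred).
# The combined list is de-duplicated because a duplicate name in a single
# `extend` would make the whole function fail to compile.
$columnList = @(($nativeColumnList + $sysmonColumnList) | Select-Object -Unique)
$extendClauses = foreach ($column in $columnList) {
    "$column = column_ifexists(`"$column`", `"`")"
}
$extend = "`n| extend " + ($extendClauses -join ', ')

$tail = @'

// Fix for wrong casing in EventID10
| extend SourceProcessGuid=iff(isnotempty(SourceProcessGUID),SourceProcessGUID,SourceProcessGuid), TargetProcessGuid=iff(isnotempty(TargetProcessGUID),TargetProcessGUID,TargetProcessGuid)
| project-away SourceProcessGUID, TargetProcessGUID
// end fix
| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
| parse Hashes with * 'SHA1=' SHA1 ',' * 'MD5=' MD5 ',' * 'SHA256=' SHA256 ',' * 'IMPHASH=' IMPHASH
'@

$parser = $header + $querybase + $extend + $tail

# Out-File defaults to UTF-16 on Windows PowerShell 5.1; force UTF-8 so the
# committed artifact diffs cleanly and pastes into Sentinel unchanged.
# The path is relative to the current directory, as before.
$parser | Out-File -FilePath 'Sysmon-AllVersions_Parser.txt' -Encoding utf8
--------------------------------------------------------------------------------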