JPCERT/CC

JPCERT/CC

SysmonSearch v2.0 Released

SysmonSearch is a tool developed by JPCERT/CC to analyse event logs generated on Sysmon (a Microsoft tool).

https://github.com/JPCERTCC/SysmonSearch

SysmonSearch is now compatible with Elastic Stack 7.x. Please note that the new version no longer supports Elastic Stack 6.x versions.

This article introduces the new version of SysmonSearch, changes from the previous versions and new functions.

Elastic Stack updates

Kibana

There was a change in Kibana plug-in due to the updates in Hapi framework in Elastic Stack 6.6 [1]. To align with this change, SysmonSearch plug-in script has been modified and divided into sections depending on the functions.

Winlogbeat

Elastic Stack version 7.0 introduced Elastic Common Schema for field names, which was a big change from version 6.x [2]. We changed the field names in SysmonSearch with reference to the configuration files for Sigma (a tool to generate SIEM search queries) that lists Winlogbeat field names [3].

In addition, Winlogbeat version 7.2.0 and onwards are compatible with EVTX file reading [4], which allows Elasticsearch to index existing event log file.

Sysmon event

Event ID 22 (DNS query) was added in Sysmon version 10.0, and this has also been added to SysmonSearch plug-in graphs and lists. Figure 1 shows a screen of DNS query event list. Sysmon Event ID 3 (Network Connection) records destination IP addresses. However, if a proxy server is configured in the environment, that proxy server IP address is recorded as a destination. This makes it difficult to identify the actual destination IP address. With this update, SysmonSearch now displays the resolved domain name, which helps tracking down to actual destination even in a proxy server environment.

Figure 1: DNS Query event
Figure 1: DNS Query event

React based plug-in

The client script of SysmonSearch plug-in is written in Angular JS. Considering the end of support for AngularJS 1.7.x (the last version) in June 2021 [5], SysmonSearch R plug-in written in React has been added in this release. SysmonSearch R can be installed on Kibana together with SysmonSearch plug-in. Figure 2 shows the parent-child processes on SysmonSearch R.

Figure 2: SysmonSearch R plug-in
Figure 2: SysmonSearch R plug-in

In closing

For instruction on how to install and use SysmonSearch, please refer to Wiki [6] on the GitHub repository. For any feedback, requests and reports, feel free to create a new issue on GitHub.

- Hiroshi Soeda
(Translated by Yukako Uchida)

Reference

[1] Elastic Blog - Kibana Plugin API Changes in 6.6
https://www.elastic.co/jp/blog/kibana-plugin-api-changes-in-6-6

[2] Elastic Blog - Migrating to Elastic Common Schema (ECS) in Beats environments
https://www.elastic.co/blog/migrating-to-elastic-common-schema-in-beats-environments

[3] GitHub - Neo23x0 /sigma
https://github.com/Neo23x0/sigma/blob/master/tools/config/winlogbeat.yml

[4] Elastic - Not sure how to read from .evtx files
https://www.elastic.co/guide/en/beats/winlogbeat/current/reading-from-evtx.html

[5] Angular Blog - Stable AngularJS and Long Term Support
https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c

[6] GitHub – SysmonSearch Wiki
https://github.com/JPCERTCC/SysmonSearch/wiki

Author

JPCERT/CC

JPCERT/CC

Please use the below contact form for any inquiries about the article.

Back
Top
Next