Ecosyste.ms: Awesome

https://github.com/jpcertcc/sysmonsearch

Investigate suspicious activity by visualizing Sysmon's event log

elasticsearch kibana security stix stix2 sysmon

# SysmonSearch

SysmonSearch makes event log analysis more effective and less time-consuming by aggregating the event logs generated by Microsoft's Sysmon.

![SysmonSearch system](images/SysmonSearch.png)

## System Overview
SysmonSearch uses Elasticsearch and Kibana (with a Kibana plugin).
* **Elasticsearch**
  Elasticsearch collects and stores Sysmon's event logs.
* **Kibana**
  Kibana provides the user interface for analysing Sysmon's event logs. The following functions are implemented as a Kibana plugin.
  * Visualize Function
    Visualizes Sysmon's event logs to illustrate the correlation between processes and network connections.
  * Statistical Function
    Collects statistics per device or per Sysmon event ID.
  * Monitor Function
    Monitors incoming logs against the preconfigured rules and triggers alerts when a rule matches.
* **StixIoC server**
  You can add search/monitor conditions by uploading STIX/IOC files. From the StixIoC server Web UI, you can upload files in STIXv1, STIXv2 and OpenIOC format.

## Use SysmonSearch
To try SysmonSearch, you can either 1) install the software in your own Linux environment following the instructions below, or 2) use the Docker image:
1. [Install to your own linux box](https://github.com/JPCERTCC/SysmonSearch/wiki/Install)
2. [Use docker image](https://github.com/JPCERTCC/SysmonSearch/wiki/Setup-with-Docker)

## Documentation
For details, please check [the SysmonSearch wiki](https://github.com/JPCERTCC/SysmonSearch/wiki).