Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jurelou/epagneul
Graph Visualization for windows event logs
blueteam dfir-automation evtx forensics forensics-tools hunting security security-tools threat-hunting
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/jurelou/epagneul
- Owner: jurelou
- Created: 2021-12-30T15:15:06.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2022-11-20T18:21:10.000Z (about 2 years ago)
- Last Synced: 2024-08-05T17:44:10.271Z (4 months ago)
- Topics: blueteam, dfir-automation, evtx, forensics, forensics-tools, hunting, security, security-tools, threat-hunting
- Language: Python
- Homepage:
- Size: 51.4 MB
- Stars: 228
- Watchers: 9
- Forks: 33
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
Awesome Lists containing this project
- awesome-hacking-lists - jurelou/epagneul - Graph Visualization for windows event logs (Python)
README
epagneul
Epagneul is a tool to visualize and investigate Windows event logs.
![layout](https://github.com/jurelou/epagneul/blob/master/images/layout.png?raw=true)
## Deployment
Requires docker and docker-compose to be installed.
### Installing
```
make
```

## Offline deployment
On a machine connected to the internet, build an offline release:
```
make release
```
This will create a `release` folder containing ready-to-go docker images.
Copy the project to your air-gapped machine, then run:

```
make load
make
```

This will install:
- epagneul web UI (port 8080)
- epagneul backend (port 8000)
- neo4j (port 7474)

## todos
- [x] Better SID correlations
- [x] Add edge tips
- [x] Label propagation algorithm
- [x] PageRank
- [x] Add missing event IDs (Sysmon)
- [x] Proper conversion of known SIDs / security principals, ...
- [ ] Hidden Markov chains
- [ ] Display a timeline of logons / at least a summary graph
- [ ] Check out: https://github.com/ahmedkhlief/APT-Hunter
- [ ] Import data from ELK / Splunk
- [ ] Detect communities using Louvain
- [ ] Document evtx filtering method using filter `3,4648,4624,4625,4672,4768,4769,4771,4776,4728,4732,4756`

## Known bugs
- The `count` value on edges does not update based on the selected timeline
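The todo list above names the event-ID filter epagneul is meant to document, and the known bug concerns edge counts that do not follow the selected timeline. The following is an added example, not code from epagneul or its author: it applies that event-ID filter to Windows EventLog XML records and folds the logon events into a counted edge list whose counts are recomputed for a chosen time window. It assumes the records have already been converted from `.evtx` to the XML form of the EventLog format (the `omerbenamram/evtx` parser the project builds on can emit that); the sample records, host names and addresses are constructed, and the edge model (source address to target user) is a deliberately minimal one, not the project's graph schema.

```python
"""Filter EventLog XML records by event ID and count logon edges per time window.

Added example (not epagneul's own code). Assumes records are already in the
Windows EventLog XML form; the sample records below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs taken from the README's filter string: Sysmon 3 (network connection)
# plus Security-log logon, Kerberos, NTLM and group-membership events.
KEEP_IDS = {3, 4648, 4624, 4625, 4672, 4768, 4769, 4771, 4776, 4728, 4732, 4756}


def _parse_time(stamp):
    """Parse TimeCreated/@SystemTime. It is UTC with up to 7 fractional digits,
    one more than strptime's %f accepts, so the fraction is handled by hand."""
    main, _, frac = stamp.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


def parse_record(xml_text):
    """Flatten one EventLog XML record into {id, computer, time, data}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "data": {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)},
    }


def filter_records(xml_records, keep=KEEP_IDS):
    """Keep only records whose EventID is in the filter list."""
    return [r for r in map(parse_record, xml_records) if r["id"] in keep]


def logon_edges(records, start=None, end=None):
    """Fold logon events into {(source_ip, target_user, event_id): count}.

    start/end (aware datetimes) bound the timeline window; counts are computed
    for that window only, not carried over from the full record set.
    Only 4624/4625/4648 produce edges in this minimal model; the other kept
    IDs pass the filter but are ignored here.
    """
    edges = Counter()
    for r in records:
        if start is not None and r["time"] < start:
            continue
        if end is not None and r["time"] > end:
            continue
        if r["id"] in (4624, 4625, 4648):
            d = r["data"]
            src = d.get("IpAddress") or d.get("WorkstationName") or r["computer"]
            edges[(src, d.get("TargetUserName", "?"), r["id"])] += 1
    return edges


def _rec(event_id, time, computer, **data):
    """Build a constructed EventLog XML record (sample input, not real log data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
        f"<EventData>{fields}</EventData></Event>"
    )


# Constructed sample: two successful logons for alice from one address, one
# failed logon for bob, a privilege assignment, and a logoff outside the filter.
SAMPLE_RECORDS = [
    _rec(4624, "2022-01-10T09:00:00.1234567Z", "DC01", TargetUserName="alice", LogonType="3", IpAddress="10.0.0.5"),
    _rec(4672, "2022-01-10T09:00:01.0000000Z", "DC01", SubjectUserName="alice"),
    _rec(4625, "2022-01-10T09:30:00.0000000Z", "DC01", TargetUserName="bob", LogonType="3", IpAddress="10.0.0.9"),
    _rec(4634, "2022-01-10T09:45:00.0000000Z", "DC01", TargetUserName="alice"),  # logoff: not in KEEP_IDS
    _rec(4624, "2022-01-10T14:00:00.0000000Z", "DC01", TargetUserName="alice", LogonType="3", IpAddress="10.0.0.5"),
]


if __name__ == "__main__":
    kept = filter_records(SAMPLE_RECORDS)
    noon = datetime(2022, 1, 10, 12, tzinfo=timezone.utc)
    for (src, user, eid), n in sorted(logon_edges(kept).items()):
        print(f"{src} -> {user} (event {eid}): {n} over the full log")
    for (src, user, eid), n in sorted(logon_edges(kept, end=noon).items()):
        print(f"{src} -> {user} (event {eid}): {n} before noon")
```

Running the block prints the alice edge with a count of 2 over the full log and 1 when the window ends at noon, which is the recomputation the known-bug entry says the UI edge counts currently lack. The filter keeps 4672 and the other IDs from the list as well; a fuller model would turn Kerberos (4768/4769/4771), NTLM (4776) and group-change (4728/4732/4756) events into their own edge types.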
## References
- https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
- https://github.com/JPCERTCC/LogonTracer

## Built With
* [Vue.js](https://v3.vuejs.org/) - The web framework used
* [Cytoscape.js](https://js.cytoscape.org/) - Library used for graph visualisation and analysis
* [d3](https://d3js.org/) - Used to display the timeline
* [neo4j](https://neo4j.com/) - Backend database
* [evtx](https://github.com/omerbenamram/evtx) - Parser for the windows XML EventLog format

## Authors
* **jurelou** - *Initial work* - [jurelou](https://github.com/jurelou)