Visualizing Windows logs with neo4j

Source: Internet
Author: User
Tags: neo4j

Lead: Most of the time logs are shown as rows of data, and sometimes I look at a chart. When I saw the BloodHound project, my own way of displaying them felt dated. I wanted the same kind of visual presentation.

Introduction

I spend a lot of time looking at logs in my SIEM. Most of the time they are shown as rows of data, and sometimes I look at a chart. When I saw the BloodHound project, my own way of displaying them felt dated, and I wanted the same kind of visual presentation.

In this article, I want to show you how to visualize some Sysmon logs using neo4j.

Getting started

A quick Google search turned up this post, from which I learned the basics. The first step is to grab the free Community Edition of neo4j, which can be found here.

After the installation is complete, you should be able to browse to http://127.0.0.1:7474/browser/ to access the neo4j database. The default user/password is neo4j/neo4j, and you are asked to change the password when you first sign in.

The second step is to install Sysmon with the configuration file I introduced in my previous Sysmon article.

Prepare the Log

Now that Sysmon and neo4j are configured, we need to convert the logs into a format that can be imported into neo4j. I use the following PowerShell script:

This script writes a CSV file with one row per Sysmon network-connection event (Event ID 3). It relies on the Get-WinEventData function (from Get-WinEventData.ps1), which flattens each event's EventData XML into EventData* properties such as EventDataSourceIp.

```powershell
# Get-WinEventData.ps1 provides Get-WinEventData, which exposes the Sysmon
# EventData fields (SourceIp, DestinationIp, DestinationPort, Image) as
# EventDataSourceIp, EventDataDestinationIp, EventDataDestinationPort, EventDataImage
Import-Module C:\Users\anton\Downloads\Get-WinEventData.ps1

$file = "C:\Users\anton\Desktop\logs.csv"

# Start from a fresh file that contains only the CSV header
Set-Content -Path $file -Value "Source,Destination,DestinationPort,Application"

# Sysmon Event ID 3 = network connection detected
$EventsID3 = Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Sysmon/Operational"; Id = 3 } |
    Get-WinEventData |
    Select-Object EventDataSourceIp, EventDataDestinationIp, EventDataDestinationPort, EventDataImage

foreach ($Event3 in $EventsID3) {
    # One CSV row per connection. The Image path is quoted so that a comma
    # in the path cannot shift the columns when neo4j parses the file.
    $output = '{0},{1},{2},"{3}"' -f $Event3.EventDataSourceIp,
                                    $Event3.EventDataDestinationIp,
                                    $Event3.EventDataDestinationPort,
                                    $Event3.EventDataImage
    Add-Content -Path $file -Value $output
}
```

For the sake of simplicity, I put the file in the C:\Users\<name>\Documents\Neo4j\default.graphdb\import directory, which is the directory that file:/// URLs in LOAD CSV resolve against.

Import data and Cypher queries

Now that we have the file in the format we need, open the neo4j browser and enter the following command in the input box:

```cypher
LOAD CSV WITH HEADERS FROM "file:///logs.csv" AS csvLine
CREATE (source:address {address: csvLine.Source})
CREATE (destination:addressd {addressd: csvLine.Destination})
CREATE (destinationport:destport {destport: csvLine.DestinationPort})
CREATE (application:app {application: csvLine.Application})
CREATE (source)-[:connectedto]->(destination)-[:using]->(application)-[:onport]->(destinationport)
```

The first line loads our CSV, one row at a time, as csvLine.

The next four CREATE statements create our graph elements: the source address, the destination address, the destination port and the application.

The last CREATE statement builds the relationships. In this case, I want to know which source IP connected to which destination IP, with which application, and on which destination port. Note that CREATE makes a new node for every CSV row, so an address that appears in ten connections becomes ten separate nodes; if you want one node per distinct address, port or application, use MERGE instead of CREATE for the node statements.
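A deduplicated variant of the import, added here as an example and not taken from the original post. It assumes the same logs.csv header and the same labels and relationship types as the query above, but uses MERGE so that repeated connections reuse existing nodes and edges instead of creating duplicates.

```cypher
// Added example: same CSV and same labels as the import above, but MERGE
// instead of CREATE. MERGE matches an existing node/edge with these
// properties if there is one and creates it only if there is not, so each
// distinct address, port and application ends up as a single node.
LOAD CSV WITH HEADERS FROM "file:///logs.csv" AS csvLine
MERGE (source:address {address: csvLine.Source})
MERGE (destination:addressd {addressd: csvLine.Destination})
MERGE (destinationport:destport {destport: csvLine.DestinationPort})
MERGE (application:app {application: csvLine.Application})
// Relationships are merged one at a time; merging the whole chain in one
// statement would create a fresh chain whenever any single hop is missing.
MERGE (source)-[:connectedto]->(destination)
MERGE (destination)-[:using]->(application)
MERGE (application)-[:onport]->(destinationport)
```

The trade-off is that with shared nodes you can no longer tell from the graph alone which source made a particular destination-to-application hop; if you need per-connection fidelity, keep CREATE for a connection node and MERGE only the address, port and application nodes around it.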

Click the Play button and you should see something similar to the following:

Now we can find something interesting: click the database icon on the left, then click the icon under "Relationship types":

The diagram you should now see is as follows:

We get a really clear front-end view of what is connecting to our system. In this case, we can see that 192.168.1.123 is connected to 204.79.197.200 using IE on port 443.

A worked example

Let's take a closer look at how to use it to analyze some malicious activity.

Of course, neo4j and this setup will not alert you to malicious activity by themselves; you still have to go looking for it.

We can write a simple query to show all of the PowerShell network connections:

This gives you a list of results.

We can double-click a node to expand it. Now we should see our attack show up as PowerShell network activity:

Again, we can clearly see 192.168.1.123 connected to 151.101.124.133 (GitHub) using PowerShell over port 443.
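The query the post describes is not shown on the page, so here is one of my own that does the same job, added as an example rather than copied from the original. It assumes the labels and relationship types from the import earlier (address, addressd, app, destport; connectedto, using, onport) and the Application column holding the full image path. The second query goes beyond the post: instead of naming PowerShell up front, it ranks every application by how many distinct destinations it talked to, which is a quick way to spot a network-capable binary you did not expect.

```cypher
// Added example, not the original post's query.
// 1. All PowerShell network connections, matched on the image file name.
//    toLower() makes the match case-insensitive; "\\" is an escaped backslash
//    so the comparison is against "\powershell.exe" / "\powershell_ise.exe".
MATCH (source:address)-[:connectedto]->(destination:addressd)
      -[:using]->(application:app)-[:onport]->(port:destport)
WHERE toLower(application.application) ENDS WITH "\\powershell.exe"
   OR toLower(application.application) ENDS WITH "\\powershell_ise.exe"
RETURN source.address            AS Source,
       destination.addressd      AS Destination,
       port.destport             AS DestinationPort,
       application.application   AS Application
ORDER BY Destination, DestinationPort;

// 2. Which applications talk to the most distinct destinations, and on which
//    ports. Works whether the import used CREATE (many nodes per value) or
//    MERGE (one node per value) because it aggregates on the property values.
MATCH (destination:addressd)-[:using]->(application:app)-[:onport]->(port:destport)
RETURN application.application                 AS Application,
       count(DISTINCT destination.addressd)    AS Destinations,
       collect(DISTINCT port.destport)         AS Ports
ORDER BY Destinations DESC;
```

Run the two statements separately in the neo4j browser (it executes one statement per input). Returning node properties rather than the nodes themselves gives a table; to get the graph view shown above, RETURN source, destination, application, port instead.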

This is obviously a simplified example, but I think it can be a very handy way to get some extra insight from your logs. I used Sysmon here because it provides very rich data.

Conclusion

With the neo4j graph database, it is easy to display the associations in your data.

If the amount of data is too large to go through CSV files, you can also feed the neo4j database the way BloodHound does, through its JSON-based REST API.
