自动为Azure Sentinel生成Sysmon解析器
作者:Sec-Labs | 发布时间:
项目地址
https://github.com/olafhartong/sysmon-parser
sysmon-parser
自动生成的 Azure Sentinel Sysmon 解析器
可以将 Sysmon-AllVersions_Parser.txt 作为 Azure Sentinel 中的函数加载,以解析所有事件。
// KQL Sysmon Event Parser
// Last Updated Date: 04/17/2023 01:38:19
// Sysmon Version: Applicable to all versions
//
// Turns raw Sysmon rows of the Event table into one row per event with one
// column per Sysmon schema field, so detections can reference e.g. CommandLine
// or TargetFilename directly. Every field in the generated list below is
// guaranteed to exist in the output (empty string when the event type does
// not carry it). Save the whole query as a Sentinel function to reuse it.
Event
// Only Sysmon rows; other Windows event providers share the Event table.
| where Source == "Microsoft-Windows-Sysmon"
// Keep only the text before the first ':' of the rendered description.
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
// EventData is XML; each <Data Name="..."> element becomes one entry of this array.
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
// One row per <Data> element, then its properties become columns: parse_xml
// exposes the Name attribute as '@Name' and the element text as '#text'.
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = tostring(column_ifexists('#text', ""))
// Fold the key/value rows back into one row per event. The listed columns
// identify the event; every distinct Key becomes a column. any(Value) means
// that if a key repeats within one event an arbitrary occurrence is kept.
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)
// pivot only creates columns for keys present in the data actually queried, so
// materialize every schema field with column_ifexists (empty string when the
// column is absent). Downstream queries can then reference any field without a
// "column not found" error. This list is generated from the Sysmon schema by
// generate-parser.ps1; do not maintain it by hand.
| extend TimeGenerated = column_ifexists("TimeGenerated", ""), Source = column_ifexists("Source", ""), EventLog = column_ifexists("EventLog", ""), Computer = column_ifexists("Computer", ""), EventLevel = column_ifexists("EventLevel", ""), EventLevelName = column_ifexists("EventLevelName", ""), EventID = column_ifexists("EventID", ""), UserName = column_ifexists("UserName", ""), RenderedDescription = column_ifexists("RenderedDescription", ""), MG = column_ifexists("MG", ""), ManagementGroupName = column_ifexists("ManagementGroupName", ""), _ResourceId = column_ifexists("_ResourceId", ""), UtcTime = column_ifexists("UtcTime", ""), ID = column_ifexists("ID", ""), Description = column_ifexists("Description", ""), RuleName = column_ifexists("RuleName", ""), ProcessGuid = column_ifexists("ProcessGuid", ""), ProcessId = column_ifexists("ProcessId", ""), Image = column_ifexists("Image", ""), FileVersion = column_ifexists("FileVersion", ""), Product = column_ifexists("Product", ""), Company = column_ifexists("Company", ""), OriginalFileName = column_ifexists("OriginalFileName", ""), CommandLine = column_ifexists("CommandLine", ""), CurrentDirectory = column_ifexists("CurrentDirectory", ""), User = column_ifexists("User", ""), LogonGuid = column_ifexists("LogonGuid", ""), LogonId = column_ifexists("LogonId", ""), TerminalSessionId = column_ifexists("TerminalSessionId", ""), IntegrityLevel = column_ifexists("IntegrityLevel", ""), Hashes = column_ifexists("Hashes", ""), ParentProcessGuid = column_ifexists("ParentProcessGuid", ""), ParentProcessId = column_ifexists("ParentProcessId", ""), ParentImage = column_ifexists("ParentImage", ""), ParentCommandLine = column_ifexists("ParentCommandLine", ""), ParentUser = column_ifexists("ParentUser", ""), TargetFilename = column_ifexists("TargetFilename", ""), CreationUtcTime = column_ifexists("CreationUtcTime", ""), PreviousCreationUtcTime = column_ifexists("PreviousCreationUtcTime", ""), Protocol = column_ifexists("Protocol", ""), 
Initiated = column_ifexists("Initiated", ""), SourceIsIpv6 = column_ifexists("SourceIsIpv6", ""), SourceIp = column_ifexists("SourceIp", ""), SourceHostname = column_ifexists("SourceHostname", ""), SourcePort = column_ifexists("SourcePort", ""), SourcePortName = column_ifexists("SourcePortName", ""), DestinationIsIpv6 = column_ifexists("DestinationIsIpv6", ""), DestinationIp = column_ifexists("DestinationIp", ""), DestinationHostname = column_ifexists("DestinationHostname", ""), DestinationPort = column_ifexists("DestinationPort", ""), DestinationPortName = column_ifexists("DestinationPortName", ""), State = column_ifexists("State", ""), Version = column_ifexists("Version", ""), SchemaVersion = column_ifexists("SchemaVersion", ""), ImageLoaded = column_ifexists("ImageLoaded", ""), Signed = column_ifexists("Signed", ""), Signature = column_ifexists("Signature", ""), SignatureStatus = column_ifexists("SignatureStatus", ""), SourceProcessGuid = column_ifexists("SourceProcessGuid", ""), SourceProcessId = column_ifexists("SourceProcessId", ""), SourceImage = column_ifexists("SourceImage", ""), TargetProcessGuid = column_ifexists("TargetProcessGuid", ""), TargetProcessId = column_ifexists("TargetProcessId", ""), TargetImage = column_ifexists("TargetImage", ""), NewThreadId = column_ifexists("NewThreadId", ""), StartAddress = column_ifexists("StartAddress", ""), StartModule = column_ifexists("StartModule", ""), StartFunction = column_ifexists("StartFunction", ""), SourceUser = column_ifexists("SourceUser", ""), TargetUser = column_ifexists("TargetUser", ""), Device = column_ifexists("Device", ""), SourceProcessGUID = column_ifexists("SourceProcessGUID", ""), SourceThreadId = column_ifexists("SourceThreadId", ""), TargetProcessGUID = column_ifexists("TargetProcessGUID", ""), GrantedAccess = column_ifexists("GrantedAccess", ""), CallTrace = column_ifexists("CallTrace", ""), EventType = column_ifexists("EventType", ""), TargetObject = column_ifexists("TargetObject", ""), 
Details = column_ifexists("Details", ""), NewName = column_ifexists("NewName", ""), Hash = column_ifexists("Hash", ""), Contents = column_ifexists("Contents", ""), Configuration = column_ifexists("Configuration", ""), ConfigurationFileHash = column_ifexists("ConfigurationFileHash", ""), PipeName = column_ifexists("PipeName", ""), Operation = column_ifexists("Operation", ""), EventNamespace = column_ifexists("EventNamespace", ""), Name = column_ifexists("Name", ""), Query = column_ifexists("Query", ""), Type = column_ifexists("Type", ""), Destination = column_ifexists("Destination", ""), Consumer = column_ifexists("Consumer", ""), Filter = column_ifexists("Filter", ""), QueryName = column_ifexists("QueryName", ""), QueryStatus = column_ifexists("QueryStatus", ""), QueryResults = column_ifexists("QueryResults", ""), IsExecutable = column_ifexists("IsExecutable", ""), Archived = column_ifexists("Archived", ""), Session = column_ifexists("Session", ""), ClientInfo = column_ifexists("ClientInfo", "")
// Fix for wrong casing in EventID10
// Event ID 10 (ProcessAccess) spells these fields SourceProcessGUID /
// TargetProcessGUID. Prefer that value when it is non-empty, otherwise keep the
// common spelling, then drop the GUID-cased duplicates. Both spellings are
// always present at this point because the extend above materialized them.
| extend SourceProcessGuid=iff(isnotempty(SourceProcessGUID),SourceProcessGUID,SourceProcessGuid), TargetProcessGuid=iff(isnotempty(TargetProcessGUID),TargetProcessGUID,TargetProcessGuid)
| project-away SourceProcessGUID, TargetProcessGUID
// end fix
// Split MITRE ATT&CK tags out of RuleName values of the form
// 'technique_id=T....,technique_name=...'. Rows whose RuleName does not match
// the pattern keep TechniqueId/TechniqueName empty rather than failing.
| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
// Assumes the Hashes field carries all four algorithms in this order (i.e.
// HashAlgorithms=* in the Sysmon configuration). With fewer algorithms enabled
// the pattern does not match and SHA1/MD5/SHA256/IMPHASH stay empty — confirm
// against the deployed Sysmon config before relying on these columns.
| parse Hashes with * 'SHA1=' SHA1 ',' * 'MD5=' MD5 ',' * 'SHA256=' SHA256 ',' * 'IMPHASH=' IMPHASH
还有一个 Azure Devops 管道每天触发,安装最新的 Sysmon 版本,提取模式,并使用所有唯一字段填充解析器。
PowerShell 脚本也可以在已安装 Sysmon 的计算机上本地运行。
核心代码
generate-parser.ps1
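# generate-parser.ps1
# Generates Sysmon-AllVersions_Parser.txt, a KQL query that can be saved as an
# Azure Sentinel function to parse Sysmon events from the Event table. The list
# of Sysmon fields is read from the schema printed by the locally available
# Sysmon.exe, so rerunning the script after a Sysmon upgrade picks up new fields.

# Native Event-table columns that must survive the pivot and always exist.
$nativeColumnList = @("TimeGenerated", "Source", "EventLog", "Computer", "EventLevel", "EventLevelName", "EventID", "UserName", "RenderedDescription", "MG", "ManagementGroupName", "_ResourceId")

# Dump the event manifest as XML (-s prints the schema, -nologo drops the banner).
$schemaXml = Sysmon.exe -nologo -s
# Fail loudly: if Sysmon.exe is missing or errors, the schema is empty and the
# script would otherwise silently write a parser containing only the native
# columns, which masks the problem until a detection breaks.
if (-not $schemaXml -or $LASTEXITCODE -ne 0) {
    throw "Sysmon.exe -nologo -s did not return a schema (exit code: $LASTEXITCODE). Is Sysmon.exe on PATH?"
}
[xml]$schema = ($schemaXml -join [Environment]::NewLine)

# Every distinct <data name="..."> across all event definitions. Select-Object
# -Unique is case-sensitive, so SourceProcessGuid and SourceProcessGUID (the
# event ID 10 spelling) are both kept; the tail of the query merges them.
$sysmonColumnList = @($schema.manifest.events.event.data | Select-Object name -Unique | ForEach-Object { $_.name })
if ($sysmonColumnList.Count -eq 0) {
    throw "No field names found in the Sysmon schema output."
}
# Field names are spliced into the KQL text verbatim; a name that is not a
# plain identifier would yield a syntactically broken parser, so refuse it here
# rather than emit it.
foreach ($name in $sysmonColumnList) {
    if ($name -notmatch '^[A-Za-z0-9_]+$') {
        throw "Unexpected field name in Sysmon schema: '$name'"
    }
}

# Fixed format so the timestamp does not depend on the culture of the machine
# (or build agent) running the script.
$date = Get-Date -Format 'MM/dd/yyyy HH:mm:ss'
$header = @(
    "// KQL Sysmon Event Parser",
    "// Last Updated Date: $date"
) -join [Environment]::NewLine

# Static head of the query: select Sysmon rows, explode the EventData XML into
# key/value pairs and pivot them back into one row per event.
$querybase = @'
// Sysmon Version: Applicable to all versions
Event
| where Source == "Microsoft-Windows-Sysmon"
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = tostring(column_ifexists('#text', ""))
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)
'@

# One column_ifexists(...) per column so that every schema field exists in the
# output (empty string when absent). Built with -join instead of trimming a
# trailing separator off a concatenated string.
$columnList = $nativeColumnList + $sysmonColumnList
$extendClauses = $columnList | ForEach-Object { "$($_) = column_ifexists(`"$($_)`", `"`")" }
$extend = '| extend ' + ($extendClauses -join ', ')

# Static tail: merge the event ID 10 GUID-cased duplicates and split RuleName
# and Hashes into their own columns.
$tail = @'
// Fix for wrong casing in EventID10
| extend SourceProcessGuid=iff(isnotempty(SourceProcessGUID),SourceProcessGUID,SourceProcessGuid), TargetProcessGuid=iff(isnotempty(TargetProcessGUID),TargetProcessGUID,TargetProcessGuid)
| project-away SourceProcessGUID, TargetProcessGUID
// end fix
| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
| parse Hashes with * 'SHA1=' SHA1 ',' * 'MD5=' MD5 ',' * 'SHA256=' SHA256 ',' * 'IMPHASH=' IMPHASH
'@

# Here-strings carry no trailing newline, so join the four parts explicitly
# instead of relying on trailing whitespace inside them.
$parser = @($header, $querybase, $extend, $tail) -join [Environment]::NewLine
# NOTE: Out-File's default encoding is UTF-16LE on Windows PowerShell 5.1 and
# UTF-8 on PowerShell 7; pass -Encoding explicitly if the consumer of the file
# is sensitive to it.
$parser | Out-File Sysmon-AllVersions_Parser.txt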