A tool for working with and testing Sysmon configs.
Project description
sysmon_utils
Utilities for working with and testing Sysmon configs against Windows Event Logs. Works in combination with my atomic-datasets-utils to support my sysmon-modular work. My goal is to make it easier to modify, verify, and test Sysmon configs. Development is sponsored by my (Connor Shade) employer QOMPLX.
Commands
atomictests
Checks for techniques found or overruled. Designed to run against the output of atomic-datasets-utils to test Sysmon Config functionality.
emulate
Parses a provided log file as if it was just collected with the provided Sysmon config. Useful for determining the amount of "noise" you can remove from logs.
merge
A better implementation of my merge_sysmon_configs script, originally designed for Sysmon-Modular. This merge script organizes rules by priority.
overruled
Detects if an improperly-ordered rule overrules a specific pattern. I've seen this a lot with rules detecting PowerShell execution instead of focusing on what PowerShell was calling - it's more important to log Image is malware than ParentImage is PowerShell.
secdatasets :construction: WIP
Runs through a local copy of Security-Datasets, parses the metadata files for techniques, then runs verify and overruled on each.
techniques
Returns a list of techniques and their count in a provided Sysmon config. Useful for building a MITRE ATT&CK matrix.
verify
Filters LOGFILE with CONFIG, look for PATTERN within any RuleNames that pass the input.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for sysmon_utils-0.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | e5bbcf1c97c612a46772ef82cbdf4c083feb495938a08b0b15dacadd22b0bdf5 |
|
| MD5 | 8233d617742093503154c5f1128396a6 |
|
| BLAKE2b-256 | 5ff44cb8329767b8c302ed2d4e801dddf55310cabce9216e611ce1e2ffd6c67c |
