Linux.Sysinternals.Sysmon

Parses syslog for Sysmon events on Linux

Reference: https://github.com/Sysinternals/SysmonForLinux

This artifact can also be modified to forward events (as a client event artifact), similar to Windows.Sysinternals.SysmonLogForward.


name: Linux.Sysinternals.Sysmon
author: Wes Lambert -- @therealwlambert
description: |
  Parses syslog for Sysmon events on Linux

  **Reference**: https://github.com/Sysinternals/SysmonForLinux

  This artifact can also be modified to forward events (as a client
  event artifact), similar to Windows.Sysinternals.SysmonLogForward.

type: CLIENT

precondition: SELECT OS From info() where OS = 'linux'

parameters:
  - name: syslogPath
    default: /var/log/syslog

  - name: sysmonGrok
    description: A Grok expression for parsing Sysmon events from syslog on Linux machines
    default: >-
      %{SYSLOGTIMESTAMP:Timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{GREEDYDATA:event}
  - name: StartDate
    type: timestamp
    description: "Parse events on or after this date (YYYY-MM-DDTmm:hh:ssZ)"
  - name: EndDate
    type: timestamp
    description: "Parse events on or before this date (YYYY-MM-DDTmm:hh:ssZ)"
  - name: IDRegex
    default: "."

sources:
  - queries:
      # Basic syslog parsing via GROK expressions.
      - LET UnparsedEvents = SELECT * FROM foreach(
          row={
              SELECT *  FROM glob(globs=syslogPath)
          }, query={
              SELECT grok(grok=sysmonGrok, data=Line) AS Event,
              FullPath
              FROM parse_lines(filename=FullPath)
              WHERE Event.program = "sysmon" AND Event.event =~ "<Event>"
          })
      - LET ParsedEvents = SELECT parse_xml(accessor='data', file=Event.event).Event AS Event FROM UnparsedEvents
      - SELECT timestamp(string=Event.System.TimeCreated.AttrSystemTime) AS TimeCreated,
           Event.System.EventID AS EventID,
           Event.System.Channel AS _Channel,
           Event.System.EventRecordID AS EventRecordID,
           Event.System.EventID AS EventID,
           Event.System.Computer AS Computer,
           Event.System AS System,
           to_dict(item={SELECT AttrName AS _key, `#text` AS _value FROM Event.EventData.Data}) AS EventData
         FROM ParsedEvents
         WHERE
            if(condition=StartDate, then=TimeCreated >= timestamp(string=StartDate), else=true)
            AND if(condition=EndDate, then=TimeCreated <= timestamp(string=EndDate), else=true)
            AND str(str=EventID) =~ IDRegex