Analyzing Sysmon events with a graph

Hello colleagues, this is the example I promised in answer to this tweet. I used a Sysmon config to capture activity happening on my system. Unfortunately it did not capture much network-related activity; perhaps I need to change it to extend the network-level filters. On the other hand it captured a lot of process-level activity, so in this example I'd like to try graphing process creation events (Sysmon event ID 1), with an edge from each parent image to the child image it started.
The first thing to do is create a graph object

$g = New-Graph -Type BidirectionalGraph

And now we can fill the graph with data straight from the event log. It may take a few seconds for all events to be processed

# Keep only Sysmon event ID 1 (ProcessCreate). In this Sysmon schema Properties[3] is the
# child Image and Properties[-2] (second to last) is the ParentImage; the indices depend on
# the Sysmon version, so check them against your own events before relying on them.
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | ? {$_.Id -eq 1} |
    % { if ($_.Properties[3]) {Add-Edge -From $_.Properties[-2].value -To $_.Properties[3].value -Graph $g}}

And then we just display the graph

Show-GraphLayout -Graph $g
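The whole procedure above in one script, as an added example that is not from the original post: it builds the same parent-to-child process graph, but reads the Sysmon fields by name from the event XML rather than by positional index, so it keeps working when a newer Sysmon schema adds or reorders fields, and it de-duplicates edges so one noisy parent does not hide the rest. It assumes the same graph cmdlets the post uses (New-Graph, Add-Edge, Show-GraphLayout, presumed to come from the PSQuickGraph module) and that Sysmon is writing to Microsoft-Windows-Sysmon/Operational; the function name and the -MaxEvents cap are my own choices.

```powershell
# Added example, not the post's own code. Assumes the graph cmdlets used in the post
# (New-Graph / Add-Edge / Show-GraphLayout, presumed to be PSQuickGraph) are loaded.

function Get-SysmonProcessCreateEdge {
    # Hypothetical helper: yields one parent->child record per ProcessCreate event.
    param([int]$MaxEvents = 5000)

    # Event ID 1 = ProcessCreate. Filtering with FilterHashtable happens in the event
    # log service, which is far faster than piping every Sysmon event through Where-Object.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Sysmon writes every field as <Data Name="...">value</Data>; index them by name
            # instead of relying on their position, which changes between Sysmon versions.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Parent = $data['ParentImage']
                Child  = $data['Image']
                Time   = $data['UtcTime']
                User   = $data['User']
            }
        }
}

$edges = Get-SysmonProcessCreateEdge | Where-Object { $_.Parent -and $_.Child }

$g = New-Graph -Type BidirectionalGraph

# One edge per distinct parent/child pair, so repeated launches do not clutter the layout
$edges |
    Sort-Object Parent, Child -Unique |
    ForEach-Object { Add-Edge -From $_.Parent -To $_.Child -Graph $g }

Show-GraphLayout -Graph $g

# Quick triage view to go with the picture: which parents start the widest variety of
# children? Parents you would not expect to spawn anything (document viewers, browsers)
# near the top of this list are worth a closer look.
$edges |
    Sort-Object Parent, Child -Unique |
    Group-Object Parent |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Reading the fields by name is the part worth keeping even if you prefer the one-liner: the positional form silently produces wrong edges (or an empty graph) the first time the Sysmon schema changes, whereas a named lookup either works or fails visibly with empty Parent/Child values, which the Where-Object filter drops.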

This is how it looks