How to Zeek Sysmon logs.


Bro-Sysmon enables Bro to receive Windows Event Logs. This provide a method to associate Network Monitoring and Host Monitoring. The work was spurred by the need to associate JA3 and HASSH fingerprints with the application on the host. The example below shows the hostname, Process ID, connection information, JA3 fingerprints, Application Path, and binary hashes.

blocky-PC	3200	59356	443	
	e7901d17482da52152fff3e9afadfa57	85acb5f1aec131b9897ae1fc1f22aff3	C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe

How it works uses the Broker Python Bindings to establish peering with Bro. Bro subsribes to the /sysmon message bus. Windows event logs are received in JSON format by The script parses the JSON object and builds an event which is sent to the /sysmon message bus. Bro receives the events and makes them available to "script land". The provided Bro scripts will generate log files prepended with "sysmon_". Custom scrips can be added to handle the events like mapping JA3 fingerprints to client applications.					Bro
				|						|
				|    ------ Establish Peering  ------>		|
				|						|
				|    <----- Establish Peering  -------		|
				|						|
				|    <----- Subscirbe /sysmon  -------		|
				|						|
Receive Sysmon JSON	-->	|						|
				|						|
				| -- Parse JSON					|
				| -- Build Event				|
				|						|
				|						|
				|    ------ Publish to /sysmon ------>		|
				|						|
				|						|  --> Bro Scipt to Log 
				|						|
				|						|  --> Bro Script Build Map 
											JA3 to Appication

Getting Started

  • Install Sysmon on Windows host, tune config as you like.
  • Install WinLogBeat on Windows host and configure to forward to Logstash on a Linux box.
  • Install Logstash, Broker and Bro on the Linux host.
  • Configure Logstash on the Linux host as beats listener and write logs out to file.
    Example Logstash config:
    	input {
    		beats {
    		  port => 9000
    	output {
    		file {
    		  path => "/home/logstash/bro-sysmon/WindowsSysmon.json"
  • copy the sysmon folder to $bropath/share/bro/site/
  • modify local.bro to include sysmon directory `@load sysmon`
  • start Bro as you see fit, start in foreground until you're happy with it.
  • tail -f /home/logstash/WindowsEventLogs.json | python &


Bro-Sysmon events will now be available to Bro Scripts.

event sysmonProcNetConn(computerName: string, proto: string, 
			srcip: string, srcprt: string, dstip: string, dstprt: string, 
			processId: string, procImage: string) {
		print fmt("Host %s spawned ProcessID %s, %s", computerName, processId, procImage);
Output: Host blocky-PC spawned ProcessID 3968, C:\Users\blocky\Desktop\putty.exe

Bro-Sysmon logs will be written to file.

#fields computerName    processId       company currentDirectory        description     fileVersion     hashes  image   integrityLevel  logonGuid       logonId parentCommandline       parentImage
     parentProcessGuid       parentProcessId processGuid     product terminalSessionId       user    utcTime
A8A1831F0A2675351B5FF	C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe	Low	{7A15C4BA-936D-5BDC-0100-0020642C5435}	0x135542c64	"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" 	C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe	{7A15C4BA-F08F-5BEE-0100-00109E978637}	4584	-	?	2	blocky-PC\\blocky	2018-11-16 16:30:09.143


Bro-Sysmon concept was conceived and developed by Jeff Atkinson (@4a7361). Special thanks goes out to Kevin Thompson (@bfist), @tenzir_company and @0xHosom.


Bro-Sysmon comes with a 3-Clause BSD license

Package Version :