SysmonSearch – Investigate suspicious activity by visualizing Sysmon’s event log


Sysmon (System Monitor) is a Microsoft service that, once installed, continuously monitors operating system activity. It records that activity so suspicious or malicious behaviour can be identified, together with the way in which a malicious program was executed. This makes it somewhat different from other security tools that analyse logs to detect brute force or similar log-based attacks. This week JPCERT released a new tool called SysmonSearch, which visualizes the logs generated by Sysmon.

SysmonSearch can search Sysmon logs by date, IP address, port number, host name, process name, file name, registry key, registry value and hash value.

SysmonSearch uses Elasticsearch and Kibana (with a Kibana plugin).

  • Elasticsearch
    Elasticsearch collects/stores Sysmon’s event log.
  • Kibana
    Kibana provides the user interface for analysing your Sysmon event logs. The following functions are implemented as a Kibana plugin.

    • Visualize Function
      This function visualizes Sysmon's event logs to illustrate the correlation between processes and network connections.
    • Statistical Function
      This function collects the statistics of each device or Sysmon’s event ID.
    • Monitor Function
      This function monitors incoming logs against the preconfigured rules and triggers alerts.
  • StixIoC server
    You can add search/monitor conditions by uploading a STIX/IOC file. From the StixIoC server Web UI, you can upload STIXv1, STIXv2 and OpenIOC format files.
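To make the correlation and search functions described above concrete, here is an added example (not SysmonSearch's own code, which runs on Elasticsearch and Kibana): it parses Sysmon events exported as XML, joins each network-connection event (Event ID 3) to the process-creation event (Event ID 1) that shares its ProcessGuid, and filters the result by host, process image, hash, IP address or port. The sample events and every GUID, path and address in them are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample log (invented GUIDs, paths and addresses): one process creation (ID 1),
# two connections (ID 3) from that process, and one connection on another host whose
# process creation was never recorded.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID><Computer>host01</Computer></System><EventData>
<Data Name="ProcessGuid">{P1}</Data><Data Name="Image">C:\\Users\\bob\\updater.exe</Data>
<Data Name="Hashes">SHA256=1111</Data><Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>
<Event><System><EventID>3</EventID><Computer>host01</Computer></System><EventData>
<Data Name="ProcessGuid">{P1}</Data><Data Name="DestinationIp">203.0.113.10</Data>
<Data Name="DestinationPort">4444</Data></EventData></Event>
<Event><System><EventID>3</EventID><Computer>host01</Computer></System><EventData>
<Data Name="ProcessGuid">{P1}</Data><Data Name="DestinationIp">198.51.100.7</Data>
<Data Name="DestinationPort">443</Data></EventData></Event>
<Event><System><EventID>3</EventID><Computer>host02</Computer></System><EventData>
<Data Name="ProcessGuid">{P2}</Data><Data Name="DestinationIp">198.51.100.7</Data>
<Data Name="DestinationPort">443</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Flatten each <Event> into a dict: EventID, Computer and every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text),
               "Computer": ev.find("e:System/e:Computer", NS).text}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events

def correlate(events):
    """Join each network connection (ID 3) to the process-creation record (ID 1) that
    shares its ProcessGuid; connections with no matching ID 1 are kept as 'unknown'."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    rows = []
    for e in (e for e in events if e["EventID"] == 3):
        p = procs.get(e["ProcessGuid"], {})
        rows.append({"Computer": e["Computer"], "Image": p.get("Image", "unknown"),
                     "Hashes": p.get("Hashes", "unknown"), "ParentImage": p.get("ParentImage", "unknown"),
                     "DestinationIp": e["DestinationIp"], "DestinationPort": int(e["DestinationPort"])})
    return rows

def search(rows, **criteria):
    """Filter correlated rows on any field: host, process image, hash, IP address or port."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]
```

A connection whose Image comes back as 'unknown' is itself worth a look: either Sysmon started after the process, or the process-creation event is missing from the collected logs.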

You can read more and download the latest release at the following link: