sysmon-arangodb/arango_from_evtx.py at master · SecSamDev/sysmon-arangodb · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
from pyArango.connection import *
from pyArango.collection import Collection, Field
from pyArango.graph import Graph, EdgeDefinition
import json
from arango_sysmon import *
conn = Connection(username="root", password="openSesame")
import ntpath
from time import perf_counter
from random import randrange
from sysmon_ingest import SysmonIngest
from flatten_json import flatten

# Documentos
try:
    db = conn.createDatabase(name="sysmon")
except Exception as e:
    db = conn["sysmon"]

db.dropAllCollections()

# Grafos
name = 'Sysmon_PC_GRAPH_1'
customSysmonGraph(name)
PC_GRAPH_1 = db.createGraph(name, numberOfShards = 10, smartGraphAttribute = "provider_guid")

ingest = SysmonIngest(db,PC_GRAPH_1)

def clean_data(event_data):
    new_event = {}
    for key in event_data.keys():
        new_event[key.replace("Event.","").replace("System.","").replace("EventData.","").replace(".#attributes.","")] = event_data[key]
    return new_event

with open('evtx_syspce.jsonl', 'r') as json_file:
    line = json_file.readline()
    while line:
        data = json.loads(line)
        event_data = clean_data(flatten(data,separator="."))
        #print(json.dumps(event_data))
        #break
        ingest.process_event(event_data)
        line = json_file.readline()