From 43ab192f6354df768a0d16922cbcef40445bb4e3 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin <vallentin@icir.org>
Date: Wed, 12 Dec 2018 23:21:35 +0100
Subject: [PATCH] Add XML parser to create JSON from sysmon

---
 sysmon-to-json.rb | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100755 sysmon-to-json.rb

diff --git a/sysmon-to-json.rb b/sysmon-to-json.rb
new file mode 100755
index 0000000..639c9c2
--- /dev/null
+++ b/sysmon-to-json.rb
@@ -0,0 +1,45 @@
+#!/usr/bin/env ruby
+
+require 'json'
+require 'nokogiri'
+
+def parse_xml(data)
+  # Extract all comments: <!-- .* -->
+  xml = Nokogiri::XML(data)
+  comments = xml.xpath('//comment()').map { |x| x.content }
+  # Accumulate sysmon event structure.
+  events = {}
+  ids = []
+  comments.each do |comment|
+    if comment.start_with?('SYSMON EVENT')
+      match = comment.match(/ID (.+) : (.+) \[(.+)\]/)
+      next unless match
+      id, desc, name = match.to_a.drop(1)
+      ids = id.split(' & ').map { |x| x.to_sym }
+      ids.each do |id|
+        events[id] = {
+          name: name,
+          desc: desc
+        }
+      end
+    end
+    if not ids.empty?
+      if comment.start_with?('EVENT')
+        id, details = comment.match(/EVENT (.+): "([^"]+)/).to_a.drop(1)
+        next unless events.has_key?(id.to_sym)
+        events[id.to_sym][:details] = details
+      end
+      if comment.start_with?('DATA')
+        args = comment[/DATA: (.*)/, 1].split(', ')
+        ids.each do |id|
+          events[id][:args] = args
+        end
+      end
+    end
+  end
+  return JSON[events]
+end
+
+if __FILE__ == $0
+  puts parse_xml(STDIN.read)
+end