Visualize Windows Logs With Neo4j

I spend considerable time analyzing logs from SIEM devices, which typically display data in tabular or chart formats. Inspired by the impressive BloodHound project's visualization capabilities, I sought to create similar graph-based representations for other log types, specifically Sysmon logs, using Neo4j.

Getting Started

The initial setup requires:

  1. Neo4j Installation: Download the free community edition from neo4j.com. After installation, access the interface at http://127.0.0.1:7474/browser/ using default credentials (neo4j/neo4j), which must be changed on first login.

  2. Sysmon Configuration: Install Sysmon with an appropriate configuration file.

Data Preparation

A PowerShell script extracts network connection events (Sysmon Event ID 3) from the Windows Event Log and writes them to a CSV file:

# Get-WinEventData is a community helper script that expands the event's EventData XML into EventData* properties
Import-Module C:\Users\Anton\Downloads\Get-WinEventData.ps1
$File = "C:\Users\Anton\Desktop\logs.csv"
# Overwrite (or create) the file with the CSV header that LOAD CSV WITH HEADERS will read
Set-Content $File -Value "Source,Destination,DestinationPort,Application"
# Sysmon Event ID 3 = network connection; reading the Sysmon channel requires an elevated shell
$EventsID3 = Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3} |
  Get-WinEventData | Select-Object EventDataSourceIp,EventDataDestinationIp,EventDataDestinationPort,EventDataImage
foreach ($Event3 in $EventsID3) {
    # One CSV row per event; Add-Content appends a newline after each row so every connection lands on its own line
    $output = "$($Event3.EventDataSourceIp),$($Event3.EventDataDestinationIp),$($Event3.EventDataDestinationPort),$($Event3.EventDataImage)"
    Add-Content $File -Value $output
}
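As an added example (not part of the original post or of the Sysmon/Neo4j tooling), the same extraction written in Python against the raw event XML that Get-WinEvent returns. It shows the actual structure of a Sysmon Event ID 3 record, skips other event IDs, and uses the csv module so that an image path containing a comma is quoted instead of silently adding a fifth column. The three events are constructed samples with hypothetical addresses and paths.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (the form returned by an EventLogRecord's ToXml())
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (hypothetical values): two Sysmon network connections (Event ID 3)
# and one process-creation event (Event ID 1) that the extraction must ignore.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="SourceIp">10.0.0.5</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\Vendor, Inc\updater.exe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="SourceIp">10.0.0.5</Data>
    <Data Name="SourcePort">51240</Data>
    <Data Name="DestinationIp">198.51.100.7</Data>
    <Data Name="DestinationPort">8443</Data>
  </EventData>
</Event>""",
]

# Column order expected by the Cypher import
FIELDS = ["Source", "Destination", "DestinationPort", "Application"]


def parse_event(xml_text):
    """Return the four graph fields for a Sysmon Event ID 3 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "3":
        return None
    # EventData is a flat list of <Data Name="..."> elements; index them by name
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "Source": data.get("SourceIp", ""),
        "Destination": data.get("DestinationIp", ""),
        "DestinationPort": data.get("DestinationPort", ""),
        "Application": data.get("Image", ""),
    }


def events_to_csv(xml_events):
    """Build the CSV text that LOAD CSV WITH HEADERS consumes.

    csv.DictWriter quotes any field containing the delimiter, so a path such as
    'C:\\Program Files\\Vendor, Inc\\updater.exe' stays a single Application column.
    """
    rows = [r for r in (parse_event(x) for x in xml_events) if r is not None]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Writes the sample data to logs.csv in the current directory; copy it to Neo4j's import directory
    with open("logs.csv", "w", encoding="utf-8", newline="") as fh:
        fh.write(events_to_csv(SAMPLE_EVENTS))
```

On a live host the XML strings would come from `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` rather than the constructed list; the parsing and quoting logic is unchanged.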

Data Import and Cypher Query

The following Cypher query imports the CSV data and establishes relationships:

// logs.csv must sit in Neo4j's import directory for the file:/// URL to resolve
LOAD CSV WITH HEADERS FROM "file:///logs.csv" AS csvLine
// MERGE reuses an existing node with the same property instead of creating a duplicate per row,
// so repeated connections converge on shared IP, port and application nodes (CREATE would not)
MERGE (source:address { address: csvLine.Source })
MERGE (destination:addressd { addressd: csvLine.Destination })
MERGE (DestinationPort:DestPort { destport: csvLine.DestinationPort })
MERGE (application:app { Application: csvLine.Application })
MERGE (source)-[:ConnectedTo]->(destination)
MERGE (destination)-[:Using]->(application)
MERGE (application)-[:OnPort]->(DestinationPort)

Practical Investigation Example

To identify suspicious PowerShell network activity, match the full chain from source address to destination port. The relationship type in the pattern must be the :Using relationship created at import, and a case-insensitive comparison catches the image path regardless of how it was capitalized:

MATCH path = (src:address)-[:ConnectedTo]->(dst:addressd)-[:Using]->(a:app)-[:OnPort]->(:DestPort)
WHERE toLower(a.Application) CONTAINS "powershell" RETURN path

This reveals all network connections initiated by PowerShell, enabling investigators to spot potentially malicious downloads or command-and-control communications.
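For readers without a Neo4j instance at hand, here is an added Python counterpart to the query above (example code, not part of the original post). It builds the same deduplicated structure that MERGE produces from rows shaped like logs.csv, answers the "which connections did PowerShell make" question, and goes one step beyond the query by listing applications that fall outside an expected baseline. The rows and the baseline are constructed samples with hypothetical addresses and paths.

```python
from collections import defaultdict

# Constructed rows in the shape of logs.csv (hypothetical values); the second row repeats the
# first on purpose to show that the graph keeps one edge, as MERGE does in Neo4j
SAMPLE_ROWS = [
    {"Source": "10.0.0.5", "Destination": "203.0.113.10", "DestinationPort": "443",
     "Application": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Source": "10.0.0.5", "Destination": "203.0.113.10", "DestinationPort": "443",
     "Application": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Source": "10.0.0.5", "Destination": "198.51.100.7", "DestinationPort": "4444",
     "Application": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Source": "10.0.0.8", "Destination": "203.0.113.20", "DestinationPort": "443",
     "Application": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

# Constructed baseline of applications expected to make outbound connections on this host
SAMPLE_BASELINE = [r"C:\Program Files\Mozilla Firefox\firefox.exe"]


def build_graph(rows):
    """Group distinct (source, destination, port) edges under each application path.

    A set per application mirrors MERGE semantics: a connection seen many times is one edge.
    """
    graph = defaultdict(set)
    for r in rows:
        graph[r["Application"]].add((r["Source"], r["Destination"], r["DestinationPort"]))
    return graph


def connections_for(graph, needle):
    """Counterpart of the Cypher MATCH: every edge of an application whose path contains needle.

    Comparison is case-insensitive, matching toLower(a.Application) CONTAINS "powershell".
    """
    needle = needle.lower()
    found = []
    for app, edges in graph.items():
        if needle in app.lower():
            found.extend(edges)
    return sorted(found)


def unexpected_applications(graph, baseline):
    """Applications that made network connections but are not in the expected baseline."""
    allowed = {a.lower() for a in baseline}
    return sorted(app for app in graph if app.lower() not in allowed)


if __name__ == "__main__":
    g = build_graph(SAMPLE_ROWS)
    for src, dst, port in connections_for(g, "powershell"):
        print(f"powershell: {src} -> {dst}:{port}")
    for app in unexpected_applications(g, SAMPLE_BASELINE):
        print(f"not in baseline: {app}")
```

The same two questions map onto the graph directly: the first is the MATCH above, the second is a MATCH on :app nodes whose Application property is NOT IN a list of baseline paths.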

Key Advantages

  • Visual graph representations make pattern recognition intuitive compared to tabular logs
  • Relationship mapping clarifies connections between entities (IPs, ports, applications)
  • Can establish baselines for expected administrative account behavior
  • Enables rapid investigation of alerts and anomalies