SysmonSearch – Investigate suspicious activity by visualizing Sysmon’s event log
Sysmon (System Monitor) is a Microsoft service that, once installed, continuously monitors operating system activity. It examines that activity to identify suspicious or malicious behaviour and records how a malicious program was executed, which makes it a little different from other security tools that analyze logs to detect brute force or similar log-based attacks. This week JPCERT released a new set of tools called SysmonSearch, which visualizes the logs generated by Sysmon.
SysmonSearch can search Sysmon logs by date, IP address, port number, host name, process name, file name, registry key, registry value and hash value.

SysmonSearch uses Elasticsearch and Kibana (with a Kibana plugin).
- Elasticsearch
  Elasticsearch collects and stores Sysmon's event log.
- Kibana
  Kibana provides the user interface for analysing Sysmon's event log. The following functions are implemented as a Kibana plugin.
  - Visualize function
    This function visualizes Sysmon's event logs to illustrate the correlation between processes and network connections.
  - Statistical function
    This function collects statistics per device or per Sysmon event ID.
  - Monitor function
    This function monitors incoming logs against preconfigured rules and triggers alerts.
- StixIoC server
  You can add search/monitor conditions by uploading a STIX/IOC file. From the StixIoC server web UI, you can upload files in STIXv1, STIXv2 and OpenIOC format.
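As an added illustration, not code from the original post or from the SysmonSearch project, the following Python builds the same kind of process/network correlation, field search and rule-based monitor that the functions above describe, over a handful of constructed Sysmon events (Event ID 1 process creation and Event ID 3 network connection). It uses the field names Sysmon itself writes (ProcessGuid, ParentProcessGuid, Image, Hashes, DestinationIp and so on); the sample events, GUIDs, hashes, host name and the monitor rule are all constructed for the example, and the small in-memory index stands in for the Elasticsearch index SysmonSearch queries.

```python
"""Added example (not SysmonSearch code): correlate Sysmon Event ID 1 (process
create) and Event ID 3 (network connection) records, search them by field, and
evaluate a monitor rule. All events, GUIDs, hashes and the rule are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed events in Sysmon's EventData layout. The Windows event XML namespace
# is omitted here; parse_event() strips it when present on real exports.
SAMPLE_EVENTS = [
    r"""<Event><System><EventID>1</EventID><Computer>ws01</Computer></System><EventData>
    <Data Name="UtcTime">2018-09-10 08:00:00.000</Data><Data Name="ProcessGuid">{G1}</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data><Data Name="Hashes">SHA256=AAAA1111</Data>
    <Data Name="ParentProcessGuid">{G0}</Data><Data Name="ParentImage">C:\Windows\System32\userinit.exe</Data>
    </EventData></Event>""",
    r"""<Event><System><EventID>1</EventID><Computer>ws01</Computer></System><EventData>
    <Data Name="UtcTime">2018-09-10 08:05:00.000</Data><Data Name="ProcessGuid">{G2}</Data>
    <Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="Hashes">SHA256=BBBB2222</Data><Data Name="ParentProcessGuid">{G1}</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>""",
    r"""<Event><System><EventID>1</EventID><Computer>ws01</Computer></System><EventData>
    <Data Name="UtcTime">2018-09-10 08:06:30.000</Data><Data Name="ProcessGuid">{G3}</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data><Data Name="Hashes">SHA256=CCCC3333</Data>
    <Data Name="ParentProcessGuid">{G2}</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    </EventData></Event>""",
    r"""<Event><System><EventID>3</EventID><Computer>ws01</Computer></System><EventData>
    <Data Name="UtcTime">2018-09-10 08:06:31.000</Data><Data Name="ProcessGuid">{G3}</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data><Data Name="Protocol">tcp</Data>
    <Data Name="SourceIp">10.0.0.15</Data><Data Name="SourcePort">49233</Data>
    <Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">443</Data>
    </EventData></Event>""",
]

# Fields compared exactly; everything else is a case-insensitive substring match.
EXACT_FIELDS = {"EventID", "ProcessId", "SourcePort", "DestinationPort"}


def _local(tag):
    """Strip the namespace prefix that real Windows event XML carries on every tag."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID, Computer and every EventData field."""
    record = {}
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name in ("EventID", "Computer"):
            record[name] = (elem.text or "").strip()
        elif name == "Data" and elem.get("Name"):
            record[elem.get("Name")] = (elem.text or "").strip()
    return record


class SysmonIndex:
    """Tiny in-memory stand-in for the Elasticsearch index SysmonSearch searches."""

    def __init__(self):
        self.events = []
        self.processes = {}                   # ProcessGuid -> Event ID 1 record
        self.children = defaultdict(list)     # ParentProcessGuid -> [ProcessGuid, ...]
        self.connections = defaultdict(list)  # ProcessGuid -> [Event ID 3 record, ...]

    def add(self, record):
        self.events.append(record)
        if record.get("EventID") == "1":
            guid = record["ProcessGuid"]
            self.processes[guid] = record
            self.children[record.get("ParentProcessGuid", "")].append(guid)
        elif record.get("EventID") == "3":
            self.connections[record["ProcessGuid"]].append(record)

    def search(self, start=None, end=None, **fields):
        """Events with UtcTime in [start, end] whose fields all match. Hashes is stored
        as 'SHA256=...,MD5=...', so a bare hash value matches as a substring."""
        hits = []
        for rec in self.events:
            t = rec.get("UtcTime", "")
            if (start and t < start) or (end and t > end):
                continue
            if all(rec.get(k) == v if k in EXACT_FIELDS
                   else v.lower() in rec.get(k, "").lower()
                   for k, v in fields.items()):
                hits.append(rec)
        return hits

    def process_tree(self, guid, depth=0):
        """Render the subtree rooted at guid with each process's network connections as
        indented edges: the process/network correlation the Kibana plugin draws."""
        rec = self.processes.get(guid)
        if rec is None:
            return []
        lines = ["  " * depth + rec["Image"].rsplit("\\", 1)[-1]]
        for c in self.connections.get(guid, []):
            lines.append("  " * (depth + 1) + "-> %s:%s/%s"
                         % (c["DestinationIp"], c["DestinationPort"], c.get("Protocol", "?")))
        for child in self.children.get(guid, []):
            lines.extend(self.process_tree(child, depth + 1))
        return lines


def build_index(xml_events):
    idx = SysmonIndex()
    for xml_text in xml_events:
        idx.add(parse_event(xml_text))
    return idx


# Constructed monitor rule: a set of field conditions an incoming event must satisfy.
RULES = [{"name": "office-app-spawned-shell",
          "match": {"EventID": "1", "ParentImage": "WINWORD.EXE", "Image": "cmd.exe"}}]


def evaluate_rules(index, rules):
    """Return (rule name, event) pairs, one alert per event that satisfies a rule."""
    return [(rule["name"], rec) for rule in rules for rec in index.search(**rule["match"])]


if __name__ == "__main__":
    idx = build_index(SAMPLE_EVENTS)
    print("\n".join(idx.process_tree("{G1}")))
    for name, rec in evaluate_rules(idx, RULES):
        print("ALERT %s: %s on %s at %s" % (name, rec["Image"], rec["Computer"], rec["UtcTime"]))
```

Numeric fields such as ports and event IDs are matched exactly rather than by substring so that a search for port 44 does not also return 443; the date filter works because Sysmon's UtcTime strings sort chronologically. Real exports (for example from `wevtutil` or Winlogbeat) carry the Windows event namespace on every tag, which `parse_event` strips.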
You can read more and download the latest release from the following link: https://github.com/JPCERTCC/