Beagle是一个事件响应和数字取证工具,它将数据源和日志转换为图形。支持的数据源包括FireEye HX分类、Windows EVTX文件、Sysmon日志和原始Windows内存映像。生成的图形可以发送到图形数据库(如NEO4J或DGraph),也可以作为python networkx对象保存在本地。
Beagle 可作为一个 Python 开发包直接使用,或者通过其 Web 接口使用。
也可以作为函数调用:
>>> from beagle.datasources import SysmonEVTX
>>> graph = SysmonEVTX("malicious.evtx").to_graph()
>>> graph
<networkx.classes.multidigraph.MultiDiGraph at 0x12700ee10>
>>> from beagle.backends import NetworkX
>>> from beagle.datasources import SysmonEVTX
>>> from beagle.transformers import SysmonTransformer
>>> datasource = SysmonEVTX("malicious.evtx")
# Transformers take a datasource, and transform each event
# into a tuple of one or more nodes.
>>> transformer = SysmonTransformer(datasource=datasource)
>>> nodes = transformer.run()
# Transformers output an array of nodes.
[
(<SysMonProc> process_guid="{0ad3e319-0c16-59c8-0000-0010d47d0000}"),
(<File> host="DESKTOP-2C3IQHO" full_path="C:\Windows\System32\services.exe"),
...
]
# Backends take the nodes, and transform them into graphs
>>> backend = NetworkX(nodes=nodes)
>>> G = backend.graph()
<networkx.classes.multidigraph.MultiDiGraph at 0x126b887f0>
评论