A collection of utilities for analyzing, visualizing, and managing Microsoft Sysmon logs — designed for security analysts, DFIR specialists, and threat hunters.
- Sysmon View – offline Sysmon log visualization with multiple views, SQLite backend and VirusTotal integration.
- Sysmon Shell – GUI configuration editor with bundled templates, export/import options, and XML apply support.
- Sysmon Box – command-line utility to capture and correlate Sysmon + network events using `tshark`.
- Sysmon View: v3.1 – can import and correlate network trace captures with Sysmon network events.
- Sysmon Box: v1.0 – new command-line utility to capture Sysmon and network events.
- Sysmon Shell: added command to upgrade configuration files to Sysmon schema v9.0 (temporary solution).
Sysmon View helps track and visualize Sysmon logs by logically grouping and correlating events.
It uses executables, session GUIDs, event creation times, and more to re-arrange data into multiple views.
Export Sysmon events to XML using WEVTUtil and import them into Sysmon View:

```
WEVTUtil query-events "Microsoft-Windows-Sysmon/Operational" /format:xml /e:sysmonview > eventlog.xml
```
- Data is stored in a SQLite database file (SysmonViewDB) alongside the executable.
- The DB can be reused or shared; rename it to preserve prior imports.
- The DB also supports direct queries via any SQLite management tool.
- Process View – summarizes run sessions (per process GUID) and shows correlated events in a timeline-like flow.
- Map View – geo-locates network destinations (via ipstack) and pivots into correlated events.
- All Events View – full search through collected data, including standalone events (e.g., driver loads), supports grouping by machine, event type, or GUID.
Additional features:
- Double-click any event to access details (e.g., Process Creation, Event ID 1).
- VirusTotal API integration for hash/IP lookups (requires API key).
- Experimental Elasticsearch support for multi-machine imports.
Sysmon Shell provides a GUI to manage and apply Sysmon XML configurations.
Features:
- Load, edit, preview, and export Sysmon XML configuration files (all schemas supported).
- Apply configs directly via `Sysmon.exe -c` (requires elevation).
- Export Sysmon logs with options: export-only, export+clear, or export+backup.
- Descriptions of all event types included (sourced from Sysinternals Sysmon).
- Bundled with community-created configuration templates.
Sysmon Box is a lightweight utility to build a database of captured Sysmon and network traffic.
Run Sysmon Box (requires Sysmon + tshark installed and running):

```
SysmonBox -in Wi-Fi
```
Workflow:
- Captures traffic using `tshark` on the selected interface.
- On stop (`CTRL+C`), dumps packets and exports Sysmon logs for the session.
- Builds/updates a SysmonViewDB database combining Sysmon logs and traffic.
- Open the DB with Sysmon View for correlation.
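As an added illustration of the kind of correlation Sysmon View v3.1 and Sysmon Box perform (example code, not part of Sysmon Tools), the Python below joins Sysmon Event ID 3 records from a WEVTUtil XML export with `tshark -T fields` output on the connection 5-tuple inside a short time window. The Sysmon XML sample, the tshark lines and the two-second window are constructed assumptions; the real tools' matching logic is not documented on this page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of a WEVTUtil /format:xml /e:sysmonview export
# containing a single Sysmon Event ID 3 (NetworkConnect) record.
SYSMON_XML = """<sysmonview>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>3</EventID><TimeCreated SystemTime="2019-05-01T12:00:00.000000000Z"/></System>
<EventData>
<Data Name="UtcTime">2019-05-01 12:00:00.000</Data>
<Data Name="ProcessGuid">{11111111-2222-3333-4444-555555555555}</Data>
<Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="SourceIp">10.0.0.5</Data><Data Name="SourcePort">51234</Data>
<Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">443</Data>
</EventData></Event></sysmonview>"""

# Constructed sample of: tshark -T fields -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
TSHARK_LINES = """1556712000.100\t10.0.0.5\t51234\t203.0.113.10\t443
1556712000.350\t203.0.113.10\t443\t10.0.0.5\t51234
1556712005.000\t10.0.0.5\t51235\t198.51.100.7\t80"""

def parse_network_events(xml_text):
    """Return Event ID 3 records as dicts keyed by their Sysmon Data Name fields plus a UTC epoch 'ts'."""
    events = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "3":
            continue
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        utc = datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        data["ts"] = utc.timestamp()
        events.append(data)
    return events

def parse_tshark(lines):
    """Parse tab-separated tshark field output into (epoch, src, sport, dst, dport) tuples."""
    return [(float(t), s, sp, d, dp) for t, s, sp, d, dp in (l.split("\t") for l in lines.splitlines())]

def correlate(events, packets, window=2.0):
    """Attribute packets of the same flow (either direction) seen within `window` seconds of the
    Sysmon connect time to the process GUID that initiated the connection."""
    out = {}
    for ev in events:
        fwd = (ev["SourceIp"], ev["SourcePort"], ev["DestinationIp"], ev["DestinationPort"])
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        hits = [p for p in packets if p[1:] in (fwd, rev) and 0 <= p[0] - ev["ts"] <= window]
        out[ev["ProcessGuid"]] = {"image": ev["Image"], "packets": len(hits)}
    return out

if __name__ == "__main__":
    for guid, hit in correlate(parse_network_events(SYSMON_XML), parse_tshark(TSHARK_LINES)).items():
        print(guid, hit)
```

The time window matters because ephemeral source ports are reused; without it, a later unrelated flow with the same 5-tuple would be attributed to the wrong process.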
For any customizations or business collaboration inquiries, please visit applyingcode.com.
For issues or feature requests, please file a GitHub issue.
Alternatively, email: [email protected]
Copyright Nader Shallabi. All rights reserved.
SYSMON TOOLS CAN BE COPIED AND/OR DISTRIBUTED WITHOUT ANY EXPRESS PERMISSION OF NADER SHALLABI.
THIS SOFTWARE IS PROVIDED BY NADER SHALLABI "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NADER SHALLABI
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those of the authors and
should not be interpreted as representing official policies, either expressed or implied, of Nader Shallabi.