Name: beagle
Author: yampelo

Primary Use Case

Beagle is designed for incident responders and digital forensics analysts to convert diverse security data sources such as Windows EVTX logs, SysMon logs, and FireEye HX triages into graph representations. These graphs facilitate deeper investigation and visualization of security incidents, enabling users to explore relationships and patterns within their data effectively.

Key Features

Transforms multiple security data sources into graph structures

Supports FireEye HX Triages, Windows EVTX, SysMon logs, and raw Windows memory images

Outputs graphs compatible with Neo4J, DGraph, or as local NetworkX Python objects

Provides both a Python library and a web interface for usage

Interactive graph interface with node/edge inspection, expansion, hiding, and mutators

Supports undo/redo and graph perspectives in the web UI

Modular architecture with datasources, transformers, and backends

Docker and PyPI packages available for easy installation

Insights & Recommendations

Beagle requires familiarity with Python and graph concepts for effective use, especially when using the library interface. The web interface simplifies interaction but may require Docker for deployment. Users should ensure input data formats are supported and consult the detailed documentation for configuring graph exports to external databases.

Install via Docker by pulling the yampelo/beagle image from Docker Hub Install the Python package using pip: pip install pybeagle Configure the tool as needed following the documentation on ReadTheDocs

Usage

from beagle.datasources import SysmonEVTX graph = SysmonEVTX("malicious.evtx").to_graph()

Load a SysMon EVTX log file and convert it directly into a NetworkX graph.

from beagle.datasources import SysmonEVTX, HXTriage, PCAP from beagle.backends import NetworkX nx = NetworkX.from_datasources(datasources=[SysmonEVTX("malicious.evtx"), HXTriage("alert.mans"), PCAP("traffic.pcap")]) G = nx.graph()

Generate a combined graph from multiple data sources including SysMon, FireEye HX triage, and PCAP files.

from beagle.datasources import SysmonEVTX from beagle.transformers import SysmonTransformer from beagle.backends import NetworkX datasource = SysmonEVTX("malicious.evtx") transformer = SysmonTransformer(datasource=datasource) nodes = transformer.run() backend = NetworkX(nodes=nodes) G = backend.graph()

Manually run each step: load data source, transform events into nodes, and build a graph backend.

Smart Usage Notes

Integrate Beagle with SIEM platforms to visualize and correlate alerts for faster incident triage.

Use graph-based analysis to uncover hidden relationships between disparate log sources during forensic investigations.

Leverage the modular architecture to extend support for additional data sources like cloud logs or endpoint telemetry.

Incorporate Beagle into purple team exercises to visually demonstrate attack paths and detection gaps.

Automate generation of graph snapshots at key incident response phases to document investigation progress and findings.

OpenSec Atlas

beagle

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like