Data Formats
ReconGraph relies on two primary data inputs: forensic log timelines and Sigma detection rules.
Forensic Log Timeline
The primary input for ReconGraph is a CSV file generated by Plaso (log2timeline).
Required Columns
The tool tries to be flexible about column names, but it specifically looks for the following information:
Message/Description: The raw log message or event description (often found in the message or desc column of a Plaso CSV).
Timestamp: The date and time of the event (the datetime or timestamp column).
Other formats supported
If not using a Plaso CSV, ReconGraph can also process raw text logs. In this case, the tool will treat each line as a description and use the current filename as the source.
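The following added example is not ReconGraph's own code; it is a small Python loader that implements the behaviour described above: a Plaso CSV is read by header name, taking the message or desc column for the description and the datetime or timestamp column for the time, and any other file is treated as raw text where every line becomes a description and the file name becomes the source. The preference order between the candidate columns, the dispatch on the .csv extension, and the sample inputs are assumptions made for this illustration.

```python
import csv
import io
from pathlib import PurePath

# Candidate header names; the first one present wins (assumed order, the page
# does not state a preference between them).
MESSAGE_COLUMNS = ("message", "desc")
TIMESTAMP_COLUMNS = ("datetime", "timestamp")


def _pick(fieldnames, candidates):
    """Return the first candidate column found in the header, case-insensitively."""
    lower = {name.lower(): name for name in fieldnames}
    for cand in candidates:
        if cand in lower:
            return lower[cand]
    return None


def load_plaso_csv(text, source="timeline.csv"):
    """Parse a Plaso (log2timeline) CSV export into a list of event dicts."""
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames:
        return []
    msg_col = _pick(reader.fieldnames, MESSAGE_COLUMNS)
    ts_col = _pick(reader.fieldnames, TIMESTAMP_COLUMNS)
    if msg_col is None:
        raise ValueError("no message/desc column in CSV header")
    events = []
    for row in reader:
        events.append({
            "timestamp": (row.get(ts_col) or "") if ts_col else "",
            "description": row.get(msg_col) or "",
            "source": source,
        })
    return events


def load_raw_text(text, filename):
    """Fallback: each non-empty line is a description; the file name is the source."""
    source = PurePath(filename).name
    return [{"timestamp": "", "description": line, "source": source}
            for line in text.splitlines() if line.strip()]


def load_timeline(text, filename):
    """Dispatch on the extension: .csv goes to the Plaso loader, anything else is raw text."""
    if filename.lower().endswith(".csv"):
        return load_plaso_csv(text, PurePath(filename).name)
    return load_raw_text(text, filename)


# Constructed sample inputs (not real case data). The CSV mimics psort's
# "dynamic" output, which has datetime and message columns.
SAMPLE_PLASO_CSV = """datetime,timestamp_desc,source,message
2024-05-01T10:00:00+00:00,Content Modification Time,FILE,/etc/passwd modified
2024-05-01T10:05:12+00:00,Last Access Time,LOG,Accepted password for root from 203.0.113.5 port 4242 ssh2
"""
SAMPLE_AUTH_LOG = """May  1 10:05:12 host sshd[1234]: Accepted password for root from 203.0.113.5 port 4242 ssh2

May  1 10:06:00 host sudo: root : TTY=pts/0 ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    for event in load_timeline(SAMPLE_PLASO_CSV, "timeline.csv"):
        print(event)
    for event in load_timeline(SAMPLE_AUTH_LOG, "/var/log/auth.log"):
        print(event)
```

Note that a CSV with a header lacking both datetime and timestamp (for example Plaso's older l2tcsv layout, which splits the time into date and time columns) still loads, but every event gets an empty timestamp; check the header before relying on time ordering in the graph.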
Sigma Rules
ReconGraph uses Sigma rules to categorize log entries into high-level security events. You can download the official rules from the SigmaHQ repository.
Note
The Sigma rules are released under the Detection Rule License (DRL) 1.1. See the Licenses page for more details.
Structure
Rules should be in YAML (.yml) format and follow the standard Sigma specification. The tool specifically utilizes:
Logsource: To filter which rules apply to which type of log (e.g., category: webserver).
Detection: The selection logic (strings, lists, or dictionaries) used to match log content.
Level: To assign severity (Critical, High, Medium, Low) to the resulting graph nodes.
Rule Location
When running ReconGraph, you must provide a path to a directory containing these rules. The tool will recursively search for all .yml files within that directory.
Supported Log Types
The tool includes heuristic detection for several common log types to improve Sigma matching:
Web Logs: Nginx, Apache, or generic Proxy access logs.
Authentication Logs: Linux SSH (auth.log) and PAM modules.
Syslog: General Linux system logs, including kernel and auditd events.
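The following added example is not ReconGraph's code; it ties the Structure, Rule Location and Supported Log Types sections together in Python. It locates .yml files recursively, applies regex heuristics for the web, authentication and syslog families, filters rules by logsource, evaluates the selection logic (string, list or dictionary) against a raw description through a small and/or/not condition evaluator, and maps level to a severity rank. The rules are written as the dictionaries yaml.safe_load would return for a Sigma YAML file. The heuristic patterns, the logsource mapping (a rule's category or service must equal the detected type), the keyword-style matching of field values against the whole message, and the sample log lines are assumptions for this illustration and deliberately simpler than the full Sigma specification.

```python
import re
from pathlib import Path

# Regex heuristics for the three log families (constructed for this example).
LOG_TYPE_PATTERNS = [
    ("webserver", re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/\d\.\d" \d{3}')),
    ("auth", re.compile(r'\b(?:sshd|pam_unix|sudo)\b')),
    ("syslog", re.compile(r'\b(?:kernel|auditd|systemd)\b')),
]
# Severity rank for the four levels assigned to graph nodes.
LEVEL_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def find_rule_files(root):
    """Recursively collect every .yml file below root (.yaml is not picked up)."""
    return sorted(Path(root).rglob("*.yml"))


def detect_log_type(description):
    """Return the first log family whose heuristic matches, else 'unknown'."""
    for log_type, pattern in LOG_TYPE_PATTERNS:
        if pattern.search(description):
            return log_type
    return "unknown"


def rule_applies(rule, log_type):
    """Assumed mapping: the rule's logsource category or service must equal the detected type."""
    logsource = rule.get("logsource", {})
    targets = {logsource.get("category"), logsource.get("service")} - {None}
    return not targets or log_type in targets


def _match_value(value, text):
    return str(value).lower() in text.lower()


def _match_selection(selection, text):
    """String: keyword; list: any keyword; dict: every field's value (or one of its list)."""
    if isinstance(selection, (str, int)):
        return _match_value(selection, text)
    if isinstance(selection, list):
        return any(_match_selection(item, text) for item in selection)
    if isinstance(selection, dict):
        for value in selection.values():
            options = value if isinstance(value, list) else [value]
            if not any(_match_value(v, text) for v in options):
                return False
        return True
    return False


def _eval_condition(condition, detection, text):
    """Evaluate e.g. 'selection and not filter' with precedence not > and > or."""
    def factor(token):
        token = token.strip()
        if token.startswith("not "):
            return not factor(token[4:])
        return _match_selection(detection[token], text)
    return any(all(factor(f) for f in term.split(" and "))
               for term in condition.split(" or "))


def severity_rank(level):
    return LEVEL_RANK.get(level.lower(), 0)


def categorize(description, rules):
    """Return the applicable rules that match one log line, with their severity."""
    log_type = detect_log_type(description)
    hits = []
    for rule in rules:
        if not rule_applies(rule, log_type):
            continue
        detection = rule["detection"]
        if _eval_condition(detection.get("condition", "selection"), detection, description):
            level = rule.get("level", "low").lower()
            hits.append({"title": rule["title"], "level": level,
                         "rank": severity_rank(level), "log_type": log_type})
    return hits


# Constructed rules, shaped like yaml.safe_load output for Sigma YAML files.
RULES = [
    {"title": "Web Path Traversal Attempt", "level": "high",
     "logsource": {"category": "webserver"},
     "detection": {"selection": {"cs-uri-query|contains": ["../", "..%2f"]},
                   "filter": {"cs-uri-query|contains": "/static/"},
                   "condition": "selection and not filter"}},
    {"title": "Root SSH Login Accepted", "level": "medium",
     "logsource": {"product": "linux", "service": "auth"},
     "detection": {"keywords": ["Accepted password for root", "Accepted publickey for root"],
                   "condition": "keywords"}},
    {"title": "Audit Daemon Stopped", "level": "critical",
     "logsource": {"product": "linux", "service": "syslog"},
     "detection": {"selection": "audit daemon is exiting", "condition": "selection"}},
]
# Constructed log lines (not real case data).
SAMPLE_WEB = '203.0.113.5 - - [01/May/2024:10:07:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 512'
SAMPLE_WEB_FILTERED = '203.0.113.5 - - [01/May/2024:10:07:30 +0000] "GET /static/../favicon.ico HTTP/1.1" 200 12'
SAMPLE_AUTH = 'May  1 10:05:12 host sshd[1234]: Accepted password for root from 203.0.113.5 port 4242 ssh2'
SAMPLE_SYSLOG = 'May  1 10:08:00 host auditd[500]: The audit daemon is exiting.'

if __name__ == "__main__":
    for line in (SAMPLE_WEB, SAMPLE_WEB_FILTERED, SAMPLE_AUTH, SAMPLE_SYSLOG):
        print(detect_log_type(line), categorize(line, RULES))
```

The filter branch is the part worth checking when you write your own rules: a request under /static/ that contains "../" still trips the selection, and only the "and not filter" condition keeps it out of the graph. Because the matcher treats every field value as a substring of the whole message, rules that depend on exact field equality or on modifiers such as |endswith will be noisier here than in a field-aware Sigma backend.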