beagle
by yampelo
Beagle is an incident response and digital forensics tool that transforms security logs and data into interactive graphs for analysis.
Primary Use Case
Beagle is designed for incident responders and digital forensics analysts to convert diverse security data sources such as Windows EVTX logs, SysMon logs, and FireEye HX triages into graph representations. These graphs facilitate deeper investigation and visualization of security incidents, enabling users to explore relationships and patterns within their data effectively.
- Transforms multiple security data sources into graph structures
- Supports FireEye HX Triages, Windows EVTX, SysMon logs, and raw Windows memory images
- Outputs graphs compatible with Neo4J, DGraph, or as local NetworkX Python objects
- Provides both a Python library and a web interface for usage
- Interactive graph interface with node/edge inspection, expansion, hiding, and mutators
- Supports undo/redo and graph perspectives in the web UI
- Modular architecture with datasources, transformers, and backends
- Docker and PyPI packages available for easy installation
Installation
- Install via Docker by pulling the yampelo/beagle image from Docker Hub
- Install the Python package using pip: pip install pybeagle
- Configure the tool as needed following the documentation on ReadTheDocs
Usage
Load a SysMon EVTX log file and convert it directly into a NetworkX graph:

from beagle.datasources import SysmonEVTX

# Parse the EVTX file and build the graph in one call
graph = SysmonEVTX("malicious.evtx").to_graph()

Generate a combined graph from multiple data sources, including SysMon, a FireEye HX triage, and a PCAP file:

from beagle.datasources import SysmonEVTX, HXTriage, PCAP
from beagle.backends import NetworkX

# Each datasource is transformed and merged into a single NetworkX backend
nx = NetworkX.from_datasources(
    datasources=[
        SysmonEVTX("malicious.evtx"),
        HXTriage("alert.mans"),
        PCAP("traffic.pcap"),
    ]
)
G = nx.graph()

Manually run each step: load the data source, transform events into nodes, and build the graph backend:

from beagle.datasources import SysmonEVTX
from beagle.transformers import SysmonTransformer
from beagle.backends import NetworkX

datasource = SysmonEVTX("malicious.evtx")          # 1. load the raw events
transformer = SysmonTransformer(datasource=datasource)
nodes = transformer.run()                           # 2. turn events into graph nodes
backend = NetworkX(nodes=nodes)
G = backend.graph()                                 # 3. materialise the NetworkX graph
- Integrate Beagle with SIEM platforms to visualize and correlate alerts for faster incident triage.
- Use graph-based analysis to uncover hidden relationships between disparate log sources during forensic investigations.
- Leverage the modular architecture to extend support for additional data sources like cloud logs or endpoint telemetry.
- Incorporate Beagle into purple team exercises to visually demonstrate attack paths and detection gaps.
- Automate generation of graph snapshots at key incident response phases to document investigation progress and findings.