Listen to this Post

Introduction:
In modern security operations, knowing exactly what software is installed and actively running on your endpoints is a foundational yet often elusive goal. Traditional asset management tools rely on installed applications lists that miss transient executables, unregistered binaries, or malicious implants. By leveraging Sysmon’s rich process‑creation telemetry and the reasoning capabilities of large language models like , defenders can programmatically infer a complete, categorized software inventory directly from endpoint activity—then output it into an Obsidian knowledge base for seamless, searchable documentation.
Learning Objectives:
- Understand how to configure Sysmon to capture the process telemetry needed for accurate software inventory.
- Learn to build a skill that queries Sysmon logs, infers software names and categories, and formats the output.
- Implement an automated workflow that transforms raw telemetry into a structured, human‑readable Obsidian note for continuous asset tracking.
1. Setting Up Sysmon for Comprehensive Telemetry
To generate an accurate software inventory, Sysmon must be configured to record the right events. The most critical event type is Event ID 1 (Process Creation), which logs every new process—including its executable path, command line, hash, and parent process. Without this data, you’ll miss software that runs only in memory or from temporary folders.
Windows: Install and Configure Sysmon
1. Download Sysmon from Microsoft Sysinternals.
- Use a configuration file that captures process creation, file creation time, and network connections if needed. A minimal inventory‑focused config:
<Sysmon schemaversion="4.22"> <EventFiltering> <ProcessCreate onmatch="exclude"/> <ProcessCreate onmatch="include"> <Image condition="begin with">C:\</Image> </ProcessCreate> </EventFiltering> </Sysmon>
3. Install with:
`Sysmon64.exe -accepteula -i sysmon-config.xml`
- Verify events are being written to the Windows Event Log under
Microsoft-Windows-Sysmon/Operational.
For Linux, consider using `osquery` or `auditd` to capture process execution logs (e.g., `execve` events). The same logic applies—you need a reliable source of process telemetry to feed into the AI pipeline.
2. Querying Sysmon Logs to Extract Process Data
Sysmon logs are stored in the Windows Event Log, which can be queried via PowerShell, wevtutil, or directly with the `Get-WinEvent` cmdlet. To build an inventory, we need to extract unique executable paths and correlate them with execution frequency.
PowerShell Query Example
Extract all process creation events from the last 7 days, grouping by image path:
$Events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 5000
$Inventory = $Events | ForEach-Object {
$xml = [bash]$<em>.ToXml()
$image = $xml.Event.EventData.Data | Where-Object {$</em>.Name -eq 'Image'} | Select-Object -ExpandProperty 'text'
$hash = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'Hashes'} | Select-Object -ExpandProperty 'text'
[bash]@{ Image = $image; Hash = $hash }
} | Group-Object Image | Select-Object Name, Count
$Inventory | Export-Csv -Path "C:\inventory\raw_processes.csv" -NoTypeInformation
This exports a CSV of each executable path and how many times it has been launched. The CSV becomes the input for the skill. For Linux, you might use `ausearch` or `journalctl` to generate a similar list.
3. Building the Skill for Inference and Classification
The core of this workflow is a skill—a structured prompt that instructs the model to interpret raw process paths and categorize them. The skill uses a custom knowledge base (your classification rules) and outputs Markdown‑formatted content ready for Obsidian.
Skill Prompt Structure (Example)
You are an expert security analyst. Given a list of process paths and their execution counts, produce a software inventory note. For each entry, infer the software name, vendor, and category (e.g., "Browser", "Security Tool", "Developer Tool", "System Utility"). Use the following classification rules: - Executables under "C:\Program Files..." are installed applications. - "C:\Windows\System32\" entries are OS components. - Files in user temp folders are suspicious and should be flagged. - If the path contains "python", "node", "java", treat as development environment. Format the output as an Obsidian note with headings: Software Inventory Installed Applications | Software | Vendor | Category | Execution Count | Path | |-|--|-|--|| Suspicious/Unknown ... Now process the following CSV data: [CSV content]
The skill can be embedded into a script that calls the API, passing the CSV and the prompt. Alternatively, use Desktop’s skill feature to load this logic dynamically.
Python Script Using API (Simplified)
import anthropic
import csv
client = anthropic.Anthropic(api_key="your-key")
with open("raw_processes.csv") as f:
csv_data = f.read()
prompt = f"""You are a security analyst. Based on this CSV of process paths and execution counts, build a software inventory with categories. Output as Markdown.
CSV:
{csv_data}
"""
response = client.messages.create(
model="-3-5-sonnet-20241022",
max_tokens=4000,
messages=[{"role": "user", "content": prompt}]
)
with open("inventory.md", "w") as f:
f.write(response.content[bash].text)
This script can be scheduled daily or weekly to keep the inventory fresh.
4. Integrating with Obsidian for Structured Documentation
Obsidian excels at turning Markdown into a searchable, linkable knowledge base. The output from the skill is already formatted with headings and tables. Save it in your Obsidian vault (e.g., Sysmon Inventory.md). You can enhance it with:
– Dataview queries to summarize counts.
– Tags like `software-inventory` for quick retrieval.
– Links to related security notes.
To automate, use a scheduled task (Windows Task Scheduler or cron) to run the Python script and copy the output to the vault folder. This gives you a continuously updated asset inventory without manual effort.
5. Automating the Workflow End‑to‑End
For a true set‑and‑forget solution, chain the steps:
- Collect – PowerShell exports raw process data every night.
- Process – Python script reads CSV, calls API, writes Markdown.
- Refresh – Script moves the file to your Obsidian vault.
Windows Task Scheduler Example
- Create a task that runs `powershell -File export_processes.ps1` at 2:00 AM.
- Run `python _inventory.py` after completion.
- Ensure the Obsidian vault is synced (e.g., OneDrive) for remote access.
For security, store the API key in environment variables or a secrets manager. Never hard‑code credentials.
6. Advanced Techniques and Custom Classifications
Refine the skill with more granular rules:
- Hash lookup – Compare hashes from Sysmon with VirusTotal or a local IOC database to flag malware.
- Parent‑child relationships – Use process tree information to detect unusual launch patterns (e.g., Word spawning PowerShell).
- User‑defined taxonomies – Inject your organization’s software categories (e.g., “Accounting”, “Engineering”) into the prompt for consistency.
You can also extend the script to handle multiple hosts by aggregating logs from a central SIEM (like Elastic or Splunk) and feeding that aggregate to for a network‑wide inventory.
7. Validation and Continuous Improvement
Once the inventory is in Obsidian, validate it against your actual software deployments:
– Compare with SCCM or Intune reports to catch gaps.
– Mark any mis‑categorized entries and feed corrections back into the skill prompt (few‑shot learning).
– Monitor for new processes appearing in the “Suspicious” table—this can serve as an early detection mechanism for unwanted software or lateral movement.
Over time, the skill’s classification accuracy improves, and your Obsidian vault becomes a living asset register that aligns with real‑world execution.
What Undercode Say:
- Key Takeaway 1: Sysmon’s process creation events provide the most reliable source of “what’s actually running” on a Windows endpoint—far more accurate than relying solely on installed apps lists.
- Key Takeaway 2: AI models like excel at translating raw telemetry into structured, human‑readable documentation when guided by a well‑crafted skill, turning a manual triage task into an automated asset management workflow.
Analysis: This approach bridges two critical gaps in security operations: incomplete asset visibility and the high cost of manual inventory. By combining Sysmon’s low‑level telemetry with the semantic understanding of an LLM, defenders gain an autonomous “documentation engineer.” The Obsidian integration ensures the output is not just a report but a living knowledge graph that can be queried, linked, and acted upon. As AI models continue to evolve, expect such skills to become standard in blue‑team toolkits—transforming how we maintain situational awareness across endpoints.
Prediction:
As AI‑powered automation matures, we will see a shift from reactive hunting to proactive “asset intelligence” where LLMs continuously ingest telemetry, correlate with threat intelligence, and automatically update documentation and detection rules. Tools like will be embedded directly into SIEM workflows, enabling natural‑language queries over raw logs and autonomous generation of remediation steps. The integration with note‑taking platforms like Obsidian hints at a future where security teams maintain a single source of truth that is both machine‑generated and human‑curated, reducing manual overhead and improving response times. Organizations that adopt such hybrid AI‑human workflows will outpace those still reliant on spreadsheets and manual asset inventories.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Antonovrutsky Claudeforblueteam – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


