neo4j: importing processes from procmon csv

procmon_to_neo4j.cql

# delete all
MATCH (n)
OPTIONAL MATCH (n)-[r]-()
DELETE n,r;

# create process index
CREATE INDEX on :Process(pid);
CREATE INDEX on :File(path);
CREATE INDEX on :RegistryValue(path);

# import Processes
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
MERGE (:Process {pid: toInt(row.PID), name: row.`Process Name`})

# add command lines
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
WITH row WHERE row.Operation="Process Start"
MATCH (p:Process {pid: toInt(row.PID)})
SET p.cmdline=substring(split(row.Detail,",")[1],15)

# create process relations
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
WITH row WHERE row.Operation="Process Start"
MATCH (child:Process {pid: toInt(row.PID)})
MATCH (parent:Process {pid: toInt(substring(split(row.Detail,",")[0], 12))})
MERGE (parent)-[:CREATES]->(child)

# add file writes
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
WITH row WHERE row.Operation="WriteFile"
MERGE (:File {name: last(split(row.Path, "\\")), path: row.Path})

# create relations between processes and written files
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
WITH row WHERE row.Operation="WriteFile"
MATCH (p:Process {pid: toInt(row.PID)})
MATCH (f:File {path: row.Path})
MERGE (p)-[:WRITES_TO_FILE]->(f)

# add registry writes
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
WITH row WHERE row.Operation="RegSetValue"
MERGE (:RegistryValue {name: last(split(row.Path, "\\")), path: row.Path})

# create relations between processes and written registry values
LOAD CSV WITH HEADERS FROM "file:///DesktopOSIRIS.CSV" as row
WITH row WHERE row.Operation="RegSetValue" AND trim(split(row.Detail, 'Data:')[1]) IS NOT NULL
MATCH (p:Process {pid: toInt(row.PID)})
MATCH (r:RegistryValue {path: row.Path})
MERGE (p)-[:WRITES_TO_REGISTRY {Type: trim(split(split(row.Detail, ",")[0], ':')[1]), Data: trim(split(row.Detail, 'Data:')[1])} ]->(r)