Installing and Configuring Sysmon for Windows
This document describes how to install Sysmon on Windows and how to configure it to log the events needed for effective security monitoring.
What is Sysmon?
Sysmon is part of the Sysinternals suite and extends the default Windows logs with higher-level monitoring of events such as process creation. Sysmon records detailed information about process creation, network connections, and file changes.
More Information on Sysmon - Windows Sysinternals | Microsoft Docs
Interesting data available:
Process Information
Network connections tracking
Drivers and DLL loading
WMI monitoring
File Events
Registry Operations
DNS Queries
olafhartong published a useful map of the data that can be gathered from Sysmon.
Sysmon Event IDs
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 16: ServiceConfigurationChange
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 22: DNSEvent (DNS query)
Event ID 23: FileDelete (File Delete archived)
Event ID 24: ClipboardChange (New content in the clipboard)
Event ID 25: ProcessTampering (Process image change)
Event ID 26: FileDeleteDetected (File Delete logged)
Event ID 255: Error
Each Event ID emits different fields; olafhartong published a very good Sysmon cheat sheet that lists them.
Limitation
This knowledge base, as well as the files and rules, only applies to Sysmon 13 and above. Sysmon versions below 13 will still work but are not completely supported.
Setting up Sysmon on Windows
Pre-requisites
Note: We recommend using the Armor Security Sysmon rules, but you can also create your own, or download readily available ones such as BlueTeamsLabs (useful for the Sentinel workbook).
Installation
To install Sysmon, use the installer from the pre-requisites section. Once Sysmon is installed, configure the Microsoft Sentinel connector to collect the Sysmon events from the machines.
# sysmon.exe -accepteula -i [sysmon rules xml]
sysmon.exe -accepteula -i quantum-sysmonconfig.xml
Once Sysmon is installed and starts logging actions, you can find the event log by opening the local Event Viewer and navigating to: Windows Logs – Applications and Services Logs – Microsoft – Windows – Sysmon
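As an added example (not part of the original guide), the following PowerShell script runs the install command above and then checks the three things that most often go wrong before Sentinel ever sees an event: the service is not running, the Sysmon operational channel is disabled, or no events are being written. It assumes sysmon.exe and quantum-sysmonconfig.xml are in the current directory, that the shell is elevated, and that the service is named Sysmon (the 64-bit binary registers as Sysmon64).

```powershell
# Added example: install Sysmon with a rules file and verify it is logging.
# Assumptions: sysmon.exe and the config file are in the current directory,
# the shell is elevated, and the service name matches the binary name.
$SysmonExe   = ".\sysmon.exe"
$ConfigFile  = ".\quantum-sysmonconfig.xml"
$LogName     = "Microsoft-Windows-Sysmon/Operational"
$ServiceName = "Sysmon"   # "Sysmon64" if you deploy Sysmon64.exe

if (-not (Test-Path $ConfigFile)) {
    throw "Sysmon configuration file not found: $ConfigFile"
}

# Install with the rules file; -accepteula avoids the interactive prompt.
# (Use "sysmon.exe -c <config>" instead to update the rules of an existing install.)
& $SysmonExe -accepteula -i $ConfigFile
if ($LASTEXITCODE -ne 0) {
    throw "Sysmon install returned exit code $LASTEXITCODE"
}

# 1. The driver/service must be running.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Service '$ServiceName' is not running (status: $($svc.Status))"
}

# 2. The operational channel must exist and be enabled, otherwise the
#    Log Analytics agent has nothing to collect.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
if (-not $log.IsEnabled) {
    throw "Event log '$LogName' is disabled"
}

# 3. At least one event should already be present: Event ID 4 (service
#    state changed) is written when Sysmon starts.
$first = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $first) {
    Write-Warning "No Sysmon events found yet in $LogName"
} else {
    $first | Format-List TimeCreated, Id, Message
}
```

If the third check warns but the first two pass, generate activity (start any process) and query again; Event ID 1 is written for every process creation that the rules file does not exclude.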
Onboarding to Microsoft Sentinel
Pre-requisites
Permissions:
- Workspace - read/write permission
- Workspace data sources - read/write permission
IDs/Tokens:
- Workspace ID
- Primary key
Installation of the Windows agent on the client
The Microsoft Monitoring Agent collects the data from the machines. With the Microsoft Monitoring Agent it is possible to collect logs from a machine and push them into the Log Analytics workspace (Sentinel).
Multiple ways are available to connect the server to the Log Analytics gateway. This section explains the Microsoft Monitoring Agent event collector. The Windows agent can be downloaded from the Security Events connector page or directly from the Log Analytics workspace view.
One of the easiest ways to onboard is to use the Log Analytics agent:
- Download Windows Agent (64 bit)
Or you can find this in Sentinel under Log Analytics:
1. Go to the Azure Portal
2. Search for Log Analytics workspace
3. Open the created or existing Log Analytics workspace where you want to onboard
4. Open Agent Management
5. Click on Windows servers
Configure Sentinel Sysmon Events
The agent configuration must be set up to collect the Sysmon event log. To configure the Sysmon events, go to Sentinel under Log Analytics:
1. Go to the Azure Portal
2. Search for Log Analytics workspace
3. Open the created or existing Log Analytics workspace where you are onboarding
4. Open Agents configuration
5. Click on Add Windows event logs
6. By default Sysmon is not listed; just type the following: Microsoft-Windows-Sysmon/Operational
7. Ensure that Error, Warning and Information are checked
8. Apply the configuration
Verifying your setup
It can take some time for the first Sysmon events to appear in Sentinel, but if everything works correctly you can use the query below to check whether any logs have been received:
Event
| where Source == 'Microsoft-Windows-Sysmon'
| limit 10
Example of a specific event check, for Event ID 1 (Process Creation):
Event
| where Source == 'Microsoft-Windows-Sysmon'
| where EventID == 1
| project TimeGenerated, Computer, EventID, RenderedDescription
| limit 100
The same checks against the Sysmon_Security parser:
Sysmon_Security
| where Source == 'Microsoft-Windows-Sysmon'
| limit 10
Sysmon_Security
| where ((TargetProcessName endswith 'powershell.exe') and
Analytics rule settings:
- Run query every: 12 Hours
- Lookup data from the last: 12 Hours
Then click Create rule.
Once you have created a rule, you can test it on one of the onboarded clients:
1. Open a PowerShell prompt
2. Run the command:
powershell -command "Test-NetConnection test-sentinel-process-alert.com -TraceRoute"
This should create an entry in Sentinel and, within 12 hours, raise an alert (you can shorten this time in the rule settings).
Explanation of the command
The command uses PowerShell to test the connection and run a trace route to test-sentinel-process-alert.com, which is a non-existent site but still generates an event that is forwarded to Sentinel.
Test-NetConnection - Displays diagnostic information for a connection.
-TraceRoute - Indicates that Tracert runs to test connectivity to the remote host.
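Rather than waiting up to 12 hours for the Sentinel rule, you can confirm locally that Sysmon actually recorded the test command. The PowerShell script below is an added example, not part of the original guide: it reads the Sysmon operational log, unpacks the EventData fields of each event (which differ per Event ID, as the cheat sheet above shows), and looks for the test domain in Event ID 1 (process creation, CommandLine field) and Event ID 22 (DNS query, QueryName field). It assumes the deployed Sysmon rules log both event types and that the domain matches the one in the test command.

```powershell
# Added example: verify locally that Sysmon logged the Sentinel test command.
# Assumptions: Sysmon rules include ProcessCreate (ID 1) and DnsQuery (ID 22);
# $TestDomain matches the domain used in the test command.
$LogName    = "Microsoft-Windows-Sysmon/Operational"
$TestDomain = "test-sentinel-process-alert.com"
$Since      = (Get-Date).AddMinutes(-30)

# Each Sysmon event ID carries different EventData fields, so flatten the
# <Data Name="..."> elements of the event XML into a hashtable.
function ConvertTo-SysmonFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{ EventID = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# Pull only the two event types of interest from the last 30 minutes.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 1, 22
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $f = ConvertTo-SysmonFields $e
    $match = switch ($f.EventID) {
        1  { $f.CommandLine -like "*$TestDomain*" }   # process creation
        22 { $f.QueryName   -eq  $TestDomain }        # DNS query
    }
    if ($match) { [pscustomobject]$f }
}

if (-not $hits) {
    Write-Warning "No Sysmon Event ID 1/22 for $TestDomain since $Since; check the Sysmon rules."
} else {
    $hits |
        Select-Object TimeCreated, EventID, Image, CommandLine, QueryName |
        Format-Table -AutoSize
}
```

If the Event ID 1 hit is present but Event ID 22 is missing, the rules file filters DNS queries and the Sentinel rule must key on process creation; if neither appears locally, no amount of waiting on the Sentinel side will help, and the Sysmon configuration should be checked first.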