Microsoft Sysmon Content Pack
Microsoft Sysmon is a free agent that can be installed on Windows systems and configured to provide rich details about events of particular interest when performing security monitoring of systems. This technology pack processes all Sysmon event log messages produced by recent and current versions of Sysmon, providing normalization and enrichment of common events of interest.
Requirements
- Sysmon event logs delivered to Graylog via a supported Winlogbeat or NXLog agent
Supported Versions
- Sysmon version 12 or later.
Log Collection and Delivery
The log delivery agent, either Winlogbeat or NXLog, must be configured to collect Sysmon events from the Windows event log service. Examples are listed below but please refer to the agent's configuration documentation to properly configure the log delivery agent to support your requirements.
Agent Configuration - Winlogbeat
Under the `event_logs:` section of the Winlogbeat configuration, add the line:

```yaml
- name: Microsoft-Windows-Sysmon/Operational
```
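For context, the following is a minimal complete Winlogbeat configuration showing where that line sits. It is an added example, not configuration shipped with this content pack; the Graylog hostname and the Beats input port (5044 is the Graylog Beats input default) are assumptions you will need to replace with your own values.

```yaml
# Minimal Winlogbeat configuration forwarding Sysmon events to a Graylog Beats input.
# Added example; host and port are placeholders, not values from the content pack.
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h     # skip events older than 72h on first start

output.logstash:
  hosts: ["graylog.example.test:5044"]   # Graylog Beats input (assumed host)
```

Any other Windows channels already listed under `winlogbeat.event_logs` stay as they are; only the Sysmon entry is required for this pack.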
Agent Configuration - NXLog
In the QueryXML section of the NXLog configuration, add the following:

```xml
<Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
```
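The following shows a complete NXLog input and GELF output around that `Select` element. It is an added example rather than configuration from this content pack; the Graylog hostname and the GELF TCP port (12201 is the Graylog GELF input default) are assumptions.

```text
# Added example NXLog configuration: Sysmon channel -> Graylog GELF TCP input.
# Host and port below are placeholders, not values from the content pack.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input sysmon>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output graylog>
    Module      om_tcp
    Host        graylog.example.test
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route sysmon_to_graylog>
    Path        sysmon => graylog
</Route>
```

If you already collect other channels with `im_msvistalog`, add the `Select` element to the existing `QueryList` instead of creating a second input.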
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Sysmon Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Sysmon Event Log Messages"
What is Provided
- Parsing rules to extract Sysmon logs into Graylog schema compatible fields
- Graylog Information Model message categorization
GIM Categorization
GIM categorization is provided for the following messages:
| Sysmon Event IDs | Additional Details | gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|---|---|
| 1 | | 190000 | endpoint | process | process.execute | process started |
| 2 | | 201001 | endpoint | file | file.modify | file timestamp modified |
| 3 | | 120000 | network | network | network.network connection | network connection |
| 4 | service_state: Started | 210100 | endpoint | service | service.stop | service stopped |
| 4 | service_state: Stopped | 210000 | endpoint | service | service.start | service started |
| 5 | | 190100 | endpoint | process | process.end | process stopped |
| 6 | | 270000 | endpoint | driver | driver.loaded | system driver loaded |
| 7 | | 191001 | endpoint | process | process.action | image loaded |
| 8 | | 190501 | endpoint | process | process.interaction | remote thread created |
| 9 | | 201501 | endpoint | file | file.access | raw file access |
| 10 | | 190500 | endpoint | process | process.interaction | process accessed |
| 11 | | 200000 | endpoint | file | file.create | file created |
| 12 | event_type: DeleteValue | 250002 | endpoint | registry | registry.value_change | registry value deleted |
| 12 | event_type: CreateValue | 250001 | endpoint | registry | registry.value_change | registry value added |
| 12 | event_type: DeleteKey | 250501 | endpoint | registry | registry.key_change | registry key deleted |
| 12 | event_type: CreateKey | 250500 | endpoint | registry | registry.key_change | registry key added |
| 13 | | 250000 | endpoint | registry | registry.value_change | registry value set |
| 14 | | 251000 | endpoint | registry | registry.object_renamed | registry object renamed |
| 15 | | 201002 | endpoint | file | file.modify | file stream created |
| 16 | | 211000 | endpoint | service | service.configuration | service configuration change |
| 17 | | 230000 | endpoint | pipe | pipe.add | pipe created |
| 18 | | 230500 | endpoint | pipe | pipe.state | pipe connected |
| 19 | | 240000 | endpoint | wmi | wmi.filter | wmi filter created |
| 20 | | 240500 | endpoint | wmi | wmi.consumer | wmi consumer created |
| 21 | | 241000 | endpoint | wmi | wmi.binding | wmi binding created |
| 22 | | 140000 | protocol | name resolution | name resolution.dns request | dns query |
| 22 | | 140200 | protocol | name resolution | name resolution.dns answer | dns response |
| 23 | | 200100 | endpoint | file | file.delete | file deleted |
| 25 | | 191000 | endpoint | process | process.action | process altered |
| 25 | | 301002 | detection | detection | detection.host_detection | hips_detection |
| 27 | | 301002 | detection | detection | detection.host_detection | hips_detection |
| 28 | | 301002 | detection | detection | detection.host_detection | hips_detection |
| 29 | | 301002 | detection | detection | detection.host_detection | hips_detection |
| 255 | | 211504 | endpoint | service | service.state | service error |
Fields Extracted by This Pack
General Parsing
These are the fields common to all Sysmon events.
| Field Name | Description |
|---|---|
| host_hostname | The name of the device that generated the event |
| host_ip | The IP address of the host. If the log agent provides a list of IPs, the host_ip field will use the first value from the list. |
| host_ip_list | If the agent reports a list of IPs assigned to the host it will be assigned to this field. |
| host_mac | The MAC address of the host. If the log agent provides a list of MACs, the host_mac field will use the first value from the list. |
| host_mac_list | If the agent reports a list of MACs assigned to the host it will be assigned to this field. |
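To make the two preceding sections concrete, here is an added Python example (it is not the content pack's own pipeline rules, which run inside Graylog) that takes a Sysmon event in the Windows event log XML shape that Winlogbeat and NXLog forward, extracts the general fields described above, and applies the GIM categorization from the table, including the event 12 branch on the registry `EventType` value and the first-value rule for `host_ip` / `host_mac` when the agent reports a list. The sample events, hostnames and addresses are constructed; the assumption that Sysmon event 12 carries its create/delete kind in a `Data` element named `EventType` is the author's, and only a subset of the table's rows is reproduced so that an unmapped ID (26) can show what happens when no row matches.

```python
"""Normalize Sysmon events from Windows event log XML and apply GIM categorization.

Added example, not part of the Graylog content pack. GIM rows are copied from the
categorization table in this document; the XML layout is the Windows event log
shape (System/EventID, System/Computer, EventData/Data Name="...").
"""
import xml.etree.ElementTree as ET

# Default namespace used by Windows event log XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (Sysmon event ID, additional detail) -> GIM fields, taken from the table above.
# Only a subset of the table is reproduced; IDs without a row are left uncategorized.
GIM_TABLE = {
    (1, None): (190000, "endpoint", "process", "process.execute", "process started"),
    (3, None): (120000, "network", "network", "network.network connection", "network connection"),
    (5, None): (190100, "endpoint", "process", "process.end", "process stopped"),
    (11, None): (200000, "endpoint", "file", "file.create", "file created"),
    (12, "DeleteValue"): (250002, "endpoint", "registry", "registry.value_change", "registry value deleted"),
    (12, "CreateValue"): (250001, "endpoint", "registry", "registry.value_change", "registry value added"),
    (12, "DeleteKey"): (250501, "endpoint", "registry", "registry.key_change", "registry key deleted"),
    (12, "CreateKey"): (250500, "endpoint", "registry", "registry.key_change", "registry key added"),
    (13, None): (250000, "endpoint", "registry", "registry.value_change", "registry value set"),
    (23, None): (200100, "endpoint", "file", "file.delete", "file deleted"),
    (255, None): (211504, "endpoint", "service", "service.state", "service error"),
}
GIM_FIELDS = ("gim_event_type_code", "gim_event_class", "gim_event_category",
              "gim_event_subcategory", "gim_event_type")


def parse_sysmon_event(xml_text):
    """Return the event ID, the Computer name, and the EventData Name->value map."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    event_data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {"event_id": event_id, "host_hostname": computer, "event_data": event_data}


def gim_categorize(event_id, event_data):
    """Map one event to GIM fields; event 12 branches on the EventType value (assumed field name)."""
    detail = event_data.get("EventType") if event_id == 12 else None
    row = GIM_TABLE.get((event_id, detail))
    if row is None:
        return {}  # unmapped events keep their parsed fields but receive no GIM fields
    return dict(zip(GIM_FIELDS, row))


def first_and_list(values, single_field, list_field):
    """host_ip / host_mac take the first reported value; a reported list also fills *_list."""
    if not values:
        return {}
    if isinstance(values, str):
        return {single_field: values}
    return {single_field: values[0], list_field: list(values)}


def normalize(xml_text, agent_host_ips=None, agent_host_macs=None):
    """Produce the flat, schema-style field set for one Sysmon event."""
    ev = parse_sysmon_event(xml_text)
    fields = {"event_id": ev["event_id"], "host_hostname": ev["host_hostname"]}
    fields.update(first_and_list(agent_host_ips, "host_ip", "host_ip_list"))
    fields.update(first_and_list(agent_host_macs, "host_mac", "host_mac_list"))
    fields.update(gim_categorize(ev["event_id"], ev["event_data"]))
    return fields


# Constructed sample events: hostnames, paths and addresses are made up for this example.
_EVENT_OPEN = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'


def _sample(event_id, computer, data):
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'{_EVENT_OPEN}<System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


SAMPLE_EVENTS = [
    _sample(1, "ws01.example.test", {"Image": r"C:\Windows\System32\notepad.exe", "ProcessId": "4242"}),
    _sample(12, "ws01.example.test", {"EventType": "DeleteValue",
                                      "TargetObject": r"HKLM\SOFTWARE\Example\Setting"}),
    _sample(3, "ws01.example.test", {"DestinationIp": "203.0.113.10", "DestinationPort": "443"}),
    _sample(26, "ws01.example.test", {"Image": r"C:\Windows\explorer.exe"}),  # no row in the table
]

if __name__ == "__main__":
    for xml_text in SAMPLE_EVENTS:
        print(normalize(xml_text, agent_host_ips=["10.0.0.5", "fe80::1"]))
```

Running the module prints one flat field dictionary per sample; the event 26 sample comes out with `event_id` and host fields but no `gim_*` fields, which is the behaviour to expect in Graylog for any Sysmon ID the table does not cover.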
