Shipping Sysmon Logs to Logz.io Cloud SIEM

Sysmon logs and Logz.io Cloud SIEM

System Monitor (Sysmon) is a Windows system service and device driver from the Sysinternals suite that monitors system activity and records it to the Windows event log. Once installed it starts logging immediately, and because its driver is registered as a boot-start driver it captures events from very early in the boot process. Now, you can send Sysmon logs straight to Logz.io Cloud SIEM.

Sysmon persists across system reboots, constantly monitoring and logging activity to the Windows event log. Together with Windows Event Collection and other agents, it provides a deeper view of suspicious events on your machines.

As such, Sysmon brings tremendous visibility into the security of a machine. For instance, it records the full command line of every created process, which standard Windows event logging does not include by default. Sysmon also hashes every process image file and can record several hash algorithms (SHA1, SHA256, MD5 and IMPHASH) at the same time.

Other capabilities include recording globally unique identifiers (GUIDs) for processes so that events can be correlated reliably, rule-based filtering, detection of changes to file creation times (a trick malware uses to hide its presence), process creation, network connections, and raw read access to disks and volumes.

With Sysmon logs in Logz.io Cloud SIEM, you can take advantage of our rules and dashboards to tune your alerts for Sysmon events and gain greater insight into the events it records.

Now, you can send your Sysmon logs to Logz.io via Winlogbeat (the Beats shipper for Windows event logs) with a simple setup and configuration. For a full walk-through of installing and configuring Winlogbeat, check out our new Winlogbeat tutorial.

Install & Configure Sysmon

Install Sysmon and make sure you are running the latest version of Winlogbeat. Sysmon should be configured with the SwiftOnSecurity configuration, which is a widely used, well-documented starting point.

Next, download the Logz.io public certificate and save it on the machine as C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt.

Either create a new winlogbeat.yml configuration file, or locate the default config file at one of:

C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml

or

C:\Program Files\Winlogbeat\winlogbeat.yml

Configuration Code Block

Now, paste the following code block either 1) directly into the new config file, or 2) in place of the contents of the default config file:

File Content:
winlogbeat.event_logs:
  # Sysmon writes to this channel; only events from the last 72 hours are picked up on first start
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
fields:
  logzio_codec: json
  token: <<SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true
processors:
  # Field renames used by the Logz.io pipeline
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true
  - rename:
      fields:
        - from: "log"
          to: "log_information"
      ignore_missing: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']

Replace <<SHIPPING-TOKEN>> and <<LISTENER-HOST>> with the appropriate values: the shipping token of the Logz.io account you want to ship logs to, and the listener host for your region.

Importantly, make sure Logz.io is the ONLY output destination and that it appears only once. Remove any other outputs from the configuration file if you haven't already; Beats refuse to start when more than one output is defined.

Then, restart Winlogbeat in PowerShell as an admin:

Restart-Service winlogbeat
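Before restarting the service it is worth checking that the edited file actually satisfies the rules above (one output, placeholders replaced, Sysmon channel present, TLS settings in place). The following pre-flight linter is an added example, not a Logz.io or Elastic tool: its checks are deliberately line-based so it needs no YAML library, it assumes the flat layout of the config shown on this page, and the three config strings it runs against are constructed for the demo (listener.example.com and the token value are stand-ins, not real Logz.io values).

```python
"""Pre-flight checks for a winlogbeat.yml of the shape shown on this page.
Added example, not a Logz.io/Elastic tool. Line-based on purpose: no YAML
parser dependency. CONFIG strings below are constructed for the demo."""
import re

SYSMON_CHANNEL = "microsoft-windows-sysmon/operational"
OUTPUT_RE = re.compile(r"^output\.(\w+):")        # only column-0 keys are top-level outputs
CHANNEL_RE = re.compile(r"^\s*-\s*name:\s*(\S+)")
HOSTS_RE = re.compile(r'^\s*hosts:\s*\[\s*"?([^"\]]+)"?\s*\]')


def lint_winlogbeat_config(text):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    lines = text.splitlines()

    # Beats allow exactly one output, and Logz.io wants the logstash one.
    outputs = [m.group(1) for ln in lines if (m := OUTPUT_RE.match(ln))]
    if len(outputs) != 1:
        problems.append(f"expected exactly one output, found {outputs or 'none'}")
    elif outputs[0] != "logstash":
        problems.append(f"expected output.logstash, found output.{outputs[0]}")

    # The Sysmon channel must be among the collected event logs (name is case-insensitive).
    channels = [m.group(1).lower() for ln in lines if (m := CHANNEL_RE.match(ln))]
    if SYSMON_CHANNEL not in channels:
        problems.append("Microsoft-Windows-Sysmon/Operational is not in winlogbeat.event_logs")

    # Leftover <<...>> or <> placeholders mean the token/listener were never filled in.
    for n, ln in enumerate(lines, 1):
        if "<<" in ln or "<>" in ln:
            problems.append(f"line {n}: placeholder not replaced: {ln.strip()}")

    # TLS shipping: the listener port used on this page plus a CA to verify it against.
    hosts = [m.group(1) for ln in lines if (m := HOSTS_RE.match(ln))]
    if not any(h.endswith(":5015") for h in hosts):
        problems.append("no output host on port 5015")
    if not any("certificate_authorities" in ln for ln in lines):
        problems.append("ssl.certificate_authorities is missing")
    return problems


# Constructed: the page's config with its placeholders still in place.
PAGE_CONFIG = r"""
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
fields:
  logzio_codec: json
  token: <<SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']
"""
# Constructed: the same file with stand-in values filled in (not a real token or host).
GOOD_CONFIG = (PAGE_CONFIG.replace("<<SHIPPING-TOKEN>>", "0123456789abcdefghijklmnopqrstuv")
                          .replace("<<LISTENER-HOST>>", "listener.example.com"))
# Constructed: a second output left behind from an earlier setup.
BAD_CONFIG = GOOD_CONFIG + 'output.elasticsearch:\n  hosts: ["localhost:9200"]\n'

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_winlogbeat_config(cfg) or "OK")
```

Run it with `python lint_winlogbeat.py` after pointing `PAGE_CONFIG` at the real file contents; only when it prints OK is it worth running Restart-Service.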

Sysmon Examples in Logz.io

Logz.io provides two pre-built dashboards for Sysmon: an Event Summary and a Log Summary.

(Image: the Event Summary dashboard)

Each Sysmon rule in Logz.io comes with recommended courses of action that depend on what Sysmon detected. Take the following two scenarios:

A CoinMiner process was detected

By default, Logz.io Cloud SIEM treats this type of event with medium severity. You will get the following message:

This can indicate that the host is infected by malware or riskware.

That is, cryptocurrency-mining software or similar riskware may have infected the system.

Suggested next steps that you will be told to consider are:

  1. Investigate the file. The command line that launched it is in the field winlog.event_data.CommandLine, and the path of the launching executable is in winlog.event_data.Image.
  2. Investigate the origin of the file that created the process. Use forensic tools to determine when and how the file entered the system.
  3. In the case of a malware event, look for persistence mechanisms and additional evidence of host infection.
  4. Extract the IOCs and use them according to company policy.
  5. Remediate according to company policy.

Finally, an example of the alert log looks like this:

The following have met the alert condition:
[ {
 "winlog.event_data.CommandLine" : "\"cmd\" /c ExpCompose install \"ExpCompose\" conhosts.exe -o stratum+tcp://bcn.pool.minergate.com:45550 -u 24152514@dds.com -p x -t 1",
 "winlog.computer_name" : "DESKTOP-G7KD2RE",
 "winlog.event_data.Image" : "C:\\Windows\\System32\\cmd.exe",
 "count" : 1.0
}]


Suspicious registry persistence

You will get the following message:

An attempt to create a registry persistence was detected. This can indicate malware or attacker attempts to ensure persistence and/or run a malware file with high permissions.

The suggested next steps are:

  1. Investigate the field winlog.event_data.Image for a bad reputation, a suspicious file path, and so on.
  2. Click “Investigate” in the event log to drill down on the raw logs. Investigate the Image file hash and other related information.
  3. If the alerted process name appears legitimate, make sure it is found in its expected path.
  4. For any artifacts found, extract IOCs and use them according to company policy.

A sample of an alert might look like the following:

The following have met the alert condition:
[ {
"winlog.event_data.TargetObject" : "HKU\\S-1-5-21-18475724-796085606-2334334388-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\EFlLGgkkkDZLVeP",
"winlog.event_data.Image" : "C:\\WINDOWS\\SysWOW64\\notepad.exe",
"winlog.computer_name" : "DESKTOP-G7KD2RE",
"count" : 1.0
} ]
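The two scenarios above, as an added example that is not Logz.io's rule logic: a toy Python re-implementation of both detections, run over constructed Sysmon events in the flattened field names Winlogbeat produces (winlog.event_id, winlog.event_data.Image, winlog.event_data.CommandLine, winlog.event_data.TargetObject). The event IDs are Sysmon's documented ones (1 = process create, 13 = registry value set); the indicator patterns, the severity bump when the registry writer is a scripting or LOLBin host, and the IOC extraction for step 4 of the playbooks are assumptions that approximate, not reproduce, the Logz.io rules. The first two sample events mirror the alert payloads shown on this page; the rest are made up.

```python
"""Toy versions of the two Sysmon detections discussed above. Added example,
not Logz.io's rule logic. Indicator regexes and sample events are assumptions
constructed for the demo."""
import re

# Sysmon event IDs (documented by Sysinternals).
SYSMON_PROCESS_CREATE = 1
SYSMON_REGISTRY_VALUE_SET = 13

# Assumed miner indicators: stratum pool URLs and common miner names/switches.
MINER_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://|xmrig|minergate|cryptonight|--donate-level", re.I)
POOL_RE = re.compile(r"stratum\+\w+://([^\s/]+)", re.I)
WALLET_RE = re.compile(r"(?:^|\s)-u\s+(\S+)")

# Autostart locations: Run/RunOnce in any hive, plus Winlogon Userinit/Shell.
RUN_KEY_RE = re.compile(r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
WINLOGON_RE = re.compile(r"\\Winlogon\\(?:Userinit|Shell)$", re.I)
# Writers that should never legitimately set an autostart value (assumed list).
LOLBIN_WRITER_RE = re.compile(r"\\(?:notepad|cmd|powershell|wscript|cscript|mshta|regsvr32|rundll32)\.exe$", re.I)


def detect_coinminer(event):
    """Rule 1: a process creation whose command line carries mining indicators."""
    if event.get("winlog.event_id") != SYSMON_PROCESS_CREATE:
        return None
    cmd = event.get("winlog.event_data.CommandLine", "")
    hit = MINER_RE.search(cmd)
    if not hit:
        return None
    pool, wallet = POOL_RE.search(cmd), WALLET_RE.search(cmd)
    return {
        "rule": "CoinMiner process detected",
        "severity": "medium",
        "host": event.get("winlog.computer_name"),
        "image": event.get("winlog.event_data.Image"),
        "indicator": hit.group(0),
        # IOCs for the playbook: pool endpoint and wallet/worker id from the command line.
        "iocs": {"pool": pool.group(1) if pool else None,
                 "wallet": wallet.group(1) if wallet else None},
    }


def detect_registry_persistence(event):
    """Rule 2: a registry value set under an autostart key."""
    if event.get("winlog.event_id") != SYSMON_REGISTRY_VALUE_SET:
        return None
    target = event.get("winlog.event_data.TargetObject", "")
    if not (RUN_KEY_RE.search(target) or WINLOGON_RE.search(target)):
        return None
    image = event.get("winlog.event_data.Image", "")
    # Raise severity when the writer is a scripting/LOLBin host rather than an installer.
    severity = "high" if LOLBIN_WRITER_RE.search(image) else "medium"
    return {
        "rule": "Suspicious registry persistence",
        "severity": severity,
        "host": event.get("winlog.computer_name"),
        "image": image,
        "indicator": target,
        "iocs": {"value_name": target.rsplit("\\", 1)[-1], "writer": image},
    }


RULES = (detect_coinminer, detect_registry_persistence)


def run_rules(events):
    """Apply every rule to every event and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events in Winlogbeat's flattened Sysmon field names.
SAMPLE_EVENTS = [
    {"winlog.event_id": 1, "winlog.computer_name": "DESKTOP-G7KD2RE",
     "winlog.event_data.Image": r"C:\Windows\System32\cmd.exe",
     "winlog.event_data.CommandLine": '"cmd" /c ExpCompose install "ExpCompose" conhosts.exe '
                                      '-o stratum+tcp://bcn.pool.minergate.com:45550 -u 24152514@dds.com -p x -t 1'},
    {"winlog.event_id": 13, "winlog.computer_name": "DESKTOP-G7KD2RE",
     "winlog.event_data.Image": r"C:\WINDOWS\SysWOW64\notepad.exe",
     "winlog.event_data.TargetObject": r"HKU\S-1-5-21-18475724-796085606-2334334388-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EFlLGgkkkDZLVeP"},
    {"winlog.event_id": 13, "winlog.computer_name": "WS-0042",
     "winlog.event_data.Image": r"C:\Windows\System32\msiexec.exe",
     "winlog.event_data.TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"winlog.event_id": 1, "winlog.computer_name": "WS-0042",
     "winlog.event_data.Image": r"C:\Program Files\Git\cmd\git.exe",
     "winlog.event_data.CommandLine": '"C:\\Program Files\\Git\\cmd\\git.exe" fetch origin'},
    {"winlog.event_id": 13, "winlog.computer_name": "WS-0042",
     "winlog.event_data.Image": r"C:\Windows\explorer.exe",
     "winlog.event_data.TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f'[{a["severity"]}] {a["rule"]} on {a["host"]}: {a["image"]} -> {a["iocs"]}')
```

Note what the two benign events show: the git process creation and explorer's write to a non-autostart key raise nothing, while the installer writing a Run value still alerts at medium because persistence by itself is worth a look, and the same write from notepad.exe is escalated.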

Conclusion

Sysmon is an invaluable tool that improves visibility into Windows systems. The rich detail it records, such as command lines, image hashes and process GUIDs, makes logs easier to organize and deeper analysis possible. In conjunction with Logz.io Cloud SIEM, you can quickly drill down into the raw logs to understand what is happening on your hosts.
