Microsoft Sysmon, a component of Microsoft’s Sysinternals suite of Windows utilities, is a powerful host-level tool that can assist you in detecting advanced threats on your network by providing intricate host-operation details in real time. In contrast to common Antivirus/Host-Based Intrusion-detection (HIDS) solutions, Sysmon performs system activity deep monitoring and logs high-confidence indicators of advanced attacks.
Sysmon is capable of producing extensive details that are useful in the early detection of malicious code execution or other nefarious behavior. These include:
- Process executions, including parent/child relationships, user that launched process, and hash data
- File creations
- File creation time changes
- Network activity, down to the process level
- Image loads
- Creation of remote threads
- Interprocess accesses
- Windows registry modifications
- NTFS alternate data stream (ADS) creations
- Pipe creations and connections
- WMI event monitoring
How can I use this data?
When your Splunk deployment is ingesting Sysmon data, you can use the data to achieve the following objectives:
- Monitoring for signs of Windows privilege escalation attacks
- Recognizing improper use of system administration tools
- Monitoring command line interface actions
- Detecting techniques in the Orangeworm attack group
- Investigating a ransomware attack
- Reconstructing a website defacement
- Creating a timebound picture of network activity
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Sysmon resources.
Getting Sysmon data in
Splunk Docs contains extensive guidance on getting data into your Splunk deployment. If your deployment is not already ingesting Sysmon data, the following topics can assist you in preparing to work with this data type:
- Splunk Enterprise
- Splunk Cloud
The recommended index is epintel.
The source type is XmlWinEventLog:Microsoft-Windows-Sysmon/Operational. If you have already started ingesting data with a different sourcetype, we recommend that you switch over to the standardized source types.
The supported input type is WinEventLog://Microsoft-Windows-Sysmon/Operational. If you have already started ingesting the data sources into another index, then you can usually proceed, though consider if you should separate sourcetypes into different indexes, based on who likely will need access or be prohibited access.
In addition, you will need the Splunk Add-on for Microsoft Sysmon. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Sysmon, and configure Splunk.
A properly configured Windows endpoint running Sysmon will result in 2-4MB of Sysmon data ingested in Splunk daily—sometimes much less. Particularly busy or compromised machines may generate more data. You may also select “critical” machines or machines owned by “most likely targets” and voluntarily increase the verbosity of logging on these systems. For example, the NetworkConnect (Event Code 3) and Image Load (Event Code 7) logging may be increased for these systems. Universal Forwarder operation can also result in significant process-execution events.
After proper configuration, run the following Splunk search:
You should see data coming into Splunk. Verify correct timestamps, event breaking, and field extraction.