Sysmon (System Monitor) is a system monitoring and logging tool that is a part of the Windows Sysinternals Suite. It generates much more detailed and expansive logs than the default Windows logs, and it provides a great, free alternative to many of the Endpoint Detection and Response (EDR) solutions available. If you are curious about the potential of Sysmon, I did a short talk showing some of its capabilities.
This blog series will help prepare you to get Sysmon up and running, deploy it in your environment, and forward the event logs to your Splunk indexers.
Configuration and installation
Sysmon is simple to install, but there are a few decisions to make before you roll it out in your environment: an initial configuration, a deployment method, and a forwarding mechanism.
The first major choice is the initial configuration of your Sysmon build. It is possible to write your own configuration, but doing so requires a good understanding of which logs you want to generate, and it can produce a large volume of unpredictable events.
There are two popular configurations that are easy to deploy and have done a lot of the initial legwork, and both are great choices to start with.
SwiftOnSecurity maintains a simplified, single-file configuration that is a great starting point for seeing what Sysmon can do. You can download it from GitHub and install Sysmon with it to be up and running in a few minutes.
The advantages of this configuration are that it is simple to modify, roll changes out to, and keep up to date. The main disadvantage is that, as you tune the configuration to your environment, the single-file layout makes it difficult to keep track of those changes. So for a very simple, one-shot configuration it works great, but the second popular configuration is much better suited to a well-tuned environment.
If you decide to use SwiftOnSecurity’s configuration, I would recommend the following configuration additions, as the default configuration does not exclude Splunk processes and can generate a large number of events:
To the section titled:
Modular Sysmon, by Olaf Hartong, is more complex than Swift’s, but is not overwhelming. An important aspect of Modular Sysmon is that many of its rules are mapped to the MITRE ATT&CK framework, so each event carries a RuleName field showing the ATT&CK mapping, like the one below:
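As an added example (not the author's code and not part of either configuration), here is a small Python helper that parses Sysmon events in their Windows event XML form and tallies them by the technique_id carried in RuleName; the sample events are constructed, and the comma-separated key=value RuleName layout is assumed to match what sysmon-modular emits.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace that Windows event XML (including Sysmon events) is written in.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Return the EventID plus every EventData field of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def parse_rule_name(rule_name):
    """Split a sysmon-modular style RuleName into key/value pairs.

    Only commas followed by another key= start a new pair, so technique names
    containing commas survive. A RuleName with no '=' (e.g. '-' when no rule
    matched, or a plain SwiftOnSecurity label) is returned under 'label'."""
    if "=" not in rule_name:
        return {"label": rule_name}
    return dict(part.split("=", 1) for part in re.split(r",(?=\w+=)", rule_name))


def technique_counts(xml_events):
    """Count events per ATT&CK technique_id; events without a mapping are 'untagged'."""
    counts = Counter()
    for xml_text in xml_events:
        tags = parse_rule_name(parse_sysmon_event(xml_text).get("RuleName", "-"))
        counts[tags.get("technique_id", "untagged")] += 1
    return counts


def _event(event_id, **data):
    """Build a constructed Sysmon event in Windows event XML form (sample input, not a capture)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{rows}</EventData></Event>')


# Constructed sample: two process-create events (ID 1) with mappings, one network event (ID 3) without.
SAMPLE_EVENTS = [
    _event(1, RuleName="technique_id=T1059,technique_name=Command-Line Interface",
           Image=r"C:\Windows\System32\cmd.exe"),
    _event(1, RuleName="technique_id=T1059.001,technique_name=Command and Scripting Interpreter: PowerShell",
           Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _event(3, RuleName="-", Image=r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"),
]

if __name__ == "__main__":
    print(technique_counts(SAMPLE_EVENTS))  # Counter({'T1059': 1, 'T1059.001': 1, 'untagged': 1})
```

Events exported from the Sysmon operational log (or indexed in Splunk with the raw XML kept) can be fed to technique_counts unchanged, which is a quick way to see how much of your volume is mapped versus untagged noise.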