A comprehensive guide to navigate Sysmon logs

In the ever-evolving landscape of cybersecurity, it's important to stay ahead of threats. Sysmon logs play a crucial role in this endeavor by providing valuable insights and enabling organizations to strengthen their security posture.

Windows serves as a predominant operating system in corporate environments, and it is vital to gain a comprehensive understanding of Windows event logs, their distinctive characteristics and limitations, and the potential for enhancement through Sysmon.

What are Sysmon logs?

Sysmon logs are event logs generated by Microsoft System Monitor (Sysmon). These provide detailed information about system-level operations on Windows and record activities such as process initiation, network connections, file and registry modifications, driver and service activity, and WMI actions. By analyzing Sysmon logs, security experts can detect potential risks, spot anomalies, and respond to security incidents to enhance overall system monitoring and security.

Where are Sysmon logs stored?

Sysmon logs are stored in the Windows Event Log. Specifically, they are located within the Microsoft-Windows-Sysmon/Operational event log channel.

To obtain the Sysmon logs:

• Open Event viewer on the Windows system.
• Expand Applications and Services Logs.
• Find the Microsoft-Windows-Sysmon/Operational log and view the Sysmon log entries.

Why are Sysmon logs important?

Sysmon logs are important because they play a crucial role in enhancing system security and enabling effective incident response. Let's explore a real-life example to understand the significance of Sysmon logs:

In an organization characterized by a complex network infrastructure and a multitude of endpoints, the security team one day detects unusual network activity indicating a potential security violation. To investigate the incident, they use Sysmon logs, which have been carefully configured and distributed across the network. They find a process creation event in the Sysmon logs with an unusual image file name and suspicious command-line inputs. Further examination reveals that the process is in communication with suspicious external IP addresses.

The security team can piece together the sequence of events by using the data recorded in the Sysmon logs. They become aware that the network of the company has been infiltrated and that a hacker has gained access to the system. The logs provide crucial evidence of the malicious process and its activity, enabling the team to trace the origin of the attack, understand its impact, and devise an effective response strategy.

Key events logged by Sysmon

Process creation

Process creation, denoted by Event ID 1, in Sysmon logs offer valuable insights into the creation of processes on a Windows system. These logs provide key details like process ID, parent process ID, image name, command-line parameters, creation options, file hashes, digital signatures, parent process info, and network connections. Sysmon's configuration options enable customization of the logged information to align with specific requirements.

A process changed a file creation time

Event ID 2 in Sysmon logs indicates that a process has altered the creation time of a file. This event provides insights into instances where a process has changed the metadata associated with the file, specifically the creation timestamp. The modification of the time creation time could be an intentional action performed by an authorized user for legitimate purposes. However, it could also be an indication of suspicious activity or a potential security breach.

Network connection

Event ID 3 in Sysmon logs represents network connection events. It provides essential information such as the process ID (PID) of the program initiating the connection, the source IP and port of the local endpoint, the destination IP and port of the remote endpoint, and the protocol used. Analyzing network connections helps in monitoring network traffic, identifying suspicious connections, tracking application behavior, and investigating security incidents. Remember that the structure and fields of Sysmon logs may vary based on the Sysmon version and configuration settings.

Sysmon service state changed

The state change event, denoted by Event ID 4, can indicate either the successful start or stop of the Sysmon service. The start of the service indicates that the Sysmon service has been started and the system activity is now being monitored and logged. The stop of a service occurs when it is manually stopped by an administrator or if there is an issue with the service itself.

Driver loaded

When a driver is installed, it becomes an integral part of the kernel of the operating system, allowing it to communicate with hardware devices and carry out low-level tasks. The Driver loaded event, denoted by Event ID 6, records specifics about the procedure in charge of loading the driver as well as information on the driver file itself.

File creation and modification

Sysmon records events whenever files are added, changed, or removed from the system. Event ID 11 contains details about the file's path, the operation that created or modified the file, and the file's hash. This facilitates the detection of unauthorized file modifications or suspicious behavior.

WMI activity

Windows' WMI management architecture enables developers and administrators to remotely view and modify system data, configuration settings, and execute instructions. The Sysmon logs contain entries with the Event IDs 19 (WmiEventFilter) and 20 (WmiEventConsumer), which respectively collect information about WMI event filtering and event consumption.

Understanding the lifecycle of Sysmon log management

The process of collecting and analyzing Sysmon logs involves several key steps.

• Deployment: Deploy Sysmon on your Windows systems to start capturing event information. You can use automated deployment techniques like Group Policy or scripting for bulk installation, or you can download the Sysmon software from the Microsoft website and install it on each machine separately.
• Configuration: Configure Sysmon to specify the desired events to monitor and the destination for logging. A configuration file, which specifies the events to monitor and log, can be used to set up Sysmon. You can adjust the configuration file to meet your unique needs by activating or deleting particular event kinds as necessary.
• Log collection: Sysmon logs are normally published in XML format to the Windows Event Log. To collect the Sysmon logs, you can use various methods such as Windows Event Forwarding (WEF), a centralized logging solution, or a SIEM solution. Using these techniques, you may consolidate the logs from several systems in one place for further analysis.
• Log storage and retention: It's important to establish an appropriate log storage and retention strategy to ensure you have enough capacity to store the logs and retain them for an adequate period. Depending on your organization's needs and compliance requirements, you may choose to store logs locally on each system or centrally in a log management system.
• Log analysis: Analyze the collected Sysmon logs using manual techniques and automated tools. Sysmon logs contain various types of events, including process creation, network connections, file creation or modification, registry modifications, and more, to identify suspicious activity, indicators of compromise, and understand system behavior.
• Threat hunting: Sysmon logs can be an incredibly useful tool for proactive threat hunting. Create queries or rules in your SIEM or log management system to look for indicators of unusual activity or recognized attack patterns. With this method, you can spot security flaws or possible risks that aren't always obvious.
• Incident response and forensics: Utilize the analyzed Sysmon logs during incident response and forensic investigations to reconstruct timelines, track attacker actions, and determine the impact of security incidents.

How does EventLog Analyzer support the monitoring and examination of Sysmon logs?

ManageEngine EventLog Analyzer is a log management and SIEM solution that enhances Sysmon log monitoring by providing centralized collection, analysis, and reporting capabilities. It serves as an unified platform for gathering, analyzing, archiving, and reporting on Sysmon logs produced by Windows systems.

EventLog Analyzer:

• Tracks various processes, offering detailed insights.
• Discovers attack trends in logs effectively.
• Preserves log data for future forensic investigation.
• Provides a comprehensive understanding of system operations by combining Sysmon logs from multiple sources, including event log files and Sysmon collectors.
• Actively monitors and captures changes to registry keys and values.

To learn more about why EventLog Analyzer is a good choice for Sysmon log analysis, click here.