Collect Sysmon data
Chris Bisnett
Is there something specifically you’re looking to collect with Sysmon? We’ve got experience with Sysmon and one of the biggest challenges is how much data it can generate depending on the configuration. Some of the data can be really useful, but much of it is super verbose tracking of internal operating system activity that isn’t relevant to security detections.
Jonathan Pilkington
Chris Bisnett One of the bigger ones is SYSMON event ID 11. This captures when new files are created, as there have been multiple occasions where Defender has caught something and quarantined it. Which is good; however, because of that I often can't figure out when the file was created, and that makes it harder to figure out where it came from. SYSMON event ID 1 could help with this as it captures when new files are created. Though understandably it does create a lot of noise, around 16,000 events an hour. Though on, say, a file server I imagine this would be much higher than that.
Another would be SYSMON event ID 1. This captures when new processes are created. Similar to event ID 4688 but has a lot of extra details. However, it appears that 4688 might be filtered now. Makes sense as EDR captures this information. However, I feel it could be helpful to organizations who only want the SIEM and not EDR.
Joshua Strickland
Chris Bisnett Having the ability to query ingested Sysmon for PowerShell and cmd commands that are executed, and the ability to more closely monitor network connections (IPs and ports); that would be huge. Then having the ability to alert on it would be invaluable. It could also be useful for new processes that are spawned and created.
Overall - being able to use the verbosity of Sysmon opens up the door for easy to query information with the potential to set up triggers and alerts from the SIEM.
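As an added example (not code from this thread or from any of the posters), a small Python script that does the two things asked for in the posts above, assuming the Sysmon events are available in the Windows event-log XML form: it joins an event ID 11 FileCreate to the event ID 1 ProcessCreate that wrote the file, so a quarantined file's creation time, writing process and parent are visible, and it pulls PowerShell/cmd command lines out of event ID 1 records. The sample events, GUIDs, paths and times are constructed for the example.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample events in the XML shape Sysmon writes to the event log;
# GUIDs, paths and times are made up for this example.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>1</EventID></System><EventData>'
    '<Data Name="UtcTime">2024-05-01 10:02:11.120</Data><Data Name="ProcessGuid">{AAAA-0001}</Data>'
    r'<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>'
    r'<Data Name="CommandLine">powershell.exe -NoProfile -File C:\Users\alice\Downloads\invoice.ps1</Data>'
    r'<Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>'
    '</EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>11</EventID></System><EventData>'
    '<Data Name="UtcTime">2024-05-01 10:02:13.407</Data><Data Name="ProcessGuid">{AAAA-0001}</Data>'
    r'<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>'
    r'<Data Name="TargetFilename">C:\Users\alice\AppData\Local\Temp\update.exe</Data>'
    '</EventData></Event>',
]

def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one event into {"EventID": n, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for data in root.iter(f"{NS}Data"):
        event[data.get("Name")] = data.text or ""
    return event

def find_file_origin(events: list[dict], target_file: str) -> dict | None:
    """For a (e.g. quarantined) path, take its Event 11 FileCreate and join it to
    the writer's Event 1 ProcessCreate on ProcessGuid to recover when it was
    written, by which process, and under what parent and command line."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    for e in events:
        if e["EventID"] == 11 and e.get("TargetFilename", "").lower() == target_file.lower():
            proc = procs.get(e["ProcessGuid"], {})
            return {"created_utc": e["UtcTime"], "image": e["Image"],
                    "command_line": proc.get("CommandLine"), "parent_image": proc.get("ParentImage")}
    return None

def shell_commands(events: list[dict]) -> list[tuple[str, str]]:
    """(UtcTime, CommandLine) of every Event 1 whose image is a shell or script host."""
    return [(e["UtcTime"], e["CommandLine"]) for e in events
            if e["EventID"] == 1 and PureWindowsPath(e["Image"]).name.lower() in SHELLS]
```

The same join works over events exported from a SIEM as long as ProcessGuid is kept, which is what makes event ID 11 more useful than a bare file timestamp.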