This document describes how to collect Sysmon logs and send them to Armor's Log and Data Management platform.


Configure Your Sysmon Service


Configuring the Sysmon service uses the Command Line Interface (CLI) feature. For more information, see Security Service CLI Commands.

The following arguments install and uninstall the Sysmon service.

COMMAND | ARGUMENTS | RESULT
sysmon | install | Installs the Sysmon service.
sysmon | uninstall | Removes the Sysmon service.

The following arguments are possible parameters for the Logging CLI feature.

COMMAND | ARGUMENTS | RESULT
add-event-logs | "Microsoft-Windows-Sysmon/Operational" | Adds the event log to the logging service.
sync-event-logs | | Syncs the logging config.
remove-event-logs | "Microsoft-Windows-Sysmon/Operational" | Removes the event log from the logging service.


Installation of Sysmon


  1. Install the Sysmon service.

    C:\.armor\opt\armor.exe sysmon install

  2. Add the Sysmon event log to the Armor logging service.

    C:\.armor\opt\armor.exe logging add-event-logs "Microsoft-Windows-Sysmon/Operational"

  3. Sync the logging config.

    C:\.armor\opt\armor.exe logging sync-event-logs


Removal of Sysmon


  1. Remove the Sysmon service.

    C:\.armor\opt\armor.exe sysmon uninstall

  2. Remove the Sysmon event log from the logging service.

    C:\.armor\opt\armor.exe logging remove-event-logs "Microsoft-Windows-Sysmon/Operational"

  3. Sync the logging config.

    C:\.armor\opt\armor.exe logging sync-event-logs


Accessing The Datalake


The Armor data lake is a centralized repository for storing Armor-collected data.

Log Search In AMP

  1. Navigate to Security -> Log Search and SSO into Chaos Search.

  2. Create a filter by doing the following:

    1. Click Add filter.

    2. In Field, select wineventlog.log_name.

    3. For Operator, select is.

    4. In the Value field, enter Microsoft-Windows-Sysmon/Operational.

    5. Click Save.

    6. Set the date range and click Refresh.


Data Presentation


Data consists of documents stored in the datalake. Each document contains all the data related to that particular rule and resource. Below are examples of the table and JSON views:

Table Example

FIELDS | VALUES
@timestamp | Jan 8, 2021 @ 05:22:23.536
@version | 1
_id | 63691655
_index | 1_2177_customer
_score | 1
_type | doc
armor_metadata.customer.account_name | 330IncAnywhereGen4Dec6
armor_metadata.customer.hostname | EC2AMAZ-V8SB0VH
armor_metadata.customer.os_name | Windows 2019
armor_metadata.customer.product_name | AA
armor_metadata.customer.service_provider | Armor Anywhere
armor_metadata.customer.tenant_id | 2177
armor_metrics.input_port | 5515
armor_metrics.latency.processing | 0.105
armor_metrics.processing_chain | ["KVN_V4_collector_i-029bcb4147f0cd297|2021-01-07T23:52:23Z","KVN_V4_processor_i-0ebc8bdf5058e3486|2021-01-07T23:52:23Z"]
beat.hostname | EC2AMAZ-V8SB0VH
beat.name | EC2AMAZ-V8SB0VH
beat.version | 6.7.1
data_type | wineventlog
document_size | 2,108
event_uuid | b478b96d-9bdd-42e4-8a0b-a16878dc5406
external_id | 6010ee52-85a8-456e-8dea-a7ad32ebc0fd
hostname | EC2AMAZ-V8SB0VH
index_type | customer-known
labels.parent_id | 1
logsource.hostname | EC2AMAZ-V8SB0VH
logsource.origin | core
message | Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server
message_size | 504
original_timestamp | Jan 8, 2021 @ 05:22:20.639
received_timestamp | Jan 8, 2021 @ 05:22:23.536
syslog_timestamp | 01-01-2007 23:52
tags | ["core","oslogs","windows","customer","confirmed_external_id"]
tenant_id | 2177
type | wineventlog
wineventlog.computer_name | EC2AMAZ-V8SB0VH
wineventlog.event_data.target_user_name | -
wineventlog.event_id | 3
wineventlog.level | Information
wineventlog.log_name | Microsoft-Windows-Sysmon/Operational
wineventlog.opcode | Info
wineventlog.process_id | 6136
wineventlog.provider_guid | {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
wineventlog.record_number | 4196814
wineventlog.source_name | Microsoft-Windows-Sysmon
wineventlog.task | Network connection detected (rule: NetworkConnect)
wineventlog.thread_id | 5680
wineventlog.user.domain | NT AUTHORITY
wineventlog.user.identifier | S-1-5-18
wineventlog.user.name | SYSTEM
wineventlog.user.type | User
wineventlog.version | 5

JSON Example

{
  "_score": 1,
  "_type": "doc",
  "_source": {
    "document_size": 2108,
    "@timestamp": "2021-01-07T23:52:23.536Z",
    "tenant_id": "2177",
    "armor_metadata.customer.tenant_id": "2177",
    "hostname": "EC2AMAZ-V8SB0VH",
    "wineventlog.provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "wineventlog.process_id": "6136",
    "message_size": 504,
    "wineventlog.computer_name": "EC2AMAZ-V8SB0VH",
    "_id": 63691655,
    "tags": "[\"core\",\"oslogs\",\"windows\",\"customer\",\"confirmed_external_id\"]",
    "armor_metrics.processing_chain": "[\"KVN_V4_collector_i-029bcb4147f0cd297|2021-01-07T23:52:23Z\",\"KVN_V4_processor_i-0ebc8bdf5058e3486|2021-01-07T23:52:23Z\"]",
    "armor_metadata.customer.hostname": "EC2AMAZ-V8SB0VH",
    "wineventlog.opcode": "Info",
    "armor_metrics.input_port": "5515",
    "original_timestamp": "2021-01-07T23:52:20.639Z",
    "logsource.origin": "core",
    "wineventlog.user.domain": "NT AUTHORITY",
    "wineventlog.user.identifier": "S-1-5-18",
    "wineventlog.log_name": "Microsoft-Windows-Sysmon/Operational",
    "wineventlog.version": "5",
    "wineventlog.level": "Information",
    "wineventlog.thread_id": "5680",
    "wineventlog.user.name": "SYSTEM",
    "received_timestamp": "2021-01-07T23:52:23.536Z",
    "data_type": "wineventlog",
    "armor_metadata.customer.account_name": "330IncAnywhereGen4Dec6",
    "event_uuid": "b478b96d-9bdd-42e4-8a0b-a16878dc5406",
    "wineventlog.task": "Network connection detected (rule: NetworkConnect)",
    "syslog_timestamp": "Jan 7 23:52:23",
    "labels.parent_id": "1",
    "armor_metadata.customer.service_provider": "Armor Anywhere",
    "beat.version": "6.7.1",
    "external_id": "6010ee52-85a8-456e-8dea-a7ad32ebc0fd",
    "message": "Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\\Windows\\System32\\svchost.exe User: NT AUTHORITY\\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server",
    "armor_metrics.latency.processing": 0.10485601425170898,
    "wineventlog.record_number": "4196814",
    "wineventlog.event_data.target_user_name": "-",
    "type": "wineventlog",
    "armor_metadata.customer.product_name": "AA",
    "beat.name": "EC2AMAZ-V8SB0VH",
    "beat.hostname": "EC2AMAZ-V8SB0VH",
    "armor_metadata.customer.os_name": "Windows 2019",
    "@version": 1,
    "wineventlog.event_id": "3",
    "index_type": "customer-known",
    "logsource.hostname": "EC2AMAZ-V8SB0VH",
    "wineventlog.user.type": "User",
    "wineventlog.source_name": "Microsoft-Windows-Sysmon"
  },
  "_id": "63691655",
  "_index": "1_2177_customer"
}
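As an added example (not code from the page or from Armor), the following Python parses the message field of a Sysmon document like the one above into its Key: value pairs and applies a simple check over the document's wineventlog.log_name, wineventlog.event_id and message fields, flagging an inbound RDP (event 3, tcp/3389) connection from a non-private source address. The sample document is the page's JSON example trimmed to the fields the check uses; the field names and the regular expression are assumptions based on that example.

```python
import ipaddress
import json
import re

# A Sysmon message body is a run of "Key: value" pairs separated by single spaces.
# Values may themselves contain spaces (UtcTime, User) or colons (Image: C:\...),
# so a key is recognised only as a CamelCase word followed by ": ".
_KV = re.compile(r"([A-Z][A-Za-z0-9]*):\s(.*?)(?=\s[A-Z][A-Za-z0-9]*:\s|$)")


def parse_sysmon_message(message):
    """Return the Key: value pairs of a Sysmon event message as a dict."""
    return dict(_KV.findall(message))


def inbound_rdp_from_external(doc):
    """Flag a Sysmon event 3 (NetworkConnect) document that records an inbound
    RDP (tcp/3389) connection from a non-private source address.
    Returns a dict describing the hit, or None when the document does not match."""
    if doc.get("wineventlog.log_name") != "Microsoft-Windows-Sysmon/Operational":
        return None
    if doc.get("wineventlog.event_id") != "3":  # stored as a string in the data lake
        return None
    f = parse_sysmon_message(doc.get("message", ""))
    if f.get("Initiated") != "false" or f.get("DestinationPort") != "3389":
        return None
    try:
        src = ipaddress.ip_address(f["SourceIp"])
    except (KeyError, ValueError):
        return None
    if src.is_private:
        return None
    return {"host": doc.get("hostname"), "source_ip": str(src),
            "image": f.get("Image"), "utc_time": f.get("UtcTime")}


# Sample document: the page's JSON example, trimmed to the fields the check uses.
SAMPLE_DOC = json.loads(r'''{
  "hostname": "EC2AMAZ-V8SB0VH",
  "wineventlog.log_name": "Microsoft-Windows-Sysmon/Operational",
  "wineventlog.event_id": "3",
  "message": "Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\\Windows\\System32\\svchost.exe User: NT AUTHORITY\\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server"
}''')

if __name__ == "__main__":
    print(inbound_rdp_from_external(SAMPLE_DOC))
```

The same parser applies to any Sysmon event type, since every Sysmon message uses the same Key: value layout; only the keys differ per event ID.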


Helpful Fields For Searching The Datalake


FIELD | FILTER BY
wineventlog.log_name | Microsoft-Windows-Sysmon/Operational
wineventlog.task | the task name
wineventlog.event_id | the event ID, e.g. 1, 2, 3, 4, 5, 6, 7
wineventlog.source_name | Microsoft-Windows-Sysmon


Adding A Filter


To add additional filters, click the Add Filter button.

Then set the field to one of the helpful fields above, select the operator, enter the value and click Save. The data is now filtered on the selected log_name, event_id or other field.


Sysmon Rules


RULE | DESCRIPTION
PsExec Process Observed on a Compromised Host | This rule triggers when a PsExec process has been detected on a host that has been identified as likely compromised.
Administrative Share Accessed from a Compromised Host | Detects hosts that have been identified as likely compromised when they access administrative shares.
Network Share Accessed from a Compromised Host | Detects hosts that have been identified as likely compromised when they access network shares.
Powershell Process Observed on a Compromised Host | This rule triggers when a PowerShell process has been detected on a host that has been identified as likely compromised.
Metasploit PSExec Module Usage | Detects the Metasploit implementation of the PSExec tool.
Excessive System Tools Usage from a Single Host | Detects a large volume of several system tools being used from a single system.
Excessive Network Share Access Failures from a Compromised Host | Detects hosts that have been identified as likely compromised when they access several network shares in a short time period.
Powershell Script Created by a Remote Management Service | Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, creates a PowerShell script file.
Unsigned Executable Loaded In Sensitive System Process | This rule is triggered on any attempt to load an unsigned executable file into a sensitive system process.
Mimikatz IMP Hash Observed | Detects successful process creation matching the hash of 'Invoke Mimikatz PowerShell (IMP)'.
Potential Keylogger Detected | This rule triggers when a potential keylogger tool is detected.
Service Binary Path Update Followed by Remote Thread Creation | This rule triggers when a service binary path is updated and a remote thread is created by the same process.
Executable Loaded from Temp Directory | This rule triggers when an executable is loaded from a temp directory.
Remote Management Service Connected to lsass Pipe | Detects when a remote management service is connected to the lsass pipe.
Unusual Value Size in Windows Registry | This rule triggers when a value with an unusual size is set in the Windows Registry.
Service Binary Path Update Followed by User or Group Modification | This rule triggers when a service binary path is updated and a user or a group is modified on the same host.
Suspicious Access to lsass Process From Unknown Call Trace | This rule triggers when a suspicious access to lsass is initiated from an unknown call trace.
Fileless UAC Bypass using Windows Event Viewer | Detects a registry event that uses Windows Event Viewer to bypass UAC.
Process Launched from Unusual Directory | This rule triggers when a process is launched from an unusual directory.
Excessive Use of SC Command | This rule triggers when the Service Control command is frequently used on a single host.
Service Installed on a Compromised Host | This rule triggers when a service has been created on a host that has been identified as likely compromised.
Thread Creation by a Process Launched from a Shared Folder | Detects when a process launched from a shared folder creates a thread in another process.
Group or Account Discovery | Detects commands related to group or account discovery.
Unsigned Driver Loaded In Windows Kernel | This rule triggers when any unsigned driver is loaded in the kernel.
UAC Bypass - Scheduled Task Configured to Run with Highest Privileges | Detects a potential User Account Control bypass when a scheduled task is configured to run with the highest privileges.
Credential Dumping using SAM Registry Key | Detects when a resource enumerates the user sub-keys.
Download via Encoded Command Initiated | This rule triggers when a download of a PowerShell script is initiated from cmd.exe or PowerShell.
Programming Environment Started with a Privileged Account | Detects when a programming environment has been started with a privileged account.
Suspicious Access to lsass Process | This rule triggers when a process that does not normally do so connects to lsass.
Process Launched by an Unusual Process | This rule triggers when a process that is not expected to have child processes launches one.
Excessive Administrative Share Access Failures from the Same Host | Detects repeated failures to access administrative shares from the same host.
Thread Creation by a Process Launched from a Temp Directory | This rule triggers when a thread is created by a process launched from a temp directory.
Detected an Unquoted Service Binary Path with Spaces | Detects if an unquoted service binary path contains spaces. A file path that is not enclosed within quotation marks and contains spaces can be leveraged.
Service Binary Path Update Followed by Network Connection | Detects when a process configures or adds a service and the same process then creates an outbound connection.
PsExec Process Masquerading | This rule triggers when the PsExec IMP hash is detected under another process name.
Process Launched from a Temp Directory | This rule triggers when a process is launched from a temp directory. Temporary directories are common staging locations for malware execution or data exfiltration.
Unusual Parent for a System Process | This rule triggers when an unusual parent is found for a system process.
Thread Creation into lsass Process | This rule triggers when a thread is created in the lsass process.
Fileless UAC Bypass using sdclt | This rule triggers when a UAC bypass using sdclt has been detected.
Unsigned Executable Loaded in lsass | This rule triggers when an unsigned driver is loaded in lsass.
Rundll32 with qwerty Argument Usage | This rule triggers when rundll32 is executed with the qwerty argument, which could indicate the presence of Locky-type ransomware.
Service Configured to Use a Pipe | This rule triggers when a service is configured to use a pipe.
Remote Process Execution on Multiple Hosts | This rule triggers when a remote management service is creating processes on multiple hosts.
Service Configured to Use Powershell | This rule triggers when a service is configured to use PowerShell.
Scheduled Task Created on Multiple Hosts | This rule triggers when a scheduled task has been created on multiple hosts.
Service Binary Located in a Shared Folder | This rule triggers when a service binary is located in a shared folder.
Process Launched from a Shared Folder | This rule triggers when a process is launched from a shared folder.
Fileless UAC Bypass using Fodhelper | This rule triggers when a UAC bypass using Fodhelper has been detected.
Shadow Copies Deletion | This rule triggers when deletion of shadow copies is detected.
Potential Credential Dumping Tool Detected | This rule triggers when a potential credential dumping tool is detected.
Pipe Created Followed by Service Binary Path Update | This rule triggers when a pipe is created and the service binary path is updated to connect to it.
Scheduled Task Created on a Compromised Host | This rule triggers when a scheduled task has been created on a compromised host.
Lsass Process Connected to a Pipe | This rule triggers when the lsass process is connected to a pipe.
Thread Creation into a System Process | This rule triggers when a process creates a thread in a system process.
Malicious Service Installed | This rule triggers when a service categorized as malicious has been installed.
Hidden Network Share Added | This rule triggers when a hidden network share has been added.
Thread Creation into a Process Different from the Initial One | This rule triggers when a process creates a thread in another process.
Network Share Added to a Compromised Host | This rule triggers when a network share has been added to a compromised host.
System Process Launched from Unusual Directory | This rule triggers when a system process is launched from an unusual directory.
Encoded Command Malicious Usage in a Programming Environment | This rule triggers when an encoded command is used in a programming environment such as cmd or PowerShell.


Troubleshooting


  1. Make sure that winlogbeat is configured for Sysmon.
  2. Make sure you have synced the logs.

    C:\.armor\opt\armor.exe logging sync-event-logs