microsoft/sysmon

VendorMicrosoft Corporation
AuthorCrowdStrike
Version1.1.0
Minimum LogScale Version1.82.0

Monitor system changes and set up alerts for anomalous events by ingesting Microsoft Sysmon logs into LogScale.

System Monitor (Sysmon) is a Windows system service and device driver that once installed remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. Sysmon logs provide a more detailed view of system activity than what users can get out of the endpoint sensor. This includes information on process creation and termination, network connections, file creation, and more.

This package provides a parser for Sysmon events in JSON format.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) 1.0 for more details on the new parser schema.

Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.

Configuration and Sending The Logs to LogScale

See Microsoft's Specification manual for information on how to send Sysmon logs to Falcon Log Collector.

Installing the Sysmon Package in LogScale

  1. Download and install sysmon on your Windows machine: sysmon download.

  2. Use the default configuration, or make changes based on your individual needs. Here is a sample configuration.

  3. Find the repository where you want to send the logs, or create a new one.

    1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

    2. Click Marketplace and install the LogScale package for Windows System Monitor (i.e. microsoft/sysmon).

    3. When the package has finished installing, click Ingest tokens on the left (still under the Settings, see Ingest Tokens).

    4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g.the name of the server and the name of the server the token is ingesting logs for), and leave the parser unassigned. You can assign the microsoft-sysmon parser to the LogScale Collector Configuration as described in the documentation Sources & Examples.

      Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

    Next, configure the Falcon LogScale Collector to ship the logs into LogScale. Follow LogScale Collector Install Falcon Log Collector and Configure Falcon Log Collector. LogScale Collector documentation also provides an example of how you can configure your datasource, see Windows Event Log Example.

Enrolling Log Collector on a Windows Machine

To enroll a LogCollector on a Windows machine, use the following configuration: 

sources:
  windows_sysmon:
    type: wineventlog
    channels:
      - name: Microsoft-Windows-Sysmon/Operational
    ## Set language to en-US
    language: 1033
    ## Don't send the raw XML
    includeXML: false
    sink: logscale
sinks:
  logscale:
    type: humio
    ## ingest token, replace with token assigned to the sysmonparser microsoft-sysmon
    token:  <ingest token>
    ## Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://cloud.community.humio.com/
    ## Keep this option as "none" unless you actually need a proxy.
    proxy: none
    ## This sets the maximum allowed single event size to 1 MB;larger messages will be truncated
    maxEventSize: 1048576

Note

You will need to replace the token and ingest URL with values relevant to your environment. See Ingest Tokens for more information.

Note

The type must be wineventlog and channel must be set to: Microsoft-Windows-Sysmon/Operational

Verify Data is Arriving in LogScale

Once you have completed the above steps the data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #Vendor = "microsoft" | #event.module = "sysmon"| #event.dataset := "windows.sysmon" to see the events.