Enhance Windows Anomaly Detection with Sysmon
In my last post I covered how you can centralize your Windows logs on one system, send them as JSON for full detail, and use Immediate Insight's fast search and analytics to investigate alerts and discover the unknown. Now - let's take it a step further and use Sysinternals' Sysmon to capture rich details from your workstations and servers. Details like process creation/termination, file creation, driver load, network connections, and more. All of this data can then be rapidly queried, correlated, and alerted upon within Immediate Insight.
- Download Sysmon - I personally place all of my utilities in a folder called C:Util and then I add that folder to the system's path as shown below.
- You're now ready to install and configure Sysmon for your environment. This component requires some planning - as Sysmon generates a ton of log data. However, the quality of that data is quite high - so you'll want to balance the configuration between your storage retention capabilities and your security requirements.You can also chose to just load a quick default configuration:
sysmon -i - accepteula -h md5 -n -l
The above installs Sysmon as a service (so it will survive reboots) and will collect data on the loading of modules, log network connections, and record MD5 hashes for any processes created.
If you want to get more in-depth: here are links to two Sysmon configuration XML files that you can review and edit on your own, conveniently pre-configured for both servers and workstations. They are excellent starting points.
- Create a subscription for collecting remote Sysmon events (very much like what you did in the last blog post for standard Windows logs).
Select the computers from where you want to collect the Sysmon data:
Define the query filter to grab the Sysmon events:
Unfortunately, by default, Windows Event Collector will be unable to access the Sysmon logs in the same way as it does standard logs (Application, Security, System, etc.).
You will need to set additional permissions. For each server or workstation that will be running Sysmon and centralizing those logs you will need to add the Network Service local account and the event collector local computer account into the Event Log Readers local group:
You will also need to use your domain's (or if you lack a domain - set it locally on each machine) Group Policy Management Editor to give those same two accounts permission to Manage auditing and security log as shown:
Finally - reboot each changed machine. Hey - I didn't say this would be completely easy. :)
- The end result is great looking Sysmon data coming into your Immediate Insight system in JSON. Here they are under the Microscope in Immediate Insight (a great place to examine your data in great forensic-esque detail):
Use Association Analytics to examine patterns of frequency and infrequency within your dataset - entities, geolocated locations (at time of data ingestion), IP addresses, networks, and more...rapidly investigate what is outside of the normal.
Use Event Clusters to investigate a large dataset rapidly - Immediate Insight finds commonality in your data and puts it in buckets so you can find both common and unusual anomalies quickly. What data looks strange?
Visualize your data using the Timeline. Look for outliers - spikes in traffic or strange locations (either in the U.S. or in the World).
Check Activity & Change to investigate how your data has changed since other periods of time - is traffic significantly higher than a normal Monday at this time? Significantly lower? Dig in! Find new data that wasn't there before - is it just a new system or application coming online or is it something anomalous?
Take a look at the Firehose to see the data streaming in live - pause and filter to troubleshoot in real-time when there is an ongoing issue or incident:
Thanks for reading - I hope that you found this post useful. Sysmon is an incredibly powerful tool that makes Windows logs substantially more valuable - it is very worth the effort to deploy it where it makes sense within your organization.