Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM

First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn. As of this writing, the latest version of Sysmon is 15.5.

Once the download is complete, unzip the file.

Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config:

🔗 https://github.com/SwiftOnSecurity/sysmon-config

We will download this configuration for our setup.

We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below.

We can use net start Sysmon64 to start the service; running net start on its own lists all started services, so Sysmon64 should appear in that list.

To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, where you should see the corresponding event IDs.
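The install, start and verification steps above, written out as an added PowerShell example (this is not code from the original post). It assumes an elevated session, that Sysmon64.exe and the SwiftOnSecurity configuration file (named sysmonconfig-export.xml in that repository) were extracted to C:\Tools\Sysmon, and it uses only documented Sysmon switches (-accepteula, -i, -c).

```powershell
# Added example (not from the original post): install Sysmon with the
# SwiftOnSecurity configuration and verify that it is logging.
# Assumed: elevated PowerShell, Sysmon64.exe and sysmonconfig-export.xml
# extracted to C:\Tools\Sysmon.

Set-Location -Path 'C:\Tools\Sysmon'   # assumed extraction folder

# -accepteula skips the EULA prompt; -i installs the service and driver
# using the given configuration file.
.\Sysmon64.exe -accepteula -i .\sysmonconfig-export.xml

# Equivalent of 'net start Sysmon64': make sure the service is running.
Start-Service -Name Sysmon64
Get-Service -Name Sysmon64 | Select-Object Name, Status, StartType

# Verification: the Operational channel should start filling immediately.
# Count the most recent events per Sysmon event ID (1 = process creation,
# 3 = network connection, 11 = file creation, and so on), which is the
# same information the Event Viewer view in the post shows.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 500 |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{Name = 'EventId'; Expression = { $_.Name }}, Count

# Dump the configuration Sysmon is currently running with, so you can
# confirm the SwiftOnSecurity rules (not the default config) were loaded.
.\Sysmon64.exe -c
```

If the event count query returns nothing, check that the service is running and that the configuration file path passed to -i was correct; Sysmon installed without a configuration logs only a small default set of events.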



Now let's ingest Sysmon and Windows Defender logs into Elasticsearch.

Click Add integrations and the page below will appear.

From here, there are numerous integrations available for installing and collecting logs. Since we're focusing on Sysmon and Microsoft Defender, you can simply search for them in the search bar.

This is not the one we want, since we need the Windows integration; let's search for it instead, as shown below.

If we scroll down, we will see the available fields that are included in this package.

Let's now add this package and complete the required details to install it in our Elasticsearch.

Next, for the Channel Name, go to your Windows host: Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon, right-click Operational, and select Properties.

Now add this integration to the Windows agent we created. After that, let's add another one for Windows Defender.

Similarly, for Windows Defender, go to your Windows host: Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender, right-click Operational, and select Properties.

We will also add event IDs 1116 and 1117, which are related to Windows Defender's activity. Event ID 1116 logs when a threat is detected, and Event ID 1117 records when a threat is successfully remediated. These events can provide valuable insights into the protection status and actions taken by Windows Defender.

These events will be triggered when malware is detected.

We will also add Event ID 5001, which logs when Microsoft Defender Antivirus is disabled. This ensures that any changes to Defender’s status will be captured and passed to our SIEM for further analysis.
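An added PowerShell example (not code from the original post) that covers the two Properties lookups above and the event IDs chosen for the Defender integration: it lists both Operational channels by the "Full Name" that the Properties dialog shows and that the integration expects as Channel Name, then pulls only events 1116, 1117 and 5001 from the Defender log so you can confirm on the host what should later appear in Kibana. The channel names are the standard ones on Windows; the -MaxEvents limit is an arbitrary choice.

```powershell
# Added example (not from the original post): look up the channel names to
# enter in the integrations and confirm the forwarded Defender event IDs
# exist locally before checking the SIEM.

# Standard channel names; they match the 'Full Name' field in each log's
# Properties dialog in Event Viewer.
$channels = @(
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-Windows Defender/Operational'
)

# RecordCount shows whether anything has been written to each channel yet.
Get-WinEvent -ListLog $channels |
    Select-Object LogName, RecordCount, IsEnabled

# Pull only the Defender events we forward: 1116 (threat detected),
# 1117 (threat remediated) and 5001 (Defender real-time protection disabled).
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117, 5001
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No matching Defender events yet; disabling Defender, as tested later in the post, produces a 5001.'
}
else {
    # First line of the message is enough to identify the detection or state change.
    $events |
        Select-Object TimeCreated, Id,
            @{Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] }}
}

# Current protection state, useful to correlate with a 5001 seen in Discover.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled
```

Running this before and after the Defender test later in the post gives a quick local reference: if 5001 shows up here but not in Discover, the problem is the integration or the agent, not the host.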

After saving, click the hamburger menu and select Discover.

Filtering on winlog.event_id will display all Windows event logs. Now, let's restart the Elasticsearch service by navigating to Services.

We can now see Sysmon as an event provider. Next, let's test the Microsoft Defender integration by disabling Defender.

To conclude, we've successfully installed and enabled Sysmon on our Windows host, configured it to log critical system events, and ingested both Sysmon and Windows Defender logs into our Elasticsearch SIEM for centralized monitoring. This setup enhances our ability to track system activities and detect potential security incidents in real-time.