Enabling Windows Sysmon Analysis

1. Initially, the Elastic server connection setting should be set from the SUPERORG settings for on-premise deployments. Please switch to SUPERORG from the top left organization selector and select "Security Management" -> "Settings". From this section, configure the Elastic username and password. By default, Elastic uses port 9200.

2. From "Rules & Policies" -> "Artifact Collection Parameters" -> "Windows Sysmon Rules" menu, rules for collecting logs are configured. The rules specify how sysmon logs are collected. Sysmon log collection takes place through a sysmon configuration file. The rules in this section are used to construct the configuration file. Based on the rules in this section, policies are used to define which sysmon rules will be used to enable sysmon log collection. The system provides built-in rules for sysmon collection. The “…” button allows the cloning of a rule for customization. It is recommended to clone the rules for modification. A new rule can be created by clicking the “+” button.

3. A sysmon rule consists of the below sections for configuration:

a. Events: The sysmon events the rule will be applied. A rule can be used for different events for inclusion or exclusion.

b. Name: The name given to a rule.

c. Description: An optional description is given to the rule.

d. Filtering Level: An optional value to specify the filtering level for the rule can be configured. This value is used to group rules for easier separation.

e. Condition: Conditions for the rules are defined in this section. The selector can be used to add a condition. The rule is edited using the edit button. It is also recommended to expand the rules for easier editing/viewing with the expand button.

f. Type: A rule can be used for inclusion or exclusion and is configured using the type parameter.

4. Through the sysmon analysis screen accessed from "Threat Hunting" -> "Analysis & Investigation" -> "Windows Sysmon Analysis", sysmon rules can be modified. The right-click action on the value to be added enables the direct addition of a log property to the rule. Right-click -> "Sysmon Rules Mgmt." -> "Add to Image & Network Access Exclusions" action is used to add the value to a sysmon rules.

5. When sysmon is enabled, the system deploys the sysmon service with specific configuration parameters. It is recommended to leave them with the default settings but it can be changed from the "Threat Hunting" -> "Hunting Settings" -> "Agent & Sensor Settings".

6. Once the rules are configured, a policy should be created to select which Sysmon rules will be used to construct the Sysmon configuration file. Create a policy from "Rules & Policies" -> "Policy Management" -> "Policy Rules" with the type "Windows Sysmon Analysis" available from "Windows" -> "Windows Sysmon Analysis" selectors. From the policy settings, set the time interval for log collection and the rules for config file creation. The policy “Exclusion Filters” can also be used to exclude specific logs from collection through a string match. “,” can be used to specify multiple string values.

7. The final step is to assign the policy to the groups. From "Policy Management" -> "Group Management" settings, choose the created policy. The group members will retrieve the policy and start the log collection.

8. The Agent or broker will install the Sysmon service and apply the configuration file for collection.