Managing Sysmon Rules
Last updated
Last updated
Sysmon rules are managed through Sysmon Rules. The created rules are then used in policies. Sysmon policy creates the Sysmon configuration file dynamically based on the selected rules.
The rules are defined in "Rules & Policies" -> "Artifact Classification Parameters" -> "Windows Sysmon Rules". Each rule consists of the following parameters:
· Events: Sysmon event IDs are included in the rules. The conditions are added to the event setting in the sysmon configuration based on the events selected.
· Name: Name given to rule.
· Description: Description given to rules.
· Rule Tags: Policies use TAGS to select which rules will be active. TAGS enable easier selection of rule sets.
· Filtering Level: Filtering levels guide users on the level of filtering the rule will execute. It can be low, medium or high.
· Origin: Global rules are synchronized from the threat intelligence db. When a user creates a new rule, they are set as "User Defined."
· Condition: Condition defines the Sysmon configuration to be applied. More information is available from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon.
· Type: Sysmon configuration has two parts for every event id in the configuration file. The rule can be used for inclusion or exclusion. The purpose of the rule is defined here.
The rules can be edited directly from the Windows Sysmon Rules or the sysmon analysis grid. The sysmon analysis grid provides an easier way to add new items to the rules, as detailed below.
From the sysmon analysis grid, when right-clicking a value, the values can be added to the sysmon rules by selecting the "Rule Management" -> "Add to Sysmon" action. The system will request which rule the user will add the value. The users can also choose which parameters will be used. Upon completion, the new value will be added to the end of the "Condition" section of the rule.
The sysmon analysis grid can also add value to the built-in rules. This method is easier. The selected rule is added to the built-in rules, enabling users to add exclusions more easily. There are five built-in rules:
Sysmon Rules -> Add to Image Exclusions (Event ID 1,2,5,7,9,11,12,15,26 adds <Image>)
Sysmon Rules -> Add to Process Access Exclusions (Event ID 10 adds <SourceImage>)
Sysmon Rules -> Add to Network Access Exclusion Rules (Event ID 3,22 adds <Image>)
Sysmon Rules -> Add to Process Creation Exclusions (Event ID 1 adds <Image>. <CommandLine>, <ParentImage>, <ParentCommandLine>)
Sysmon Rules -> Add to IP Address Exclusions (Event ID 3 adds <DestinationIp>)
Sysmon Rules -> Add to Process DNS Query Exclusions (Event ID 22 adds <QueryName> )
