Sysmon Framework is a set of correlation rules and dashboards that visualize multiple security checks over Sysmon events from Windows hosts. Sysmon is the de facto standard for extending the native Windows audit: it lets you detect anomalies and suspicious events on Windows hosts, collect SHA-256 hashes of every executed binary, and more. Further analysis is still needed to determine whether a hit is caused by malware, a user's attempt to leak data, or something benign. Sysmon Framework contains 26 scenarios recommended for SOC monitoring and early detection of APT activity.
Top 5 value points of Sysmon Framework:
- Content is developed and tested at SOC Prime.
- It can be deployed in a matter of minutes.
- Requires low tuning effort. Sysmon itself, however, needs thorough configuration during deployment. Our recommendation is to start with minimal auditing parameters enabled and widen them as the SOC absorbs the volume. Use caution when logging URLs: they are high-volume and can contain sensitive data. Our favorite configuration for Sysmon is the one by SwiftOnSecurity: https://github.com/SwiftOnSecurity/sysmon-config
- The package provides actionable dashboards along with a SOC channel that highlights events of interest for SOC analysts.
- Can be combined with the Hash analytics content to check all discovered hashes against baselines and threat intelligence.
Data is collected with the ArcSight Windows Native Connector (WINC for short) plus a FlexConnector developed by Kevin Quinlan, a seasoned ArcSight expert formerly on the HPE team (now DXC). Kevin freely shares the FlexConnector on his personal GitHub, https://github.com/S3COPS/ArcSight-Sysmon-FlexConnector, and on the Micro Focus ArcSight Marketplace: https://marketplace.microfocus.com/arcsight/content/microsoft-sysmon-flexconnector
Sysmon Framework contains a total of 26 correlation rules; 6 of them are based on Sigma rules available at https://github.com/Neo23x0/sigma. Sigma is a generic, open signature format for SIEM detection content: a high-level language in the way Snort is for IDS or YARA is for malicious files. The Sigma standard is free and open source, developed independently by Florian Roth and Thomas Patzke.
Sysmon itself is the work of Mark Russinovich and Thomas Garnier. They provide extensive configuration guidelines at https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
It can be rolled out across an organization via GPO in an automated and efficient manner, since it installs as a Windows service backed by a kernel driver.
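The "start minimal, then tune" advice above and the GPO rollout go together in practice: a computer startup script that installs Sysmon on first run and only pushes a new configuration when the config file actually changed. The script below is an added example and is not part of SOC Prime's Sysmon Framework, the SwiftOnSecurity config, or Kevin Quinlan's FlexConnector. It assumes a hypothetical read-only share \\fileserver\sysmon holding Sysmon64.exe and the chosen config XML, that the service name is the 64-bit default Sysmon64, and that the installed Sysmon binary supports the schemaversion used in the fallback config; the fallback config itself is a constructed minimal example, not a SOC Prime recommendation.

```powershell
# Added example: idempotent Sysmon install/update for a GPO computer startup script
# (runs as SYSTEM, so no elevation prompt). Not code from the Sysmon Framework.
#
# Assumptions (hypothetical, change for your environment):
#   - Sysmon64.exe and the config XML are published on a read-only share.
#   - The service name is 'Sysmon64' (default for the 64-bit binary).
#   - schemaversion 4.22 (Sysmon 10+) is supported by the staged binary.

$Share      = '\\fileserver\sysmon'                        # hypothetical UNC path
$Binary     = Join-Path $Share 'Sysmon64.exe'
$ConfigSrc  = Join-Path $Share 'sysmonconfig-export.xml'   # e.g. the SwiftOnSecurity config
$StateDir   = Join-Path $env:ProgramData 'SysmonDeploy'
$ConfigDst  = Join-Path $StateDir 'sysmon.xml'
$HashMarker = Join-Path $StateDir 'applied.sha256'
$LogFile    = Join-Path $StateDir 'deploy.log'

# Constructed minimal fallback config, used only if the share is unreachable on first
# install: log every process creation with SHA-256 hashes ('exclude' with no rules logs
# everything) and silence the noisy event types ('include' with no rules logs nothing)
# until they have been tuned. Event types not listed keep Sysmon's built-in defaults.
$MinimalConfig = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <NetworkConnect onmatch="include" />
    <ImageLoad onmatch="include" />
    <CreateRemoteThread onmatch="include" />
    <ProcessAccess onmatch="include" />
    <FileCreate onmatch="include" />
    <RegistryEvent onmatch="include" />
    <DnsQuery onmatch="include" />
  </EventFiltering>
</Sysmon>
'@

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Invoke-Sysmon([string[]]$Arguments) {
    # Always pass -accepteula so an unattended install never blocks on the EULA dialog.
    $p = Start-Process -FilePath (Join-Path $StateDir 'Sysmon64.exe') `
                       -ArgumentList (@('-accepteula') + $Arguments) `
                       -Wait -PassThru -NoNewWindow
    Write-Log "sysmon $($Arguments -join ' ') exited with $($p.ExitCode)"
    return $p.ExitCode
}

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

# Stage the binary locally so the installed service never depends on the share.
if (-not (Test-Path (Join-Path $StateDir 'Sysmon64.exe'))) {
    Copy-Item -Path $Binary -Destination $StateDir -ErrorAction Stop
}

# Prefer the centrally managed config; fall back to the minimal one on first install.
if (Test-Path $ConfigSrc) {
    Copy-Item -Path $ConfigSrc -Destination $ConfigDst -Force
} elseif (-not (Test-Path $ConfigDst)) {
    Write-Log 'config share unreachable, writing minimal fallback config'
    Set-Content -Path $ConfigDst -Value $MinimalConfig -Encoding ascii
}

# Compare the config hash with the one last applied so reboots do not churn the driver.
$NewHash = (Get-FileHash -Path $ConfigDst -Algorithm SHA256).Hash
$OldHash = if (Test-Path $HashMarker) { (Get-Content $HashMarker -Raw).Trim() } else { '' }

$Service = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue

if ($null -eq $Service) {
    # Fresh install: -i loads the driver and registers the service with this config.
    $rc = Invoke-Sysmon @('-i', $ConfigDst)
} elseif ($NewHash -ne $OldHash) {
    # Already installed: -c applies the new config without reinstalling the driver.
    $rc = Invoke-Sysmon @('-c', $ConfigDst)
} else {
    Write-Log "config unchanged ($NewHash), nothing to do"
    exit 0
}

if ($rc -eq 0) {
    Set-Content -Path $HashMarker -Value $NewHash -Encoding ascii
} else {
    Write-Log "Sysmon returned $rc; keeping previous config marker"
    exit $rc
}
```

Link the script as a Computer Configuration startup script in the GPO that targets the OUs you want covered; because it is idempotent, it is safe to leave in place and re-run at every boot. Upgrading the Sysmon binary itself is deliberately out of scope here (that requires -u followed by -i), as is the DnsQuery line, which must be dropped, together with a lower schemaversion, on Sysmon builds older than 10.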