sysmon - mirpag/SEC-350-Final-Project GitHub Wiki

Installing Sysmon

Sysmon itself is quick to install on Windows. The automated script below (Blumira's Poshim) does it in one line, but be aware of what it is: it installs Sysmon together with Blumira's own log-forwarding agent, configured to ship logs to a Blumira sensor. If all you want is Sysmon feeding Graylog, installing Sysmon directly from Sysinternals (Sysmon64.exe -accepteula -i <config.xml>) is the leaner option.

To install with the script, open PowerShell as an administrator and paste the following command line. A.B.C.D is the IP address of the Blumira sensor the forwarder should send to; replace it with yours. Then you're done.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/agent/poshim.ps1 }| iex; Blumira-Agent -Install -Sensor A.B.C.D

Before going further, note that this one-liner fetches the script over plain http and pipes it straight into iex; the TLS 1.2 line does nothing for a plaintext fetch. On any network you do not fully trust, download poshim.ps1 first (over https if Blumira serves it that way), read what it installs, and only then run it.

Sysmon writes to its own event channel. In Event Viewer it is under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational; the channel's internal name is Microsoft-Windows-Sysmon/Operational, which is the name the collector configuration later in this page refers to.
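As an added example (not part of the wiki, and not Blumira's script), here is the direct route: install Sysmon from Sysinternals in PowerShell over https, refuse to run the binary unless its Authenticode signature validates, and confirm afterwards that the Operational channel is receiving events. Assumptions: 64-bit Windows, PowerShell run as administrator, outbound https to download.sysinternals.com, and an optional Sysmon config file of your own whose path you put in $ConfigPath (a hypothetical path; leave it empty to install Sysmon's default rule set).

```powershell
# Added example: install Sysmon from Sysinternals directly (not the wiki's Blumira/poshim route).
# Assumptions: run as Administrator on 64-bit Windows; https to download.sysinternals.com allowed;
# $ConfigPath is a local Sysmon config of your own (hypothetical path) or '' for Sysmon's defaults.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$WorkDir    = Join-Path $env:TEMP 'sysmon-install'
$ConfigPath = ''    # e.g. 'C:\sysmon\sysmonconfig.xml' (assumed path, not from the wiki)
$ZipUrl     = 'https://download.sysinternals.com/files/Sysmon.zip'   # official download, TLS only

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Invoke-WebRequest -Uri $ZipUrl -OutFile (Join-Path $WorkDir 'Sysmon.zip') -UseBasicParsing
Expand-Archive -Path (Join-Path $WorkDir 'Sysmon.zip') -DestinationPath $WorkDir -Force

# Do not execute the binary unless its Microsoft Authenticode signature validates.
$Exe = Join-Path $WorkDir 'Sysmon64.exe'
$Sig = Get-AuthenticodeSignature -FilePath $Exe
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to run $Exe : signature status $($Sig.Status), signer $($Sig.SignerCertificate.Subject)"
}

if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    # Already installed: only (re)load the configuration, never reinstall the driver.
    if ($ConfigPath) {
        & $Exe -accepteula -c $ConfigPath
    } else {
        Write-Host 'Sysmon64 is already installed and no config was given; leaving it as is'
    }
} elseif ($ConfigPath) {
    & $Exe -accepteula -i $ConfigPath    # install with your rule set
} else {
    & $Exe -accepteula -i                # install with Sysmon's default rule set
}

# Verify: the service is running and the Operational channel is receiving events.
Get-Service -Name 'Sysmon64' | Select-Object Name, Status
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Task'; e = { $_.TaskDisplayName } } |
    Format-Table -AutoSize
```

The signature check matters more than it looks: the page's own one-liner trusts whatever an http URL returns, whereas here the only thing trusted is Microsoft's code-signing certificate on the binary that will be loaded as a kernel driver.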

Integrating Sysmon with Graylog

First, we are going to create a new Beats input, which is what winlogbeat on the Windows host will send to.

  1. Navigate to System->Inputs.
  2. Select Beats in the input dropdown and click the Launch new input button.
  3. Give the input a title, bind it to the Graylog node's address (0.0.0.0 to listen on all interfaces), and leave the port at 5044; this must match the port in the winlogbeat configuration later on this page. Open that port in the Graylog host's firewall if needed.

[screenshot: Beats input configuration]

Next, we are going configure a Graylog sidecar for windows.

  1. Go to System->Sidecars and click the text: Create or reuse a token for the graylog-sidecar user
  2. Enter "Windows" in the Token Name field
  3. Click the Create token button. Save this token somewhere safe so you can use it later

Now, we need to configure the sidecar service on Windows. You can do this two ways: through the installer GUI or through PowerShell. We will use PowerShell. Note that in PowerShell, wget is only an alias for Invoke-WebRequest, which does not write a file unless you pass -OutFile, so download the installer to a known name and then run that file:

Invoke-WebRequest -Uri https://github.com/Graylog2/collector-sidecar/releases/download/1.1.0/graylog_sidecar_installer_1.1.0-1.exe -OutFile sidecar.exe
./sidecar.exe /S -SERVERURL=http://log01:9000/api -APITOKEN=yourapitoken

Replace log01 with your Graylog host and yourapitoken with the token created above. The sidecar presents this token to the API on every check-in, so with a plain http URL it crosses the network in clear text; put TLS on the Graylog web interface/API and use an https URL where you can.

Then, install the service and start it

cd 'C:\Program Files\Graylog\sidecar\'
./graylog-sidecar.exe -service install
./graylog-sidecar.exe -service start

If everything went correctly, your Windows host (srv1 in this lab) appears in the Sidecars overview within a minute or so.

If not, check C:\Program Files\Graylog\sidecar\sidecar.yml: server_url must point at the Graylog API (http://log01:9000/api here) and server_api_token must hold the token. After editing, restart the graylog-sidecar Windows service and look at the sidecar log in the logs folder; a 401 from the API means the token is wrong, a connection error means the host or port is.
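As an added check (not part of the wiki), the following PowerShell snippet goes through the usual failure points in one pass: service state, the two settings in sidecar.yml, TCP reachability of the API port and the Beats port, and the tail of the sidecar log. Assumptions: the sidecar is installed in its default directory, the Windows service is named graylog-sidecar (the name the -service install step registers), the Graylog host is log01 as in the wiki, and the sidecar log is logs\sidecar.log under that directory.

```powershell
# Added example: sanity-check a Windows Graylog sidecar installation. Not from the wiki.
# Assumptions: default install path, service name 'graylog-sidecar', Graylog host 'log01',
# API on 9000 and Beats input on 5044, sidecar log at logs\sidecar.log.
$SidecarDir  = 'C:\Program Files\Graylog\sidecar'
$GraylogHost = 'log01'

# 1. Is the service installed and running?
$Svc = Get-Service -Name 'graylog-sidecar' -ErrorAction SilentlyContinue
if (-not $Svc) { Write-Warning 'graylog-sidecar service not found; run graylog-sidecar.exe -service install' }
else           { '{0}: {1} ({2})' -f $Svc.Name, $Svc.Status, $Svc.StartType }

# 2. sidecar.yml: URL and token present, URL not plaintext.
$Yml       = Get-Content -Path (Join-Path $SidecarDir 'sidecar.yml')
$ServerUrl = ($Yml | Where-Object { $_ -match '^\s*server_url:' }) `
             -replace '^\s*server_url:\s*"?([^"\s]*)"?.*$', '$1'
$Token     = ($Yml | Where-Object { $_ -match '^\s*server_api_token:' }) `
             -replace '^\s*server_api_token:\s*"?([^"\s]*)"?.*$', '$1'
"server_url = $ServerUrl"
if (-not $Token)                 { Write-Warning 'server_api_token is empty; paste the token from System -> Sidecars' }
if ($ServerUrl -like 'http://*') { Write-Warning 'server_url is plain http: the API token is sent in clear text; use https' }

# 3. Can this host reach the API (sidecar check-in) and the Beats input (winlogbeat output)?
foreach ($Port in 9000, 5044) {
    $r = Test-NetConnection -ComputerName $GraylogHost -Port $Port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $GraylogHost, $Port, $r.TcpTestSucceeded
}

# 4. Recent sidecar log lines; a 401 here means the token is wrong, not the network.
$Log = Join-Path $SidecarDir 'logs\sidecar.log'
if (Test-Path $Log) { Get-Content -Path $Log -Tail 20 } else { Write-Warning "no log at $Log yet" }
```

Run it on the Windows host after the service start; if 9000 is reachable but 5044 is not, the sidecar will register fine while winlogbeat silently fails to deliver, which is the more confusing of the two failures.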

Now, it's time to configure the winlogbeat collector.

  1. Navigate to System->sidecars
  2. Open the Configuration tab (left-hand side) and click Create Configuration.
  3. Input a name -> I used winlogbeat.
  4. change the configuration color if desired
  5. Change the collector to winlogbeat on Windows
  6. In your configuration field, you should have the following already:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["<your_graylog_ip>:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security

We will modify this so we only get the Sysmon logs, i.e. the three default channels are replaced by the Sysmon channel. Do that only if another collector already ships Security, System and Application from this host: the Security log (logons, 4688 process creation, account changes) is not something to drop lightly, and keeping those entries and adding the Sysmon line to the list works just as well. The Sysmon-only version looks like this:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["<your_graylog_ip>:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Microsoft-Windows-Sysmon/Operational

Save this. Then assign the configuration to the host: open the Administration tab under System->Sidecars, tick the winlogbeat collector for your host, and choose Configure -> the configuration you just created. The sidecar picks it up on its next check-in and starts winlogbeat; until the configuration is assigned, nothing runs. Graylog will now be receiving the more verbose Sysmon events, which you can confirm with Show received messages on the Beats input under System->Inputs.
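As an added example (not the wiki's configuration), this is the variant that keeps the built-in channels and adds the Sysmon channel, with the Security channel trimmed to a handful of event IDs so the volume stays manageable. <your_graylog_ip> is the wiki's placeholder; the event ID list and the 72h ignore_older window are choices for this example, not requirements.

```yaml
# Added example: ship the default channels AND the Sysmon channel (not the wiki's Sysmon-only version).
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["<your_graylog_ip>:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
      ignore_older: 72h          # do not replay the whole channel on first start
    - name: System
      ignore_older: 72h
    - name: Security
      # logon success/failure, process creation, new service, audit policy change,
      # user created, member added to global/local group
      event_id: 4624, 4625, 4688, 4697, 4719, 4720, 4728, 4732
      ignore_older: 72h
    - name: Microsoft-Windows-Sysmon/Operational
      ignore_older: 72h
```

winlogbeat's event_id filter takes a comma-separated list and accepts negated IDs (for example -4634 to drop logoff events), so the same mechanism can be used on the Sysmon channel to silence a chatty event type without touching the Sysmon config itself.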


Creating a Windows files Stream

  1. First, navigate to System->Indices.
  2. Click the Create index set button.
  3. Set the index title and description, and the index prefix (lowercase, no spaces; Graylog names the physical indices <prefix>_0, <prefix>_1 and so on). Naming the prefix the same as the title keeps things easy to find. Adjust rotation and retention if Sysmon data should be kept for a different period than the default set, then save.

[screenshot: index set configuration]

Navigate to Streams in Graylog. Click the Create Stream button. Add a title and description. Then, select the index set you made earlier.

[screenshot: stream creation]

Scroll down to your newly created stream and click Manage rules. To load a sample message to test the rules against, open the Message ID tab and paste the message ID of a file-related Sysmon message together with the index it is stored in (open any Sysmon message in the search view to see both). In this lab the messages were still in graylog_0, the default index set, because the stream that routes them to the new index set does not exist yet.

Now we can add stream rules. Sysmon records file activity under several event IDs: 11 (FileCreate), 23 (FileDelete, file archived), 26 (FileDeleteDetected), 2 (file creation time changed) and 15 (FileCreateStreamHash, alternate data streams). Add one rule per event ID: field = the event ID field as winlogbeat named it in your sample message (check the loaded message rather than guessing the name), type = match exactly, value = the ID. A single message carries exactly one event ID, so it can never match all of these rules at once; set the stream to "A message must match at least one of the following rules", or nothing will ever be routed. My rules looked like the following:

[screenshot: stream rules, one exact-match rule per Sysmon event ID]

Make sure to hit the I'm done! button after entering your rules. Then test the stream against the loaded sample message; the rule list shows which rules matched. A new stream is created paused, so click Start stream on the Streams page once the rules are right. Only messages arriving after that are routed (and stored in the index set you chose); older ones stay where they are.

[screenshot: stream rule test result]
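The same stream can be created through Graylog's REST API, which is handy when the index set, stream and rules have to be reproduced on a second instance. The following PowerShell script is an added example, not a step from the wiki. Everything about the API here is an assumption to verify against your own instance's API browser (System -> Nodes -> API browser): the endpoints /system/indices/index_sets, /streams and /streams/{id}/resume, rule type 1 meaning "match exactly", and the X-Requested-By header Graylog requires. Also assumed: Graylog at http://log01:9000 as in the wiki, an index set already created with the title in $IndexName, and the event ID field named winlogbeat_winlog_event_id (open any Sysmon message in Graylog and copy the real name into $IdField).

```powershell
# Added example (not the wiki's own steps): create the Windows files stream and its Sysmon
# rules via the Graylog REST API. Endpoints, rule type codes and field names are assumptions;
# check them in your instance's API browser before relying on this.
$ErrorActionPreference = 'Stop'
$Base      = 'http://log01:9000/api'            # wiki's host; prefer https in real use
$IndexName = 'windows-files'                   # title of the index set created under System -> Indices
$IdField   = 'winlogbeat_winlog_event_id'      # assumed; copy the exact field name from a real message
$Cred      = Get-Credential -Message 'Graylog admin user'

# Sysmon event IDs that describe file activity:
#  2 = file creation time changed   11 = FileCreate         15 = FileCreateStreamHash (ADS)
# 23 = FileDelete (archived)        26 = FileDeleteDetected
$FileEventIds = 2, 11, 15, 23, 26

# Graylog accepts HTTP basic auth on the API and requires X-Requested-By on writes.
$Pair    = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
$Headers = @{
    'Authorization'  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Pair))
    'X-Requested-By' = 'sysmon-wiki-script'
    'Accept'         = 'application/json'
}

# Resolve the index set id from its title.
$Sets = Invoke-RestMethod -Uri "$Base/system/indices/index_sets" -Headers $Headers
$Set  = $Sets.index_sets | Where-Object { $_.title -eq $IndexName }
if (-not $Set) { throw "index set '$IndexName' not found; create it under System -> Indices first" }

# One exact-match rule (type 1) per event ID. matching_type OR is the UI's
# "a message must match at least one of the following rules".
$Rules = foreach ($Id in $FileEventIds) {
    @{ field = $IdField; type = 1; value = "$Id"; inverted = $false; description = "Sysmon event $Id" }
}
$Body = @{
    title         = 'Windows files'
    description   = 'Sysmon file create/delete/stream events'
    index_set_id  = $Set.id
    matching_type = 'OR'
    remove_matches_from_default_stream = $false
    rules         = $Rules
} | ConvertTo-Json -Depth 5

$Created = Invoke-RestMethod -Method Post -Uri "$Base/streams" -Headers $Headers `
               -ContentType 'application/json' -Body $Body

# Streams are created paused; start it so messages get routed.
Invoke-RestMethod -Method Post -Uri "$Base/streams/$($Created.stream_id)/resume" -Headers $Headers | Out-Null
"Stream $($Created.stream_id) created with $($FileEventIds.Count) rules and started"
```

Because the credentials are sent as basic auth on every request, this is one more reason to front the Graylog API with TLS rather than the plain http URL the lab uses.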

Sysmon Dashboard

To create a dashboard, go to Dashboards in Graylog and click Create new dashboard. The plus button on the left-hand side adds widgets. Useful ones for Sysmon are a message count over time and aggregations of the event ID field, the Image (process path) field and the TargetFilename field, all scoped to the Windows files stream so they are not diluted by the other channels.

Here is how the sysmon dashboard turned out:

[screenshot: Sysmon dashboard]

References

  - https://www.blumira.com/integration/poshim-automate-windows-log-collection/
  - https://docs.graylog.org/docs/sidecar#step-by-step-guide
  - https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog
  - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon