LSO - MS Windows Event Logging - Sysmon

This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Sysmon log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project..

Prerequisites

Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
Enable the new MPE rules in the LogRhythm System Monitor.
- Select log source type MS Windows Event Logging XML - Sysmon.
  
  Ensure that you select the the log source type with "XML" in the name.
- Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message Type	Event Type	Event ID
Catch All : Level 1 (Sysmon)¹	General Logging Information	N/A¹
EVID 1 : Process Created (Sysmon)	Process/Service Started	1
EVID 2 : File Creation Time Changed (Sysmon)	Object Modified	2
EVID 3 : Network Connection Detected (Sysmon)	Network Connection Established	3
EVID 4 : Service State Change (Sysmon)	Service State Changed	4
EVID 5 : Process Terminated (Sysmon)	Process/Service Stopped	5
EVID 6 : Driver Loaded (Sysmon)	Configuration Loaded : System	6
EVID 7 : Image Loaded (Sysmon)	File Opened	7
EVID 8 : Create Remote Thread (Sysmon)	Thread Report	8
EVID 9 : Raw Access Read (Sysmon)	RAWDEVICES Information Message	9
EVID 10 : Process Access (Sysmon)	Object Accessed	10
EVID 11 : File Created (Sysmon)	Object Created	11
EVID 12 : Registry Event (Sysmon)	Registry Monitoring Event - Modify	12
EVID 13 : Registry Value Set (Sysmon)	Registry Value Information	13
EVID 15 : File Create Stream Hash (Sysmon)	Filestream Information	15
EVID 16 : Sysmon Configuration Change (Sysmon)	Configuration Modified : System	16
EVID 17 : Named Pipe Created (Sysmon)	Creating Named Pipe	17
EVID 18 : Named Pipe Connected (Sysmon)	Creating Named Pipe	18
EVID 22 : DNS Query (Sysmon)	DNS Query	22
EVID 1000: Faulting Application (Sysmon)	Faulting Application	1000

¹ _{Catch All is not available in LSO policy because all EVIDs for the new log source type MS Windows Event Logging XML - Sysmon have dedicated LSO rules.}

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon. The Change Details column indicates where the new log source type was added.

AIE Rules	Change Details
T1003 : OS Credential Dumping	Primary Criteria of rule blocks 1
T1007 : System Service Discovery	Primary Criteria of rule block 1
T1012 : Query Registry	Primary Criteria of rule block 1
T1016 : System Network Configuration Discovery	Primary Criteria of rule block 1
T1018 : Remote System Discovery	Primary Criteria and Include Filter of rule block 1
T1033 : System Owner-User Discovery	Primary Criteria of rule block 1
T1036 : Masquerading	Primary Criteria of rule block 1
T1047 : Windows Management Instrumentation	Primary Criteria of rule block 1
T1053 : Scheduled Task/Job	Primary Criteria of rule block 1
T1057 : Process Discovery	Primary Criteria of rule block 1
T1059 : Command and Scripting Interpreter	Primary Criteria of rule block 1
T1059.001 : PowerShell	Primary Criteria of rule block 1
T1069 : Permission Groups Discovery	Primary Criteria of rule block 1
T1070.006 : Timestomp	Primary Criteria of rule blocks 1 & 2
T1082 : System Information Discovery	Primary Criteria of rule block 1
T1083 : File and Directory Discovery	Primary Criteria and Include Filter of rule block 1
T1087 : Account Discovery	Primary Criteria of rule block 1
T1090 : Proxy	Primary Criteria of rule blocks 1 & 2
T1105 : Ingress Tool Transfer	Primary Criteria of rule blocks 1, 2 & 3, and to Include Filter of rule block 1
T1218.010 : Regsvr32	Primary Criteria of rule block 1
T1218.011 : Rundll32	Primary Criteria of rule block 1
T1543.003 : Windows Service	Primary Criteria and Include Filter of rule block 1
T1547.001 : Registry RunKeys/Startup Folder	Primary Criteria of rule block 1
T1550.002 : Pass the Hash	Primary Criteria and Include Filter of rule block 1
T1550.003 : Pass the Ticket	Primary Criteria and Include Filter of rule block 1
T1558.003 : Kerberoasting	Primary Criteria and Include Filter of rule block 1
T1566.001 : Spearphishing Attachment	Primary Criteria of rule block 1
T1566.002 : Spearphishing Link	Primary Criteria of rule block 1
T1569.002 : Service Execution	Primary Criteria of rule blocks 1 & 2

Updates to System Reports

The table below indicates changes made to system reports using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.

Report Name	Change Details
FISMA : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NEI : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NRC : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid CDE => Internet Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid DMZ => Internal Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Inet => Intrn Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => CDE Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => DMZ Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING

Updates to System Report Templates

The table below details changes made to system report templates using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.

Template Name	Change Details
Log Summary by Entity, Log Host, iApp, Event, Login, Object	Added Process field after Object. New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

No changes

Updates to System Investigations

No changes