LSO - MS Windows Event Logging XML - Sysmon 7.01
This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Sysmon log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.
Prerequisites
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
- Enable the new MPE rules in the LogRhythm System Monitor.
Select log source type MS Windows Event Logging XML - Sysmon.
Ensure that you select the the log source type with "XML" in the name.
Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.
1 Catch All is not available in LSO policy because all EVIDs for the new log source type MS Windows Event Logging XML - Sysmon have dedicated LSO rules.
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.
Updates to AIE Rules
The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon. The Change Details column indicates where the new log source type was added.
AIE Rules | Change Details |
---|---|
T1003 : OS Credential Dumping | Primary Criteria of rule block 1 |
T1007 : System Service Discovery | Primary Criteria of rule block 1 |
T1012 : Query Registry | Primary Criteria of rule block 1 |
T1016 : System Network Configuration Discovery | Primary Criteria of rule block 1 |
T1018 : Remote System Discovery | Primary Criteria and Include Filter of rule block 1 |
T1033 : System Owner-User Discovery | Primary Criteria of rule block 1 |
T1036 : Masquerading | Primary Criteria of rule block 1 |
T1047 : Windows Management Instrumentation | Primary Criteria of rule block 1 |
T1053 : Scheduled Task/Job | Primary Criteria of rule block 1 |
T1057 : Process Discovery | Primary Criteria of rule block 1 |
T1059 : Command and Scripting Interpreter | Primary Criteria of rule block 1 |
T1059.001 : PowerShell | Primary Criteria of rule block 1 |
T1069 : Permission Groups Discovery | Primary Criteria of rule block 1 |
T1070.006 : Timestomp | Primary Criteria of rule block 1 & 2 |
T1082 : System Information Discovery | Primary Criteria of rule block 1 |
T1083 : File and Directory Discovery | Primary Criteria of rule block 1 |
T1087 : Account Discovery | Primary Criteria of rule block 1 |
T1090 : Proxy | Primary Criteria of rule block 1 & 2 |
T1105 : Ingress Tool Transfer | Primary Criteria of rule block 1, 2 & 3, and to Include Filter of rule block 1 |
T1218.010 : Regsvr32 | Primary Criteria of rule block 1 |
T1218.011 : Rundll32 | Primary Criteria of rule block 1 |
T1543.003 : Windows Service | Primary Criteria and Include Filter of rule block 1 |
T1547.001 : Registry RunKeys/Startup Folder | Primary Criteria of rule block 1 |
T1550.002 : Pass the Hash | Primary Criteria and Include Filter of rule block 1 |
T1550.003 : Pass the Ticket | Primary Criteria and Include Filter of rule block 1 |
T1558.003 : Kerberoasting | Primary Criteria and Include Filter of rule block 1 |
T1566.001 : Spearphishing Attachment | Primary Criteria of rule block 1 |
T1566.002 : Spearphishing Link | Primary Criteria of rule block 1 |
T1569.002 : Service Execution | Primary Criteria of rule block 1 & 2 |
Updates to System Reports
The table below indicates changes made to system reports using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.
Report Name | Change Details |
---|---|
FISMA : Processes By User | Added a new line to the Include Filter:
|
NEI : Processes By User | Added a new line to the Include Filter:
|
NRC : Processes By User | Added a new line to the Include Filter:
|
PCI-DSS : Invalid CDE => Internet Comm Details | Added a new line to the Include Filter:
|
PCI-DSS : Invalid DMZ => Internal Comm Details | Added a new line to the Include Filter:
|
PCI-DSS : Invalid Inet => Intrn Comm Details | Added a new line to the Include Filter:
|
PCI-DSS : Invalid Internet => CDE Comm Details | Added a new line to the Include Filter:
|
PCI-DSS : Invalid Internet => DMZ Comm Details | Added a new line to the Include Filter:
|
Updates to System Report Templates
The table below details changes made to system report templates using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.
Template Name | Change Details |
---|---|
Log Summary by Entity, Log Host, iApp, Event, Login, Object |
|
Updates to System Tails
- No changes
Updates to System Investigations
- No changes