LSO - MS Windows Event Logging XML - Sysmon 8/9/10

This document explains the changes required to switch over and upgrade to the MS Windows Event Logging XML - Sysmon log source type, so that you can enable the new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.

Prerequisites

  • Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.

  • Enable the new MPE rules in the LogRhythm System Monitor.
    • Select log source type MS Windows Event Logging XML - Sysmon.

      Ensure that you select the log source type with "XML" in the name.

    • Enable log processing policy LogRhythm Default v2.0.

    For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message Type | Event Type | Event ID
Catch All (Sysmon 8/9/10) [1] | General Information | N/A [1]
Catch All : Level 1 (Sysmon 8/9/10) [1] | General Information | N/A [1]
EVID 1 : Process Created (Sysmon 8/9/10) | Process/Service Started | 1
(KB 705) EVID 2 : File Creation Time Changed (Sysmon 8/9/10) | Object Modified | 2
EVID 3 : Network Connection Detected (Sysmon 8/9/10) | General Network Traffic | 3
EVID 4 : Service State Changed (Sysmon 8/9/10) | Process/Service Startup Or Shutdown Activity | 4
EVID 5 : Process Terminated (Sysmon 8/9/10) | Process/Service Stopped | 5
EVID 6 : Driver Loaded (Sysmon 8/9/10) | Configuration Loaded : System | 6
EVID 7 : Image Loaded (Sysmon 8/9/10) | Object Accessed | 7
EVID 8 : Create Remote Thread (Sysmon 8/9/10) | Process/Service Started | 8
EVID 9 : Raw Access Read (Sysmon 8/9/10) | Object Accessed | 9
EVID 10 : Process Access (Sysmon 8/9/10) | Process/Service Started | 10
EVID 11 : File Created (Sysmon 8/9/10) | Object Added | 11
EVID 12 : Registry Event (Sysmon 8/9/10) | Object Added | 12
EVID 13 : Registry Value Set (Sysmon 8/9/10) | Object Modified | 13
EVID 14 : Key and Value Rename (Sysmon 8/9/10) | Object Modified | 14
EVID 15 : File Create Stream Hash (Sysmon 8/9/10) | Object Downloaded | 15
EVID 16 : Sysmon Configuration Change (Sysmon 8/9/10) | Configuration Modified : Security | 16
EVID 17 : Named Pipe Created (Sysmon 8/9/10) | Interprocess Communication | 17
EVID 18 : Named Pipe Connected (Sysmon 8/9/10) | Interprocess Communication | 18
EVID 19 : WMI Event Filter Registered (Sysmon 8/9/10) | Object Created | 19
EVID 20 : WMI Consumer Registration (Sysmon 8/9/10) | Object Created | 20
EVID 21 : WMI Consumer To Filter Activity (Sysmon 8/9/10) | Object Accessed | 21
EVID 22 : DNS Query (Sysmon 8/9/10) | DNS Query | 22
EVID 255 : Internal Error [2] | Internal Error | 255 [2]

[1] Catch All is not available in the LSO policy because all EVIDs for the new log source type MS Windows Event Logging XML - Sysmon have dedicated LSO rules.

[2] EVID 255 : Internal Error is not available in the LSO policy.

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may affect downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact on your environment and on custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon. The Change Details column indicates where the new log source type was added.

AIE Rule | Change Details
NERC-CIP : Account Locked or Disabled Rule | Removed Group by of Host (Origin) to make it backward compatible
T1003 : OS Credential Dumping | Primary Criteria of rule block 1
T1007 : System Service Discovery | Primary Criteria of rule block 1
T1012 : Query Registry | Primary Criteria of rule block 1
T1016 : System Network Configuration Discovery | Primary Criteria of rule block 1
T1018 : Remote System Discovery | Primary Criteria and Include Filter of rule block 1
T1033 : System Owner-User Discovery | Primary Criteria of rule block 1
T1036 : Masquerading | Primary Criteria of rule block 1
T1047 : Windows Management Instrumentation | Primary Criteria of rule block 1
T1053 : Scheduled Task/Job | Primary Criteria of rule block 1
T1057 : Process Discovery | Primary Criteria of rule block 1
T1059 : Command and Scripting Interpreter | Primary Criteria of rule block 1
T1059.001 : PowerShell | Primary Criteria of rule block 1
T1069 : Permission Groups Discovery | Primary Criteria of rule block 1
T1070.006 : Timestomp | Primary Criteria of rule block 1 & 2
T1082 : System Information Discovery | Primary Criteria of rule block 1
T1083 : File and Directory Discovery | Primary Criteria and Include Filter of rule block 1
T1087 : Account Discovery | Primary Criteria of rule block 1
T1090 : Proxy | Primary Criteria of rule block 1 & 2
T1105 : Ingress Tool Transfer | Primary Criteria of rule block 1, 2 & 3, and Include Filter of rule block 1
T1218.010 : Regsvr32 | Primary Criteria of rule block 1
T1218.011 : Rundll32 | Primary Criteria of rule block 1
T1543.003 : Windows Service | Primary Criteria and Include Filter of rule block 1
T1547.001 : Registry Run Keys/Startup Folder | Primary Criteria of rule block 1
T1550.002 : Pass the Hash | Primary Criteria and Include Filter of rule block 1
T1550.003 : Pass the Ticket | Primary Criteria and Include Filter of rule block 1
T1558.003 : Kerberoasting | Primary Criteria and Include Filter of rule block 1
T1566.001 : Spearphishing Attachment | Primary Criteria of rule block 1
T1566.002 : Spearphishing Link | Primary Criteria of rule block 1
T1569.002 : Service Execution | Primary Criteria of rule block 1 & 2

Updates to System Reports

The table below indicates changes made to system reports using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.

Report Name: FISMA : Processes By User
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: Process Name
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: NEI : Processes By User
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: Process Name
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: NRC : Processes By User
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: Process Name
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: PCI-DSS : Invalid CDE => Internet Comm Details
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: IP Address (Impacted)
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: PCI-DSS : Invalid DMZ => Internal Comm Details
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: IP Address (Impacted)
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: PCI-DSS : Invalid Inet => Intrn Comm Details
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: IP Address (Impacted)
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: PCI-DSS : Invalid Internet => CDE Comm Details
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: IP Address (Impacted)
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Report Name: PCI-DSS : Invalid Internet => DMZ Comm Details
Change Details: Added a new line to the Include Filter:
  • Operator: Or Previous
  • Field: IP Address (Impacted)
  • Filter Mode: Is Not
  • Filtered Values: NOTHING

Updates to System Report Templates

The table below details changes made to system report templates using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.

Template Name: Log Summary by Entity, Log Host, iApp, Event, Login, Object
Change Details:
  • Added Process field after Object.
  • New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

  • No changes

Updates to System Investigations

  • No changes