LSO - MS Windows Event Logging XML - Sysmon 8/9/10

This document explains the changes required to switch over and upgrade to MS Windows Event Logging XML - Sysmon log source type to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.

Prerequisites

Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
Enable the new MPE rules in the LogRhythm System Monitor.
- Select log source type MS Windows Event Logging XML - Sysmon.
  
  Ensure that you select the the log source type with "XML" in the name.
- Enable log processing policy LogRhythm Default v2.0.
For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules. Each linked page contains detailed information on parsing changes and new log processing settings.

Log Message Type	Event Type	Event ID
Catch All (Sysmon 8/9/10)¹	General Information	N/A¹
Catch All : Level 1 (Sysmon 8/9/10)¹	General Information	N/A¹
EVID 1 : Process Created (Sysmon 8/9/10)	Process/Service Started	1
(KB 691) EVID 2 : File Creation Time Changed (Sysmon 8/9/10)	Object Modified	2
EVID 3 : Network Connection Detected (Sysmon 8/9/10)	General Network Traffic	3
EVID 4 : Service State Changed (Sysmon 8/9/10)	Process/Service Startup Or Shutdown Activity	4
EVID 5 : Process Terminated (Sysmon 8/9/10)	Process/Service Stopped	5
EVID 6 : Driver Loaded (Sysmon 8/9/10)	Configuration Loaded : System	6
EVID 7 : Image Loaded (Sysmon 8/9/10)	Object Accessed	7
EVID 8 : Create Remote Thread (Sysmon 8/9/10)	Process/Service Started	8
EVID 9 : Raw Access Read (Sysmon 8/9/10)	Object Accessed	9
EVID 10 : Process Access (Sysmon 8/9/10)	Process/Service Started	10
EVID 11 : File Created (Sysmon 8/9/10)	Object Added	11
EVID 12 : Registry Event (Sysmon 8/9/10)	Object Added	12
EVID 13 : Registry Value Set (Sysmon 8/9/10)	Object Modified	13
EVID 14 : Key and Value Rename (Sysmon 8/9/10)	Object Modified	14
EVID 15 : File Create Stream Hash (Sysmon 8/9/10)	Object Downloaded	15
EVID 16 : Sysmon Configuration Change (Sysmon 8/9/10)	Configuration Modified : Security	16
EVID 17 : Named Pipe Created (Sysmon 8/9/10)	Interprocess Communication	17
EVID 18 : Named Pipe Connected (Sysmon 8/9/10)	Interprocess Communication	18
EVID 19 : WMI Event Filter Registered (Sysmon 8/9/10)	Object Created	19
EVID 20 : WMI Consumer Registration (Sysmon 8/9/10)	Object Created	20
EVID 21 : WMI Consumer To Filter Activity (Sysmon 8/9/10)	Object Accessed	21
EVID 22 : DNS Query (Sysmon 8/9/10)	DNS Query	22
EVID 255 : Internal Error²	Internal Error	255²

¹ _{Catch All is not available in LSO policy because all EVIDs for the new log source type MS Windows Event Logging XML - Sysmon have dedicated LSO rules.}

²_{EVID 255 : Internal Error is not available in LSO policy.}

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.

Changes made for LSO may impact downstream analytical components in LogRhythm. It is recommended that you review MPE policies, parsing rules, and log processing settings to assess the potential impact to your environment and custom analytical components, including saved investigations, dashboards, and fields mapped with SmartResponse Plugins.

Updates to AIE Rules

The table below indicates changes made to AIE Rules using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon. The Change Details column indicates where the new log source type was added.

AIE Rules	Change Details
NERC-CIP : Account Locked or Disabled Rule	Removed Group by of Host (Origin) to make it backward compatible
T1003 : OS Credential Dumping	Primary Criteria of rule block 1
T1007 : System Service Discovery	Primary Criteria of rule block 1
T1012 : Query Registry	Primary Criteria of rule block 1
T1016 : System Network Configuration Discovery	Primary Criteria of rule block 1
T1018 : Remote System Discovery	Primary Criteria and Include Filter of rule block 1
T1033 : System Owner-User Discovery	Primary Criteria of rule block 1
T1036 : Masquerading	Primary Criteria of rule block 1
T1047 : Windows Management Instrumentation	Primary Criteria of rule block 1
T1053 : Scheduled Task/Job	Primary Criteria of rule block 1
T1057 : Process Discovery	Primary Criteria of rule block 1
T1059 : Command and Scripting Interpreter	Primary Criteria of rule block 1
T1059.001 : PowerShell	Primary Criteria of rule block 1
T1069 : Permission Groups Discovery	Primary Criteria of rule block 1
T1070.006 : Timestomp	Primary Criteria of rule block 1 & 2
T1082 : System Information Discovery	Primary Criteria of rule block 1
T1083 : File and Directory Discovery	Primary Criteria and Include Filter of rule block 1
T1087 : Account Discovery	Primary Criteria of rule block 1
T1090 : Proxy	Primary Criteria of rule block 1 & 2
T1105 : Ingress Tool Transfer	Primary Criteria of rule block 1, 2 & 3, and Include Filter of rule block 1
T1218.010 : Regsvr32	Primary Criteria of rule block 1
T1218.011 : Rundll32	Primary Criteria of rule block 1
T1543.003 : Windows Service	Primary Criteria and Include Filter of rule block 1
T1547.001 : Registry RunKeys/Startup Folder	Primary Criteria of rule block 1
T1550.002 : Pass the Hash	Primary Criteria and Include Filter of rule block 1
T1550.003 : Pass the Ticket	Primary Criteria and Include Filter of rule block 1
T1558.003 : Kerberoasting	Primary Criteria and Include Filter of rule block 1
T1566.001 : Spearphishing Attachment	Primary Criteria of rule block 1
T1566.002 : Spearphishing Link	Primary Criteria of rule block 1
T1569.002 : Service Execution	Primary Criteria of rule block 1 & 2

Updates to System Reports

The table below indicates changes made to system reports using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.

Report Name	Change Details
FISMA : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NEI : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
NRC : Processes By User	Added a new line to the Include Filter: Operator. Or Previous Field. Process Name Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid CDE => Internet Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid DMZ => Internal Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Inet => Intrn Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => CDE Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING
PCI-DSS : Invalid Internet => DMZ Comm Details	Added a new line to the Include Filter: Operator. Or Previous Field. IP Address (Impacted) Filter Mode. Is Not Filtered Values. NOTHING

Updates to System Report Templates

The table below details changes made to system report templates using the new policy LogRhythm Default v2.0 with the new log source type MS Windows Event Logging XML - Sysmon.

Template Name	Change Details
Log Summary by Entity, Log Host, iApp, Event, Login, Object	Added Process field after Object. New Report name: Log Summary by Entity, Log Host, iApp, Event, Login, Object, Process

Updates to System Tails

No changes

Updates to System Investigations

No changes