ArcSight FlexConnector for Microsoft Sysmon

*Now updated for Sysmon v10.x*

OpSecure Microsoft Sysmon FlexConnector for ArcSight.

Available from the OpSecure “Secops” GitHub Repository and the Microfocus Marketplace

Microfocus ArcSight FlexConnector for Microsoft Sysmon via Windows Native Connector

1      Summary

ArcSight provides a range of device-specific SmartConnectors with which to gather security event information. SmartConnectors send normalized security events to the ArcSight Manager or Logger for storage and further processing.

A FlexConnector is a custom SmartConnector that you define to gather security events from log files, databases, and other software and devices. There are several FlexConnector types; the type you use depends on the kind of data you need to collect.

ArcSight FlexConnectors allow you to create custom SmartConnectors that can read and parse information from third-party devices and map that information to ArcSight’s event schema.

This guide describes the installation and configuration of a FlexConnector to retrieve events from the Microsoft Sysmon tool via the HPE ArcSight Windows Native SmartConnector.

1.1      References:

1.2      Scope

Extraction and Categorisation of the “Microsoft-Windows-Sysmon/Operational” Windows Event Log using Microfocus ArcSight Windows Native SmartConnector

1.3      Technical Details

The following table highlights the Software and versions tested during development of this FlexConnector.

Other versions of the vendor application may require additional FlexConnector development in the case of additional messages / events generated or changes to the logging format.

| Parameter                       | Setting          |
|---------------------------------|------------------|
| Device or Log Source            | Microsoft Sysmon |
| Version tested                  | 10.x             |
| ArcSight SmartConnector Version | At least 7.4     |

2      Application / Vendor Details

Sysmon from Sysinternals is a very powerful host-level tracing tool, which can assist you in detecting advanced threats on your network. In contrast to common Antivirus/HIDS solutions, Sysmon performs deep monitoring of system activity and logs high-confidence indicators of advanced attacks.

Sysmon uses a device driver and a background service that loads very early in the boot process.

Sysmon monitors the following activities:

  • Process creation (with full command line and hashes)
  • Process termination
  • Network connections
  • File creation timestamp changes
  • Driver/image loading
  • Remote thread creation
  • Raw disk access
  • Process memory access

Some of these events can be gathered by enabling Windows built-in auditing, yet the level of detail provided by Sysmon is much higher. When it comes to analysis, Sysmon doesn’t provide any; you can use other tools to visualize and investigate the raw events, for example a SIEM, Microsoft SCOM, Splunk or Azure OMS.

2.1      Constraints

Microfocus ArcSight SmartConnector Framework version 7.4 or later (required for automatic IPv6 parsing).

For workstations and large deployments it is advisable to use Windows Event Forwarding to gather the relevant logs rather than direct collection from each host. Configuration of Windows Event Forwarding is out of scope of this document. More information can be found in the Microfocus ArcSight SmartConnector for Windows Native documentation and in Microsoft’s Windows Event Log Forwarding guidance (see references).

2.2      Audit and Event Logs

The following audit trail targets are supported for production systems:

| Audit function / log                 | Description       |
|--------------------------------------|-------------------|
| Microsoft-Windows-Sysmon/Operational | Windows Event Log |

The event log can be added to the Custom Log field for all devices monitored by a Windows Native SmartConnector.


The tool is installed and configured following the guidance from Microsoft.

2.3      Configure Auditing

https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/

Note that without effective planning, testing and tuning of the Sysmon tool, the volume of the events captured will be extremely high in production and of low quality.

A number of good-practice Sysmon configurations exist and should be tailored to the target organisation.
An example of a tailored Sysmon configuration file exists in this repository:

Sysmon, when installed as a service, automatically logs to the Microsoft-Windows-Sysmon/Operational Event Log.

2.4      Message Reference

Events generated by the Sysmon tool are listed below. Refer to the Microsoft websites listed as references for comprehensive documentation:

| Event ID | Tag                          | Event                                     |
|----------|------------------------------|-------------------------------------------|
| 1        | ProcessCreate                | Process Create                            |
| 2        | FileCreateTime               | File creation time                        |
| 3        | NetworkConnect               | Network connection detected               |
| 4        | Sysmon service state change  | Sysmon service state change               |
| 5        | ProcessTerminate             | Process terminated                        |
| 6        | DriverLoad                   | Driver Loaded                             |
| 7        | ImageLoad                    | Image loaded                              |
| 8        | CreateRemoteThread           | CreateRemoteThread detected               |
| 9        | RawAccessRead                | RawAccessRead detected                    |
| 10       | ProcessAccess                | Process accessed                          |
| 11       | FileCreate                   | File created                              |
| 12       | RegistryEvent                | Registry object added or deleted          |
| 13       | RegistryEvent                | Registry value set                        |
| 14       | RegistryEvent                | Registry object renamed                   |
| 15       | FileCreateStreamHash         | File stream created                       |
| 16       | Sysmon configuration change  | Sysmon configuration change               |
| 17       | PipeEvent                    | Named pipe created                        |
| 18       | PipeEvent                    | Named pipe connected                      |
| 19       | WmiEventFilter               | WmiEventFilter activity detected          |
| 20       | WmiEventConsumer             | WmiEventConsumer activity detected        |
| 21       | WmiEventConsumerToFilter     | WmiEventConsumerToFilter activity detected |
| 22       | DNS Query                    | DNS Query Event                           |
| 255      | Error Report                 | Error                                     |

4      Device Event Mapping to ArcSight Fields

| Device Specific Field   | ArcSight ESM Field                      |
|-------------------------|-----------------------------------------|
| UtcTime                 | event.deviceCustomDate1 / endTime       |
| ProcessGuid             | event.deviceCustomString6               |
| ProcessId               | event.deviceProcessId                   |
| Image                   | event.deviceProcessName                 |
| CommandLine             | event.deviceCustomString1               |
| CurrentDirectory        | event.deviceCustomString3               |
| User                    | event.sourceUserName                    |
| LogonGuid               | additionaldata.LogonGuid                |
| LogonId                 | event.sourceUserId                      |
| TerminalSessionId       | event.deviceCustomNumber2               |
| IntegrityLevel          | event.deviceCustomString5               |
| Hashes                  | event.fileHash                          |
| ParentProcessGuid       | additionaldata.ParentProcessGuid        |
| ParentProcessId         | event.sourceProcessId                   |
| ParentImage             | event.sourceProcessName                 |
| ParentCommandLine       | event.deviceCustomString2               |
| TargetFilename          | event.fileName                          |
| CreationUtcTime         | event.fileCreateTime                    |
| PreviousCreationUtcTime | event.oldFileCreateTime                 |
| Protocol                | event.transportProtocol                 |
| Initiated               | event.deviceCustomString4               |
| SourceIsIpv6            | additionaldata.SourceIsIpv6             |
| SourceIp                | event.sourceAddress                     |
| SourceHostname          | event.sourceHostName                    |
| SourcePort              | event.sourcePort                        |
| SourcePortName          | additionaldata.SourcePortName           |
| DestinationIsIpv6       | additionaldata.DestinationIsIpv6        |
| DestinationIp           | event.destinationAddress                |
| DestinationHostname     | event.destinationHostName               |
| DestinationPort         | event.destinationPort                   |
| DestinationPortName     | additionaldata.DestinationPortName      |
| State                   | event.deviceAction                      |
| Version                 | event.deviceCustomString1               |
| SchemaVersion           | event.deviceCustomString2               |
| ImageLoaded             | event.destinationProcessName            |
| Signed                  | event.deviceCustomString1               |
| Signature               | event.deviceCustomString2               |
| SignatureStatus         | event.deviceCustomString3               |
| SourceProcessGuid       | event.flexString1                       |
| SourceProcessId         | event.sourceProcessId                   |
| SourceImage             | event.sourceProcessName                 |
| TargetProcessGuid       | event.flexString2                       |
| TargetProcessId         | event.destinationProcessId              |
| TargetImage             | event.destinationProcessName            |
| NewThreadId             | event.deviceCustomString1               |
| StartAddress            | event.deviceCustomString2               |
| StartModule             | event.deviceCustomString3               |
| StartFunction           | event.deviceCustomString4               |
| Device                  | event.deviceCustomString1               |
| SourceThreadId          | event.deviceCustomString1               |
| GrantedAccess           | event.deviceCustomString2               |
| CallTrace               | event.deviceCustomString3               |
| EventType               | event.deviceAction                      |
| TargetObject            | event.fileName                          |
| Details                 | event.deviceCustomString1               |
| NewName                 | event.deviceCustomString1               |
| Hash                    | event.fileHash                          |
| Configuration           | event.fileName                          |
| ConfigurationFileHash   | event.fileHash                          |
| PipeName                | event.fileName                          |
| ID                      | event.deviceCustomString1               |
| Description             | event.deviceCustomString2               |
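To show how the Message Reference (section 2.4) and the field mapping above fit together, here is an added Python example that is not part of the FlexConnector itself: it parses one Sysmon event record in Windows Event XML form, resolves the Event ID to its Sysmon tag, and renames the EventData fields to the ArcSight fields listed in the table, reporting any Sysmon field the table does not cover (the situation section 1.3 warns about). The sample event, the `sysmon.*` output keys and the choice of `event.endTime` for UtcTime are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon Event ID -> tag, subset of the Message Reference table in section 2.4.
SYSMON_TAGS = {1: "ProcessCreate", 3: "NetworkConnect", 10: "ProcessAccess",
               22: "DNS Query", 255: "Error Report"}

# Sysmon EventData field -> ArcSight field, subset of the mapping table above.
# UtcTime is listed as deviceCustomDate1 / endTime; endTime is used here.
FIELD_MAP = {
    "UtcTime": "event.endTime", "ProcessGuid": "event.deviceCustomString6",
    "ProcessId": "event.deviceProcessId", "Image": "event.deviceProcessName",
    "User": "event.sourceUserName", "Protocol": "event.transportProtocol",
    "Initiated": "event.deviceCustomString4",
    "SourceIsIpv6": "additionaldata.SourceIsIpv6", "SourceIp": "event.sourceAddress",
    "SourceHostname": "event.sourceHostName", "SourcePort": "event.sourcePort",
    "DestinationIsIpv6": "additionaldata.DestinationIsIpv6",
    "DestinationIp": "event.destinationAddress", "DestinationPort": "event.destinationPort",
}

def map_sysmon_event(xml_text):
    """Return (mapped_fields, unmapped_names) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    # "sysmon.*" keys are illustrative labels for this example, not ArcSight fields.
    mapped = {"sysmon.EventID": event_id, "sysmon.Tag": SYSMON_TAGS.get(event_id, "Unknown")}
    unmapped = []
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name in FIELD_MAP:
            mapped[FIELD_MAP[name]] = (data.text or "").strip()
        else:
            unmapped.append(name)  # would need additional FlexConnector development
    return mapped, unmapped

# Constructed Event ID 3 (NetworkConnect) record; every value is invented sample data.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2019-06-01 12:00:00.123</Data>
<Data Name="ProcessId">4212</Data><Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="User">NT AUTHORITY\\SYSTEM</Data><Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data><Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">10.0.0.5</Data><Data Name="SourcePort">49812</Data>
<Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">192.0.2.10</Data>
<Data Name="DestinationPort">443</Data></EventData></Event>"""

if __name__ == "__main__":
    fields, leftover = map_sysmon_event(SAMPLE_EVENT)
    for key, value in sorted(fields.items()):
        print(f"{key:36} {value}")
    print("unmapped Sysmon fields:", leftover)
```

Feeding a real record exported from the Microsoft-Windows-Sysmon/Operational log instead of the constructed sample is a quick way to see which fields of a new Sysmon version the mapping table does not yet cover.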