Deep Security Log Inspection Rules for Sysmon Event Monitoring

    • Updated: 15 Oct 2019
    • Product/Version: Deep Security 12.All
    • Platform: Windows
Summary
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
Sysmon logs these additional events in: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
Trend Micro Deep Security added support for monitoring events generated by Sysmon in Version 12.0.
The following Log Inspection rules are provided to monitor events generated by Sysmon:
  • 1009771 - Microsoft Windows Sysmon Events - 1
  • 1009777 - Microsoft Windows Sysmon Events - 2
Details
Detecting MITRE ATT&CK techniques using Sysmon

After applying these rules, the Deep Security Agent will detect events related to process creation, process termination, network connection, file creation, registry value set, or pipe creation, and can generate log inspection events for them. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.
Configuring Sysmon for use with the Log Inspection rules

  1. Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip and extract the contents to a temporary folder.
  2. Download the configuration file (DSSysmonConfig.zip) from here (SHA256: FE58611D855596141109EF835EF3FB8D06DCE283E430648A7374BA26415AFA4F) and extract the contents to the same folder as in Step 1.
  3. Open an elevated command prompt in the same directory as the files extracted in steps 1 and 2 and run the following command: sysmon.exe -accepteula -i DSSysmonConfig.xml
For more details about Sysmon and its additional uses, refer to official Microsoft documentation here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
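The three steps above, as an added PowerShell example that is not part of the Trend Micro article: it checks the downloaded configuration archive against the SHA256 the article publishes before installing anything, runs the same sysmon.exe command, and then confirms that the Sysmon operational log is actually receiving the event types the Log Inspection rules consume. It assumes Sysmon.zip and DSSysmonConfig.zip have already been downloaded into the working folder ($WorkDir) and that the shell is elevated; the per-event-type counting at the end is a verification step added here, not something the article asks for.

```powershell
# Added example, not Trend Micro's own script. Assumes Sysmon.zip and
# DSSysmonConfig.zip are in $WorkDir and that this shell is elevated.
param(
    [string]$WorkDir = (Get-Location).Path
)

# SHA256 of DSSysmonConfig.zip as published in the article.
$ExpectedSha256 = 'FE58611D855596141109EF835EF3FB8D06DCE283E430648A7374BA26415AFA4F'
$ConfigZip      = Join-Path $WorkDir 'DSSysmonConfig.zip'
$SysmonZip      = Join-Path $WorkDir 'Sysmon.zip'

# 1. Refuse to install a configuration whose hash does not match the published value.
$actual = (Get-FileHash -Path $ConfigZip -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA256 mismatch for DSSysmonConfig.zip: expected $ExpectedSha256, got $actual"
}

# 2. Extract both archives into the same folder (steps 1 and 2 of the article).
Expand-Archive -Path $SysmonZip -DestinationPath $WorkDir -Force
Expand-Archive -Path $ConfigZip -DestinationPath $WorkDir -Force

# 3. Install Sysmon with the Deep Security configuration (step 3 of the article).
$sysmonExe = Join-Path $WorkDir 'Sysmon.exe'
$configXml = Join-Path $WorkDir 'DSSysmonConfig.xml'
$proc = Start-Process -FilePath $sysmonExe -ArgumentList '-accepteula', '-i', $configXml `
                      -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Sysmon installation failed with exit code $($proc.ExitCode)"
}

# 4. Confirm the Sysmon service is running and the operational log exists.
#    The wildcard covers both the 'Sysmon' and 'Sysmon64' service names.
Get-Service -Name 'Sysmon*' -ErrorAction Stop | Select-Object Name, Status
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction Stop |
    Select-Object LogName, RecordCount

# 5. Count recent events per Sysmon event ID that the Log Inspection rules consume:
#    1 process create, 3 network connection, 5 process terminate,
#    11 file create, 13 registry value set, 17 pipe created.
$ids   = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 5 = 'ProcessTerminate';
            11 = 'FileCreate'; 13 = 'RegistryValueSet'; 17 = 'PipeCreated' }
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $ids.ContainsKey([int]$_.Id) } |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
                  @{ n = 'Type';    e = { $ids[[int]$_.Name] } },
                  Count |
    Sort-Object EventId
```

If the final table is empty after a few minutes of normal activity, the agent has nothing to inspect: recheck that the installation step succeeded and that the configuration file was the one extracted from the verified archive before tuning rule priorities in Deep Security.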
Please note that the rules will work ONLY with Trend Micro Deep Security Agent version 12.0.0-360 or higher.

Configuring the Log Inspection Rules in Deep Security

1. Go to Computer -> Log Inspection -> Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.

[Screenshot: Severity Clipping settings under Log Inspection -> Advanced]

2. Go to Computer or Policy -> Log Inspection -> 1009771 - Microsoft Windows Sysmon Events - 1 -> Properties -> Configuration.

The administrator will need to tune the priority of the various Rule IDs to be greater than the Severity Clipping levels noted in the previous step to get the corresponding alert. Details about each Rule ID can be found by matching it to the ATT&CK IDs listed here: https://attack.mitre.org/techniques/enterprise/.

3. Repeat the same steps performed in step 2 for 1009777 - Microsoft Windows Sysmon Events - 2.
Category: Configure; Troubleshoot
Solution Id: 1123908