Deep Security Log Inspection Rules for Sysmon Event Monitoring

    • Updated: 13 Mar 2020
    • Product/Version: Deep Security 20.0
    • Platform: Windows
Summary
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
Sysmon logs these additional events in:
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational 
Trend Micro Deep Security added support for monitoring events generated by Sysmon in Version 12.0.
The following Log Inspection rules are provided to monitor events generated by Sysmon:
  • 1009771 - Microsoft Windows Sysmon Events - 1
  • 1009777 - Microsoft Windows Sysmon Events - 2
Details

Detecting MITRE ATT&CK techniques using Sysmon

After applying these rules, the Deep Security Agent will detect events related to process creation, process termination, network connection, file creation, registry value set, or pipe creation, and can generate Log Inspection events for them. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.
 

Configuring Sysmon for use with the Log Inspection rules

  1. Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip and extract the contents to a temporary folder.
  2. Download the latest configuration file (DSSysmonConfig.xml) from GitHub here and extract the contents to the same folder as in Step 1.
  3. Open an elevated command prompt in the directory containing the files extracted in Steps 1 and 2 and run the following command: sysmon.exe -accepteula -i DSSysmonConfig.xml
An example of how to deploy Sysmon through GPO (with a link to a helper batch file) can be found at the end of this article.

For more details about Sysmon and its additional uses, refer to official Microsoft documentation here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
 
 
Please note that the rules will work ONLY with Trend Micro Deep Security Agent version 12.0.0-360 or higher.
 
 

Configuring the Log Inspection Rules in Deep Security

1. Go to Computer -> Log Inspection -> Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.
 
2. Go to Computer or Policy -> Log Inspection -> 1009771 - Microsoft Windows Sysmon Events - 1 -> Properties -> Configuration
 
 
The administrator will need to tune the priority of the various Rule IDs so that it is greater than the Severity Clipping levels noted in the previous step; otherwise the corresponding alert is not generated. Details about each Rule ID can be found by matching it to the ATT&CK IDs listed here: https://attack.mitre.org/techniques/enterprise/.
 
3. Repeat the same steps performed in Step 2 for 1009777 - Microsoft Windows Sysmon Events - 2.


Instructions on how to deploy Sysmon via GPO

The following steps may be used to deploy Sysmon in an Active Directory environment using Group Policy Objects (GPO).
 
Please note, there are many different enterprise methods of deploying software and tools and this is one example. Sysmon can be deployed any way administrators prefer, as long as the correct configuration file is used.
  1. Download the helper deploy_sysmon.bat file (zipped) from here. (Zip SHA256: 98a7687993ec64195b477d98afef2986aac8c1d33aa0fd802db026f544333590)
  2. Create a file share that allows all computers read-only access. Note: only selected accounts should have write access to this folder due to the sensitivity of the files. A common location to use is the SYSVOL folder of the domain, but organizational requirements may vary.
  3. Edit the first line of the deploy_sysmon.bat file to point to the file share created in Step 2.
  4. Copy all five (5) files mentioned in this article to the share: deploy_sysmon.bat, DSSysmonConfig.xml, Eula.txt, sysmon.exe and sysmon64.exe.
  5. Using an AD account with appropriate permissions (usually Domain Admin), use the Windows Group Policy Management Console to create a new GPO and link it either to the root domain or to an appropriate OU.
  6. Edit the policy and navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
  7. In the right pane, double click on Startup.
  8. Click Add.
  9. In 'Script Name' enter the full UNC path to the deploy_sysmon.bat file, or click on Browse and navigate to the network location.
  10. Click OK and then Click OK once more.
As the Group Policy updates for each computer in the selected scope, Sysmon will be deployed.  Whenever an update to the configuration file is required, simply update the DSSysmonConfig.xml file and it will get deployed at the next GPO refresh interval.
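As an added example (not the deploy_sysmon.bat helper linked above, whose contents this article does not show), the following PowerShell startup script does what the GPO procedure in Steps 1 to 10 describes and also runs the manual install command from the Sysmon configuration section: it installs Sysmon from the share when the service is absent, and otherwise pushes DSSysmonConfig.xml with `-c` only when the file on the share has changed. The share path and the local state directory are assumptions to adjust for your environment.

```powershell
# Added example, not the article's deploy_sysmon.bat: a GPO startup script that
# installs Sysmon with DSSysmonConfig.xml, or reloads the config when it changes.
$Share      = '\\EXAMPLE-DC\SYSVOL\example.local\Sysmon'   # assumption: the read-only share from Step 2
$ConfigName = 'DSSysmonConfig.xml'
$StateDir   = Join-Path $env:ProgramData 'SysmonDeploy'      # assumption: local state/log location
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$LogFile    = Join-Path $StateDir 'deploy.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append
}

# Use the 64-bit or 32-bit binary copied to the share in Step 4.
$Exe          = if ([Environment]::Is64BitOperatingSystem) { 'sysmon64.exe' } else { 'sysmon.exe' }
$ExePath      = Join-Path $Share $Exe
$SharedConfig = Join-Path $Share $ConfigName
$LocalConfig  = Join-Path $StateDir $ConfigName   # copy of the last configuration applied

if (-not (Test-Path $ExePath) -or -not (Test-Path $SharedConfig)) {
    Write-Log "Share unreachable or files missing under $Share"
    exit 1
}

# The service is named after the binary that installed it (Sysmon or Sysmon64).
$Service = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1

if (-not $Service) {
    # Fresh install: the same command the article gives for a manual install.
    & $ExePath -accepteula -i $SharedConfig | Out-Null
    $rc = $LASTEXITCODE
    Write-Log "Installed Sysmon from $ExePath with $ConfigName (exit code $rc)"
} else {
    # Already installed: only push the configuration when the shared file differs
    # from the one applied last time, so every reboot does not reload the driver.
    $SharedHash = (Get-FileHash $SharedConfig -Algorithm SHA256).Hash
    $LocalHash  = if (Test-Path $LocalConfig) { (Get-FileHash $LocalConfig -Algorithm SHA256).Hash } else { '' }
    if ($SharedHash -eq $LocalHash) { Write-Log 'Configuration unchanged; nothing to do'; exit 0 }
    & $ExePath -c $SharedConfig | Out-Null
    $rc = $LASTEXITCODE
    Write-Log "Applied updated $ConfigName (SHA256 $SharedHash, exit code $rc)"
}
if ($rc -eq 0) { Copy-Item $SharedConfig $LocalConfig -Force }

# Sanity check: the Log Inspection rules read this channel, so it should be filling up.
$Recent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $Recent) { Write-Log 'WARNING: no events yet in Microsoft-Windows-Sysmon/Operational' }
exit $rc
```

Place the script on the same read-only share and add it under the PowerShell Scripts tab of the Startup dialog in Step 7, rather than the Scripts tab used for the .bat file.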
    • Category: Configure; Troubleshoot
    • Solution Id: 1123908