Configuration: Install TA via GUI on all search heads, install via your preferred method (manual or Deployment Server) on forwarders running on Windows that have Sysmon 3.1 or greater installed.
Ensure that you have at least version 6.2.0 universal forwarders to take advantage of Windows XML event log format.
Sysmon ProcessCreate events may pick up passwords in CommandLine and ParentCommandLine fields. Depending on organizational policy you may be required to mask passwords either at search time or prior to indexing. SEDCMD entries can be added to props.conf files on search heads or indexers to mask data in known positions of passwords. Note this contribution has not been widely tested and may require substantial additional configuration and tuning effort. Use at your own risk.
SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g
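To check what that SEDCMD rule does and does not mask before deploying it, here is the rule expressed as an equivalent Python substitution run over constructed CommandLine samples (added example, not part of the TA; Splunk applies SEDCMD with its own regex engine, so plain regex substitution is an assumption, and plink.exe is used only because it takes a `-pw` argument):

```python
import re

# Added example (not part of the TA): the README's SEDCMD-pwd_rule1 expressed as
# an equivalent Python substitution so the rule can be checked against sample
# command lines offline. Splunk applies SEDCMD with its own (PCRE-style) engine;
# treating it as plain regex substitution is an assumption made here.
SEDCMD_PWD_RULE1 = (re.compile(r" -pw ([^\s<])+"), " -pw ***MASK***")

def mask_command_line(cmdline, rules=(SEDCMD_PWD_RULE1,)):
    """Apply each (pattern, replacement) rule in order, like SEDCMD entries in props.conf."""
    for pattern, replacement in rules:
        cmdline = pattern.sub(replacement, cmdline)
    return cmdline

def secret_survives(cmdline, secret, rules=(SEDCMD_PWD_RULE1,)):
    """True when the secret is still present after masking, i.e. the rule missed it."""
    return secret in mask_command_line(cmdline, rules)

# Constructed sample CommandLine values (plink.exe takes its password via -pw).
SAMPLES = {
    "trailing":  'plink.exe -ssh user@host -pw S3cret!',
    "leading":   'plink.exe -pw S3cret! -ssh user@host',
    "quoted":    'plink.exe -ssh user@host -pw "my secret"',   # space inside the value
    "uppercase": 'plink.exe -ssh user@host -PW S3cret!',       # rule is case-sensitive
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:10} -> {mask_command_line(line)}")
```

The "quoted" and "uppercase" samples show the two gaps a practitioner should tune for: a password containing whitespace is only masked up to the first space, and a differently-cased switch is not masked at all.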
The Sysmon v10 configuration XML spec does not allow for multiple log-write exclusions based on rule groups. It is possible to achieve complex log forwarding exclusions for high volume DNS Query Events with inputs.conf blacklist specs. See comments in inputs.conf for implementation examples.
For additional info on Sysmon see: (http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/)
This is a community supported TA. As such, post to answers.splunk.com and reference it.
We strongly recommend that you use the popular Sysmon configuration shared by SwiftOnSecurity as your starting point:
(https://github.com/SwiftOnSecurity/sysmon-config)
3/16/2017 - The following configuration guidance was included historically
but should now be considered deprecated. We suggest instead that you use the
SwiftOnSecurity configuration as a starting point, and tune it to meet your needs.
You may choose to use elements of the legacy configuration below, particularly if
you are interested in excluding common Splunk image/file names from creating Sysmon
events.
NOTE: If you choose to exclude certain events based on file name, please be aware
that this could potentially be abused by an attacker to hide malicious activity by
choosing an excluded name for their malware. If you are not willing to accept this
risk, do not use the configuration below.
Sysmon is capable of delivering a large amount of events into your
Splunk instance. The following configuration, loaded into each
system running Sysmon 3.1 or greater, will reduce the amount of data considerably.
Special thanks go to Jeff Walzer from the University of Pittsburgh for
originally helping to test this (walzer@pitt.edu).
Place the configuration in a text file and load it via sysmon -c (filename) from an
admin-level command prompt. You may get some unusual errors; these are benign and
can be ignored. Check the resulting filtering via "sysmon -c" with no argument.
For additional Sysmon filtering, remove the entire ImageLoad section.
<Sysmon schemaversion="3.2">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Exclude certain processes that cause high event volumes -->
    <!-- (the "splunk" substring rule already covers every splunk-* image below) -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
    <ProcessTerminate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessTerminate>
    <FileCreateTime onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>
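The NOTE above warns that name-based exclusions drop any image whose path contains the excluded string. The following added example (not part of the TA or of Sysmon) evaluates a Sysmon config's exclude rules against candidate Image paths so an exclusion list can be audited before it is deployed; the embedded config is a constructed subset of the legacy config above, and case-insensitive matching is an assumption this example makes about Sysmon's string conditions:

```python
import xml.etree.ElementTree as ET

# Added example (not part of the TA or Sysmon): evaluate the "exclude" rules of a
# Sysmon config against candidate Image paths to audit what an exclusion list
# actually drops. Matching is treated as case-insensitive, which is an assumption
# about Sysmon's string conditions made here for the purpose of the audit.
SAMPLE_CONFIG = """<Sysmon schemaversion="3.2">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>"""  # constructed subset of the legacy config in this README

def _matches(condition, needle, value):
    v, n = value.lower(), needle.lower()
    if condition == "is":
        return v == n
    if condition == "contains":
        return n in v
    if condition == "begin with":
        return v.startswith(n)
    if condition == "end with":
        return v.endswith(n)
    if condition == "image":  # full path or bare image name
        return v == n or v.rsplit("\\", 1)[-1] == n
    raise ValueError(f"condition not handled by this example: {condition}")

def excluded_by(config_xml, event_type, fields):
    """Return the (field, condition, value) rules that would drop the event."""
    hits = []
    for block in ET.fromstring(config_xml).iter(event_type):
        if block.get("onmatch") != "exclude":
            continue
        for rule in block:
            value = fields.get(rule.tag)
            if value is None:
                continue
            cond = rule.get("condition", "is")
            if _matches(cond, rule.text or "", value):
                hits.append((rule.tag, cond, rule.text))
    return hits

def would_log(config_xml, event_type, fields):
    """True if no exclude rule matches, i.e. Sysmon would write the event."""
    return not excluded_by(config_xml, event_type, fields)
```

Running unrelated paths that merely contain the substring "splunk" through would_log shows how broad a "contains" exclusion really is.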
Fixes minor AppInspect failures
July 30, 2019
Tested with Sysmon version 10
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Updates to work with the new Splunk_TA_windows v5 and onwards - https://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#Upgrade_from_version_4.8.4_to_version_5.0.1
All searches, reports and dashboards using sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" need to use source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" instead, due to the upgrade to Splunk_TA_windows v5.
Tested with Sysmon version 10
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Added support for Sysmon v10 having new DNS Query event type.
Provided inputs.conf examples enabling blacklist of multiple DNS Query events based on complex rule groups
December 11, 2018
Tested with Sysmon version 8.0
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Updates to work with the new Splunk Endpoint Data Model - http://docs.splunk.com/Documentation/CIM/4.12.0/User/Endpoint
Thanks to Bhavin Patel for contributions (@patel-bhavin)
Updated lookups to support Sysmon V5.
Now extracts various hash values into convenient fields. See https://github.com/splunk/TA-microsoft-sysmon/issues
Several minor bugfixes and enhancements. Tested with Microsoft Sysmon version 3.21
Major modification of the version to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf
Version 0.3.1 was contributed by James Brodsky.
-Confirmed to work with Sysmon 3.1
-Some more CIM work
-new README file
-example Sysmon config (in readme)
-Lookup file to map event codes to event descriptions
Added CIM compliance for process events
Initial CIM-compliant Release