Advanced Sysmon filtering using Logstash

When I initially deployed Sysmon earlier last year I was amazed by the  amount of details it gathered as well as the huge amount of logs that my ELK stack was consuming. I decided to run it for a few weeks to get an idea of what was “normal” in my environment and later filter out those reoccurring events. If you really want to know what’s going on in your environment you should take this approach and filter as needed, it will take some time but you will feel confident that nothing is slipping through the cracks.

Since Sysmon doesn’t have advanced filtering (as of version 5.02), we will do a combination of Sysmon configuration filtering and Logstash configuration filtering to get exactly what we need.

Now that you’ve been collecting these logs for some time, let’s start filtering out items that are generating too many logs.

Here’s my logstash configuration (data being sent through Winlogbeat from my WEF server- Follow this guide to get this setup in your environment) or this for non-domain environment)

Filter #1 and #2 – Removes leading SHA256= from all file hashes generated by sysmon (See image below).

This will help you out whenever you are trying to integrate any type of file hash lookup intel to your data such as Virus total (See guide here).

This is how the data will be stored in Elasticsearch

Filter #3 – Drops expected network connections or applications that generate network connections.
The current filter would drop a log that would match this event based on
[event_data][Image] == “C:\Program Files\Mozilla Firefox\firefox.exe”

As you can see, you may use any of the fields generated and create additional filters based on if statements.

Filter # 4 – Drops newly created processes.

This will probably be one of the most chatty logs; therefore, I would suggest to filter out these on your Sysmon configuration; however, for processes such as svchost.exe, csrss.exe, conhost.exe, services.exe,etc, I would go with Logstash and add additional logic (if statements for other fields such as ParentCommandLine, CommandLine, and User to filter out normal activity processes.

Here’s an example:

For process: sdclt.exe with a parent Image of C:\Windows\system32\services.exe and Command Line C:\Windows\System32\sdclt.exe /CONFIGNOTIFICATION 

Those are some examples of how you can filter out additional data being generated by Sysmon.

Lastly, here’s an example of a test Sysmon configuration that you may get started with.

If you have any questions feel free to send me a message on Twitter @Pablis2010 where I’ll answer quicker.

Leave a Reply

Notify of