Cyber Defense with MITRE Framework | Graylog + SOC Prime | On-Demand Webinar >> ​

Graylog and Illuminate Spotlight for Sysmon

This is a Transcript of “Graylog and Sysmon”

When monitoring things deeper into your network at the endpoint client level, you’re able to collect even more valuable information.

Visibility with Sysmon in Windows

An example of this is with Sysmon in Windows operating systems. In this example, in my Graylog instance, we’re logging Sysmon events through the Graylog Illuminate Spotlight for Sysmon.

This gives you detailed information and in the Windows endpoints, such things like:

  • recording hashes for image files,
  • process GUIDs for correlation of events when Windows reuses process IDs,
  • GUIDs for some log on sessions,
  • logs for drivers or DLLs with signatures and hash values,
  • raw read access to disk volumes and events from early stages in the boot process, and many others.

Some, if not all of these, very well common in fact, are those for looking for data in your logs for IOC and hash values; looking for a known and bad DNS queries and bad IP destinations, very common within these actual environments; modifications of files and known directories or file names that are being modified in many different threat vectors.

Graylog Dashboards for Sysmon in Windows

In this instance of Graylog, I’ve highlighted here the dashboards that are available specifically through Sysmon, one being an overview and the other three, being the investigation drill downs for hosts, for process, or for user or login activity. This will highlight individual workflows in tracking those individual items one by one in investigations.

A Look at the Primary Dashboard

Next tab we’re looking at here is the primary dashboard, the overview, and includes four different pieces of information or four different tabs within the dashboard.

The first one is the DNS summary showing you the failed DNS queries and successful DNS queries and, over time, a variety of successful counts and their path, as well as the top 10 and rarest 10s right across the board.

The Endpoint Activity Summary

Next tab, we’ve got a Sysmon endpoint activity summary. And this one gives you the endpoint types of events that are being listed and provides you a heat map for the top 10 end points and Sysmon types by host and the sub-categories broken down, as well.

The Network Summary

The Sysmon network summary tab is a tab that allows you to see the network connections that are created in processes and whatnot by Sysmon and its monitoring of those. Here, you’ll get the top 10 destinations by ports for the destination IP addresses. And you can map backwards as to what’s going on in your individual end clients. And a Sysmon operation summary, which just gives you your hosts reporting, your Sysmon errors detected, and some events over time for the sub-categories so you can get a good snapshot of what hosts are being involved in the Sysmon data.

Thanks for watching today and happy logging with Graylog.