Collect Microsoft Windows Sysmon logs

This document:

• describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Google Security Operations Parser for Microsoft Windows Sysmon events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations .
• includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields.

Information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

Review the recommended deployment architecture

This diagram represents the recommended core components in a deployment architecture to collect and send Microsoft Windows Sysmon data to Google Security Operations. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

• Systems in the deployment architecture are configured with the UTC time zone.
• Sysmon is installed on servers, endpoints, and domain controllers.
• The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.

• Microsoft Windows systems in the deployment architecture use:

  • Source Initiated Subscriptions to collect events across multiple devices.
  • WinRM service for remote system management.

• NXLog is installed on the collector Window server to forward logs to Google Security Operations forwarder.

• Google Security Operations forwarder is installed on a central Microsoft Windows server or Linux server.

  

Review the supported devices and versions

The Google Security Operations parser supports logs generated by the following Microsoft Windows server versions. Microsoft Windows Server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition does not differ.

• Microsoft Windows Server 2019
• Microsoft Windows Server 2016
• Microsoft Windows Server 2012

Google Security Operations parser supports logs generated by:

• Microsoft Windows 7 and higher client systems
• Sysmon version 13.24.

Google Security Operations parser supports logs collected by NXLog Community or Enterprise Edition.

Review the supported log types

The Google Security Operations parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation . It supports logs generated with English language text and is not supported with logs generated in non-English languages.

Configure Microsoft Windows servers, endpoints, and domain controllers

1. Install and configure the servers, endpoints, and domain controllers. For information, see Microsoft Windows Sysmon Configuration documentation .
2. Set up a collector Microsoft Windows server to parse the collected logs from multiple systems.
3. Set up the central Microsoft Windows or Linux server
4. Configure all systems with the UTC time zone.
5. Configure the devices to forward logs to the collector Microsoft Windows server.
   • Configure Source Initiated Subscriptions on Microsoft Windows systems. For information, see Setting up a Source Initiated Subscription .
   • Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management .

Configure the Bindplane Agent

Collect the Windows Sysmon logs by using the Bindplane Agent. After installation, the Bindplane Agent service appears as the observerIQ service in the list of Windows services.

1. Install the Bindplane Agent on a Windows server running the collector: For more information about installing the Bindplane Agent, see the Bindplane Agent installation instructions .

2. Create a configuration file for the Bindplane Agent with the following contents.

    receivers:
     windowseventlog/sysmon:
       channel: Microsoft-Windows-Sysmon/Operational
       raw: true
   processors:
     batch:
   
   exporters:
     chronicle/winsysmon:
       endpoint: https://malachiteingestion-pa.googleapis.com
       creds: '{
       "type": "service_account",
       "project_id": "malachite-projectname",
       "private_key_id": ` PRIVATE_KEY_ID 
   `,
       "private_key": ` PRIVATE_KEY 
   `,
       "client_email":"` SERVICE_ACCOUNT_NAME 
   `@malachite-` PROJECT_ID 
   `.iam.gserviceaccount.com",
       "client_id": ` CLIENT_ID 
   `,
       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
       "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/` SERVICSERVICE_ACCOUNT_NAME 
   `%40malachite-` PROJECT_ID 
   `.iam.gserviceaccount.com",
       "universe_domain": "googleapis.com"
       }'
     log_type: 'WINDOWS_SYSMON'
     override_log_type: false
     raw_log_field: body
     customer_id: ` CUSTOMER_ID 
   `
   
   service:
     pipelines:
       logs/winsysmon:
         receivers:
           - windowseventlog/sysmon
         processors: [batch]
         exporters: [chronicle/winsysmon] 
   

3. Replace the PRIVATE_KEY_ID , PRIVATE_KEY SERVICSERVICE_ACCOUNT_NAME , PROJECT_ID , CLIENT_ID and CUSTOMER_ID with the respective values from the service account JSON file which you can download from Google Cloud Platform. For more information about service account keys, see Create and delete service account keys documentation .

4. To start the observerIQ agent service, select Services > Extended > the observerIQ Service > start.

Configure NXLog and Google Security Operations forwarder

1. Install NXLog on the collector that is running on a Windows server. Follow the NXLog documentation , including information about configuring NXLog to collect logs from Sysmon .

2. Create a configuration file for NXLog. Use the im_msvistalog input module. Here is an example NXLog configuration. Replace HOSTNAME and PORT values with information about the destination central Microsoft Windows or Linux server. For more information, see NXLog documentation about the om_tcp module .

    define ROOT     C:\Program Files\nxlog
   define SYSMON_OUTPUT_DESTINATION_ADDRESS HOSTNAME 
   define SYSMON_OUTPUT_DESTINATION_PORT PORT 
   define CERTDIR  %ROOT%\cert
   define CONFDIR  %ROOT%\conf
   define LOGDIR   %ROOT%\data
   define LOGFILE  %LOGDIR%\nxlog.log
   LogFile %LOGFILE%
   
   Moduledir %ROOT%\modules
   CacheDir  %ROOT%\data
   Pidfile   %ROOT%\data\nxlog.pid
   SpoolDir  %ROOT%\data
   
   <Extension _json>
       Module      xm_json
   </Extension>
   
   <Input windows_sysmon_eventlog>
       Module  im_msvistalog
       <QueryXML>
           <QueryList>
               <Query Id="0">
                   <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
               </Query>
           </QueryList>
       </QueryXML>
       ReadFromLast  False
       SavePos  False
   </Input>
   
   <Output out_chronicle_sysmon>
       Module      om_tcp
       Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
       Port        %SYSMON_OUTPUT_DESTINATION_PORT%
       Exec        $EventTime = integer($EventTime) / 1000;
       Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
       Exec        to_json();
   </Output>
   
   <Route r2>
       Path    windows_sysmon_eventlog => out_chronicle_sysmon
   </Route> 
   

3. Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server. See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

4. Configure the Google Security Operations forwarder to send logs to Google Security Operations. Here is an example forwarder configuration.

    - syslog:
         common:
           enabled: true
           data_type: WINDOWS_SYSMON
           Data_hint:
           batch_n_seconds: 10
           batch_n_bytes: 1048576
         tcp_address: 0.0.0.0:10518
         connection_timeout_sec: 60 
   

5. Start the NXLog service.

Supported Windows Sysmon log formats

The Windows Sysmon parser supports logs in JSON and XML formats.

Supported Windows Sysmon sample logs

• JSON:

   {
    "EventTime": 1611175283,
    "Hostname": "dummy10-1.user12.local",
    "Keywords": -9223372036854775808,
    "EventType": "INFO",
    "SeverityValue": 2,
    "Severity": "INFO",
    "EventID": 1,
    "SourceName": "Microsoft-Windows-Sysmon",
    "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "Version": 5,
    "Task": 1,
    "OpcodeValue": 0,
    "RecordNumber": 8846,
    "ProcessID": 1184,
    "ThreadID": 2568,
    "Channel": "Microsoft-Windows-Sysmon/Operational",
    "Domain": "NT AUTHORITY",
    "AccountName": "SYSTEM",
    "UserID": "S-1-2-3",
    "AccountType": "User",
    "Message": "Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2021-09-13 06:34:03.015\\r\\nProcessGuid: {de2dee9a-f0db-613e-7017-000000001100}\\r\\nProcessId: 5440\\r\\nImage: C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\\Calculator.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nCommandLine: \\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\\Calculator.exe\\" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca\\r\\nCurrentDirectory: C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\\\\r\\nUser: DUMMY10-1\\\\admin\\r\\nLogonGuid: {de2dee9a-8d8d-6138-3c16-120000000000}\\r\\nLogonId: 0x12163C\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: AppContainer\\r\\nHashes: SHA256=1BE51B1664853ACCA05B402FBB441456D0A6FA57D70BAED476434CF8F686E15F\\r\\nParentProcessGuid: {de2dee9a-8a98-6138-0d00-000000001100}\\r\\nParentProcessId: 924\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nParentCommandLine: C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p",
    "Category": "Process Create (rule: ProcessCreate)",
    "Opcode": "Info",
    "RuleName": "-",
    "UtcTime": "2021-09-13 06:34:03.015",
    "ProcessGuid": "{de2dee9a-f0db-613e-7017-000000001100}",
    "Image": "C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\\Calculator.exe",
    "FileVersion": "-",
    "Description": "-",
    "Product": "-",
    "Company": "-",
    "OriginalFileName": "-",
    "CommandLine": "\\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\\Calculator.exe\\" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca",
    "CurrentDirectory": "C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\\\",
    "User": "DUMMY10-1\\\\admin",
    "LogonGuid": "{de2dee9a-8d8d-6138-3c16-120000000000}",
    "LogonId": "0x12163c",
    "TerminalSessionId": "1",
    "IntegrityLevel": "AppContainer",
    "Hashes": "SHA256=1BE51B1664853ACCA05B402FBB441456D0A6FA57D70BAED476434CF8F686E15F",
    "ParentProcessGuid": "{de2dee9a-8a98-6138-0d00-000000001100}",
    "ParentProcessId": "924",
    "ParentImage": "C:\\\\Windows\\\\System32\\\\svchost.exe",
    "ParentCommandLine": "C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p",
    "EventReceivedTime": 1611175286,
    "SourceModuleName": "windows_sysmon_eventlog",
    "SourceModuleType": "im_msvistalog"
  } 
  

• XML:

   <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
      <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
      <EventID>7</EventID>
      <Version>3</Version>
      <Level>4</Level>
      <Task>7</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime='2024-11-14T15:41:55.9275040Z'/>
      <EventRecordID>15560430</EventRecordID>
      <Correlation/>
      <Execution ProcessID='2124' ThreadID='6004'/>
      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
      <Computer>testcomputer.example.org</Computer>
      <Security UserID='S-1-5-18'/>
    </System>
    <EventData>
      <Data Name='RuleName'>technique_id=T1047,technique_name=Windows Management Instrumentation</Data>
      <Data Name='UtcTime'>2024-11-14 15:41:55.918</Data>
      <Data Name='ProcessGuid'>{de61df1c-1a43-6736-a863-00000000ad00}</Data>
      <Data Name='ProcessId'>20728</Data>
      <Data Name='Image'>C:\\Program Files\\SourceFile\\SourceFile.exe</Data>
      <Data Name='ImageLoaded'>C:\\Windows\\System32\\wbem\\imagename.dll</Data>
      <Data Name='FileVersion'>10.0.22621.3672 (WinBuild.160101.0800)</Data>
      <Data Name='Description'>WMI</Data>
      <Data Name='Product'>Microsoft® Windows® Operating System</Data>
      <Data Name='Company'>Microsoft Corporation</Data>
      <Data Name='OriginalFileName'>originalimagename.dll</Data>
      <Data Name='Hashes'>SHA1=AB20D0B71E38A3BF130100BE2F85D32F29D04697,MD5=2C6D07DCF4CDD6177B67F210019D5C61,SHA256=413CDAACD75C19725591059F70CB7F1C0C1AEAA6E1D43C70A687310859C1813F,IMPHASH=472A202488B9A8A8072E75ADE4EC1496</Data>
      <Data Name='Signed'>true</Data>
      <Data Name='Signature'>Microsoft Windows</Data>
      <Data Name='SignatureStatus'>Valid</Data>
      <Data Name='User'>Test\\TestUser</Data>
    </EventData>
  </Event> 
  

Field mapping reference: device event fields to UDM fields

This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping may differ by Event Id.

Field mapping reference: Event Identifier to Event Type

Field mapping reference: WINDOWS_SYSMON

The following table lists the log fields of the WINDOWS_SYSMON log type and their corresponding UDM fields.

Need more help? Get answers from Community members and Google SecOps professionals.