What is Security Windows Sysmon?
Windows Sysmon is a Windows system service of the SysInternals suite that provides permanent monitoring and more detailed logging of certain types of events. Sysmon allows you to record detailed information such as process creations, network connections, registry events, file creations and more.
Once collected and sent to ServicePilot using the Windows-Event package, these events can be analyzed in the web interface just like other standard Windows event logs.
By analyzing Sysmon logs, you can identify malicious or abnormal activities and understand how intruders and malware work on your network.
Monitoring of Security Windows Sysmon
This package performs several predefined searches to automatically analyze data for all Windows systems sending Windows Sysmon Events to ServicePilot.
Different searches are carried out:
- Process Creation: the process creation event provides extended information about a newly created process
- File Creation Time Changed: the change file creation time event is registered when a file creation time is explicitly modified by a process
- Sysmon State Changed: the service state change event reports the state of the Sysmon service (started or stopped)
- Process Terminated: the process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process
- Driver Loaded: the driver loaded events provides information about a driver being loaded on the system
- and others...