What is Windows Sysmon Search?
[Sysmon] (https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon "Sysmon Sysinternals") is a Windows system service of the Sysinternals suite that provides permanent monitoring and more detailed logging of certain types of events. Sysmon allows you to record detailed information such as process creations, network connections, registry events, file creations and more.
Once collected and sent to ServicePilot using the Windows-Event package, these events can be analyzed in the web interface just like other standard Windows event logs.
By analyzing Sysmon logs, you can identify malicious or abnormal activities and understand how intruders and malware work on your network.
Monitoring of the Windows Sysmon event search
This package performs several predefined searches to automatically analyze data for all windows systems sending Windows Sysmon Events to ServicePilot.
Different searches are carried out:
- Microsoft Binary Communication Endpoint: Monitors and triggers an alarm if a Windows executable communicates with a URL from an external network such as Github, pastebin...
- PowerShell Rundll32 Remote Thread Creation: Monitors and creates an alert when a PowerShell remote thread is created in Rundll32.exe.
- Suspicious File Characteristics: Monitors Executable files with suspicious characteristics due to lack of description fields completion (FileVersion,Description,Product,Company...)
- and others...
Note that for some searches, it also depends on the configuration of your XML file or filters on specific events that you set up before forwarding Sysmon events to ServicePilot.