SysInternals Sysmon

Follow

Matthew Wyenandt

• July 28, 2022 12:29

I'm not seeing any documentation or community discussions about using SysInternals Sysmon with SumoLogic.  Is anyone doing this?  Is it even possible?  Is there any value to adding Sysmon logs to data collection and forwarding to the SIEM?  

0

• Official comment

  

  Julien Bernard

  • July 28, 2022 12:37

  Dear Matthew,

  Indeed, Sysmon provides a lot of important data for the SIEM (especially the process execution events). Sumo Logic CSE (Cloud SIEM Enterprise) already contains mappings and detection rules to support those events.

  As Sysmon is logging into a Windows Event Channel, you can ingest its data using the Windows Event Log source on an installed collector. You will just need to add its custom channel name "Microsoft-Windows-Sysmon/Operational".

  More information on how to configure such custom channels: https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Local-Windows-Event-Log-Source/Local-Windows-Event-Source-Custom-Channels

   

  Comment actions Permalink

Please sign in to leave a comment.