I'm not seeing any documentation or community discussions about using SysInternals Sysmon with SumoLogic. Is anyone doing this? Is it even possible? Is there any value to adding Sysmon logs to data collection and forwarding to the SIEM?
Indeed, Sysmon provides a lot of important data for the SIEM (especially the process execution events). Sumo Logic CSE (Cloud SIEM Enterprise) already contains mappings and detection rules to support those events.
As Sysmon is logging into a Windows Event Channel, you can ingest its data using the Windows Event Log source on an installed collector. You will just need to add its custom channel name "Microsoft-Windows-Sysmon/Operational".
More information on how to configure such custom channels: https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Local-Windows-Event-Log-Source/Local-Windows-Event-Source-Custom-Channels
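To make the answer above concrete, here is an added example (not from this thread and not Sumo Logic's own code) that shows what arrives once the "Microsoft-Windows-Sysmon/Operational" channel is ingested: a Sysmon Event ID 1 (process creation) record in Windows event XML, and a parser that checks the channel and event ID and pulls out the process-execution fields a SIEM mapping keys on (image, command line, parent, user, hashes). The sample event is constructed for illustration, the field names are the standard Sysmon Event ID 1 fields, and the normalized record layout is my own assumption rather than the Sumo Logic CSE schema.

```python
"""Parse a Sysmon process-creation event (Event ID 1) from the
Microsoft-Windows-Sysmon/Operational channel into the fields a SIEM
mapping typically keys on.  The sample event below is constructed for
illustration; it is not a captured log."""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML for the <Event> document.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Sysmon event IDs that describe process execution.
PROCESS_EVENT_IDS = {1: "ProcessCreate", 5: "ProcessTerminate"}

# Constructed sample: one Sysmon Event ID 1 as the Windows event log renders it.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2024-01-01T12:00:00.000000000Z"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>workstation01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">EXAMPLE\\alice</Data>
    <Data Name="Hashes">SHA256=0123abcd</Data>
    <Data Name="ParentProcessId">1000</Data>
    <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\\Windows\\Explorer.EXE</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Split a Windows event XML record into its System header and EventData map."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", namespaces=EVENT_NS)
    event_data = root.find("e:EventData", namespaces=EVENT_NS)
    data = {
        d.get("Name"): (d.text or "")
        for d in event_data.findall("e:Data", namespaces=EVENT_NS)
    }
    return {
        "channel": system.findtext("e:Channel", namespaces=EVENT_NS),
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "data": data,
    }


def is_sysmon_process_event(event):
    """True only for records from the Sysmon channel that describe process execution."""
    return event["channel"] == SYSMON_CHANNEL and event["event_id"] in PROCESS_EVENT_IDS


def normalize_process_create(event):
    """Map a Sysmon Event ID 1 record to a flat, SIEM-friendly process record.
    The output field names are this example's own assumption, not a vendor schema."""
    if event["event_id"] != 1:
        raise ValueError("expected Sysmon Event ID 1 (ProcessCreate)")
    d = event["data"]
    # Sysmon renders hashes as "ALG=hex,ALG=hex"; split them into a dict.
    hashes = dict(h.split("=", 1) for h in d.get("Hashes", "").split(",") if "=" in h)
    return {
        "host": event["computer"],
        "timestamp": d.get("UtcTime"),
        "user": d.get("User"),
        "pid": int(d["ProcessId"]),
        "image": d.get("Image"),
        "command_line": d.get("CommandLine"),
        "parent_pid": int(d["ParentProcessId"]),
        "parent_image": d.get("ParentImage"),
        "parent_command_line": d.get("ParentCommandLine"),
        "sha256": hashes.get("SHA256"),
    }


if __name__ == "__main__":
    ev = parse_sysmon_event(SAMPLE_EVENT_XML)
    if is_sysmon_process_event(ev):
        for k, v in normalize_process_create(ev).items():
            print(f"{k:20} {v}")
```

The channel check is the part worth keeping in any real pipeline: if a collector is pointed at the wrong channel name, process-creation events never arrive and the SIEM's Sysmon rules silently have nothing to match, so asserting on the `<Channel>` value of a sample record is a cheap way to confirm the custom channel was configured correctly.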