Configure your Microsoft Sysmon deployment to collect data

Sysmon events are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational or on the WEC server, if using WEC, and collected by the Splunk software.

Prepare your Sysmon configuration file based on your security team or SOC needs. The best practice is to start preparing the configuration with the template SwiftOnSecurity/sysmon-config and adjust filtering rules of each event type according to your environment needs, instead of running Sysmon without a custom configuration file. Otherwise, Sysmon will monitor a predefined small subset of events and event types or flood the eventlog and your Splunk platform deployment with unnecessary events.

To learn more about configuration file preparation and adjustment, see:

• Microsoft documentation on Sysmon
• TrustedSec Sysmon Community Guide
• Olaf Hartong's sysmon-modular
• SwiftOnSecurity sysmon-config

WEF/WEC support

Splunk Add-on for Sysmon can be used for Sysmon events forwarded and collected with use of Windows Event Forwarding (https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection) and Windows Event Collector (https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector) or WEF/WEC for short. WEF/WEC architecture requires careful tuning to work reliably. Use a dedicated collector channel for Sysmon events and name the channel is WEC-Sysmon or something similar.

Hashes generation configuration

Choose one hashing algorithm in Sysmon's general configuration for process and file hash generation. Select the hash type used by your threat intelligence solution, so that processing cycles aren't wasted by checking for the presence of a specific MD5 hash in a field containing a SHA256 hash.

Using * or multiple types of hashes in the hash declaration is not recommended due to performance implications and the possibility of false negatives caused by labels in the hash field.