How to use Microsoft Sysmon, Azure Sentinel to log security events

Microsoft's Sysmon and Azure Sentinel are easy and inexpensive ways to log events on your network. Here's how to get started with them.

cloud security expert casb binary cloud computing cloud security by metamorworks getty 100803072 or
Metamorworks / Getty Images / Microsoft

Logging is the key to knowing how the attackers came in and how they got you. As applications move to the cloud, you need to enable logging for them. Microsoft offers tools to enhance both on-premises and cloud logging. You might not be using two of those tools as much as you should: Sysmon and Azure Sentinel.

System Monitor (Sysmon)

If you protect and defend anything on premises, you need to install Sysmon, which is free. Now up to version 11, Sysmon “is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time”.

Download Sysmon and unzip the file. Then at a command prompt enter sysmon -accepteula –I to install Sysmon and related drivers for the defaults.

bradley log 1 Susan Bradley

Unzip and install Sysmon

To continue reading this article register now

7 hot cybersecurity trends (and 2 going cold)