How to use Microsoft Sysmon, Azure Sentinel to log security events

Microsoft's Sysmon and Azure Sentinel are easy and inexpensive ways to log events on your network. Here's how to get started with them.

cloud security expert casb binary cloud computing cloud security by metamorworks getty 100803072 or
Metamorworks / Getty Images / Microsoft

Logging is the key to knowing how the attackers came in and how they got you. As applications move to the cloud, you need to enable logging for them. Microsoft offers tools to enhance both on-premises and cloud logging. You might not be using two of those tools as much as you should: Sysmon and Azure Sentinel.

System Monitor (Sysmon)

If you protect and defend anything on premises, you need to install Sysmon, which is free. Now up to version 11, Sysmon “is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time”.

Download Sysmon and unzip the file. Then at a command prompt enter sysmon -accepteula –I to install Sysmon and related drivers for the defaults.

bradley log 1 Susan Bradley

Unzip and install Sysmon

Sysmon provides additional logging located in “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational” and tracks the following items:

  • Event ID 1: Process creation
  • Event ID 2: A process changed a file creation time
  • Event ID 3: Network connection
  • Event ID 4: Sysmon service state changed
  • Event ID 5: Process terminated
  • Event ID 6: Driver loaded
  • Event ID 7: Image loaded
  • Event ID 8: CreateRemoteThread
  • Event ID 9: RawAccessRead
  • Event ID 10: ProcessAccess
  • Event ID 11: FileCreate
  • Event ID 12: RegistryEvent (Object create and delete)
  • Event ID 13: RegistryEvent (Value Set)
  • Event ID 14: RegistryEvent (Key and Value Rename)
  • Event ID 15: FileCreateStreamHash
  • Event ID 17: PipeEvent (Pipe Created)
  • Event ID 18: PipeEvent (Pipe Connected)
  • Event ID 19: WmiEvent (WmiEventFilter activity detected)
  • Event ID 20: WmiEvent (WmiEventConsumer activity detected)
  • Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
  • Event ID 22: DNSEvent (DNS query)
  • Event ID 23: FileDelete (A file delete was detected)
  • Event ID 255: Error

Read more about these on the Sysmon page along with the April release changes.

You can set Sysmon event logs to forward events to other event logs for further processing. You can also set Sysmon to perform additional logging of network connections. If you use the additional switches, use the command sysmon.exe -i -h md5 -l -n. This installs the Sysmon driver (-i), specifies the hash algorithm of MD5 (the default is SHA1) (-h md5), log loading of modules (-l), and log network connections (-n).

Next, go to “Applications and Service logs”, “Microsoft”, “Windows”, “Sysmon”,  and then “Operational” to review what is being logged. You’ll start to see patterns of files that need updating, are communicating out of your firewall, and other issues. For more advanced queries and analysis, review the recommendations from the Cquire blog.

The big change in the April release is a new Event 23 for file deletion as well as additional control over DNSevents. Attackers will drop tools on a box and then remove them to erase traces of their actions. The ability to track file deletions shows which files and tools have been removed.

Use the configuration XML file to customize your Sysmon configuration:

bradley log 2 Susan Bradley

Sysmon configuration files

You can review sample configuration files on Github.

Microsoft Azure Sentinel

Microsoft Azure Sentinel is a cloud-based logging platform that you can use for both on-premises deployments and cloud platforms such as Amazon Web Services (AWS) and Office 365. To start with Sentinel, you’ll need a free Azure account. In the search box, type “Log analytics” and then create a log analytics workspace.

bradley log 3 Susan Bradley

Setting up a Log Analytics test

Pricing for Azure Sentinel and Azure Monitor Log Analytics is based on data ingestion and data retention, but several levels of data require no fee including:

  • Azure Activity Logs
  • Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
  • Alerts from Microsoft Threat Protection products (Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection)

However, Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel and Azure Monitor Log Analytics.

Next, search in the Azure portal for Azure Sentinel. Click on “Connect workspace”. Choose the test log analytics workspace that you previously setup. Click on “Add Azure Sentinel”. Once it’s been added you can go to “Configure” to add the connector. Microsoft offers several Office 365-based and third-party connectors as well as the Windows firewall as a data provider.

bradley log 4 Susan Bradley

Windows Firewall

Sentinel uploads several types of connector data types. The first is native types of connectors including:

  • AWS - CloudTrail
  • Azure Activity
  • Azure AD audit logs and sign-ins
  • Azure AD Identity Protection
  • Azure Advanced Threat Protection
  • Azure Information Protection
  • Azure Security Center
  • Cloud App Security
  • Domain name server
  • Office 365
  • Microsoft Defender ATP
  • Microsoft Azure Web Application Firewall
  • Windows Firewall
  • Windows security events

Next you can connect various third-party data streams via APIs such as

  • Barracuda
  • Barracuda CloudGen Firewall
  • Citrix Analytics (Security)
  • F5 BIG-IP
  • Forcepoint DLP
  • Squadra Technologies secRMM
  • Symantec ICDX
  • Zimperium

You can then connect third-party platforms and firewalls such as:

  • Firewalls, proxies, and endpoints:
    • Check Point
    • Cisco ASA
    • ExtraHop Reveal(x)
    • F5
    • Forcepoint products
    • Fortinet
    • Palo Alto Networks
    • One Identity Safeguard
    • Other CEF appliances
    • Other Syslog appliances
    • Trend Micro Deep Security
    • Zscaler
  • Data loss prevention (DLP) solutions
  • Threat intelligence providers
  • DNS machines - agent installed directly on the DNS machine
  • Linux servers
  • Other clouds

You can also upload Sysmon data into Azure Sentinel for further analysis. You can also use Sentinel to find COVID-19-themed attacks by identifying anomalous events within your Azure Sentinel Workspace.  For more information check out the community blog at

Don’t forget to keep up to date with the latest at the IDG TechTalk YouTube channel.

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)