Microsoft Sysmon FlexConnector

205629

Kevin Q Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

Kevin Q | Community

FlexConnector for the extraction and categorization of the “Microsoft-Windows-Sysmon/Operational” Windows Event Log using Microfocus ArcSight Windows Native SmartConnector
Updated for Sysmon V 10.x

1,237 downloads

Product compatibility

Description

Sysmon from Sysinternals is a very powerful Host-level tracing tool, which can assist you in detecting advanced threats on your network. In contrast to common Antivirus/HIDS solutions, Sysmon performs system activity deep monitoring, and log high-confidence indicators of advanced attacks. Sysmon is using a device driver and a service that is running in the background and loads very early in the boot process. Sysmon monitors the following activities:

Process creation (with full command line and hashes)
Process termination
Network connections
File creation timestamps changes
Driver/image loading
Create remote threads
Raw disk access
Process memory access
WMI Activity
DNS Query

Some of these events can be gathered up by enabling Windows built-in auditing, yet the detail level provided by Sysmon is much higher.

When it comes to analysis, Sysmon doesn’t provide any; you can use other tools to visualize and investigate the raw events, for example, SIEM, Microsoft SCOM, Splunk, and Azure OMS.

For Workstations and large deployments, it is advisable/preferable to utilize Windows Event Forwarding to gather the relevant logs rather than use direct Collection. Configuration of Windows Event Forwarding is out of the scope of this document. More information can be found within the Microfocus ArcSight SmartConnector for Windows Native documentation and Windows Event Log Forwarding guidance from Microsoft (see references in the installation document)

This FlexConnector facilitates the extraction and categorization of the “Microsoft-Windows-Sysmon/Operational” Windows Event Log using Microfocus ArcSight Windows Native SmartConnector