Over the last couple of nights I've been playing with Azure Sentinel to see how useful it will be as a SIEM/hunting platform. One of the first things I wanted to do was onboard Sysmon data. Unfortunately the documentation isn't up to par yet, and it took me a LOT of time and some help from Kevin Beaumont, @ashwinpatil and Maarten Goet to get this working. Thanks guys!
For instance, the "Security and Audit" solution has a SysmonEvent schema, but this one is broken. To save you the same struggle, I'll give a brief outline here.
First of all you'll need to connect machines to the workspace, which is relatively straightforward. Then you need to start ingesting some data;
Once the agent is connected, configure which events are collected: go to "Workspace Settings", then "Advanced Settings", and add the data sources you require. For Sysmon that means adding the Windows event log "Microsoft-Windows-Sysmon/Operational"; its events then land in the Event table with Source set to "Microsoft-Windows-Sysmon".
By now the data should be flowing into your workspace. You can check this by going to Logs and running the following KQL query;
Parsing the data
Sadly these events are unparsed: the Sysmon fields sit inside the EventData XML column as a list of <Data Name="..."> elements. There are two options now: parse them by hand in every query, which I don't recommend ;), or parse them once by creating a function and use that function in your future queries.
Fortunately the Azure team loves Sysmon as much as I do, and they were kind enough to provide a parsing KQL query over here.
Copy the entire contents of the file, paste it into an empty query box, and click Save at the top right. Choose a name and an alias and save it as a function. The alias is what you will type in later queries.
In some cases it can take a few minutes for the new function to become available, so keep that in mind :D It caused me some annoyance when testing this for the first time. Next, test your new function in a new query window.
And there you go, properly parsed events! The only slight inconvenience is that syntax autocomplete doesn't work for these fields, since the field names are not part of a schema, and I know of no way to address this at the moment. Given that you usually know what you're looking for, you'll be fine without it.
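As an added illustration of what such a parsing function does (this is example code written for this page, not the Azure team's parser linked above and not part of the original post), here are two KQL queries: the first is the sanity check that Sysmon events are arriving at all, the second is a minimal parser that turns every <Data Name="..."> element in the EventData XML into a column, followed by a usage query over process-creation events. It assumes the events were collected through the Windows Event Log data source into the Event table, where EventData holds the `<DataItem><EventData><Data Name="...">` structure, and it uses the field names Sysmon itself writes (Image, CommandLine, ParentImage, Hashes, User). Run each query separately.

```kql
// 1. Sanity check (run on its own): are Sysmon events arriving, from which hosts,
//    and which event IDs do we get? An empty result means the data source is not
//    collecting yet, or the agent is not connected.
Event
| where Source == "Microsoft-Windows-Sysmon"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Computer asc, EventID asc

// 2. Minimal parser (run on its own). Defined inline with `let` here; once saved in
//    the portal under the alias SysmonEvent, the body is simply called by that alias.
//    Assumed EventData layout: <DataItem><EventData><Data Name="X">value</Data>...
let SysmonEvent = view () {
    Event
    | where Source == "Microsoft-Windows-Sysmon"
    // RenderedDescription starts with e.g. "Process Create:" -> keep "Process Create"
    | extend EventType = tostring(split(RenderedDescription, ":")[0])
    // Array of {"@Name": "<field>", "#text": "<value>"} objects, one per Sysmon field
    | extend Fields = parse_xml(EventData).DataItem.EventData.Data
    | mv-expand Fields
    | extend Key = tostring(Fields["@Name"]), Value = tostring(Fields["#text"])
    // One row per event again, with one column per Sysmon field name.
    // Only the listed columns survive the pivot alongside the new field columns.
    | evaluate pivot(Key, take_any(Value), TimeGenerated, Computer, EventID, EventType, UserName)
};
// Usage: process creations (EventID 1), with the fields a hunter looks at first.
// column_ifexists keeps the query valid when no EventID 1 events are in the time range,
// because pivot only creates columns for field names that actually occurred.
SysmonEvent
| where EventID == 1
| project TimeGenerated, Computer,
          User        = column_ifexists("User", ""),
          Image       = column_ifexists("Image", ""),
          CommandLine = column_ifexists("CommandLine", ""),
          ParentImage = column_ifexists("ParentImage", ""),
          Hashes      = column_ifexists("Hashes", "")
| take 10
```

Two practical caveats with this pivot-based approach: the set of columns the function returns depends on which Sysmon event types (and Sysmon version) occurred in the queried time range, which is exactly why autocomplete cannot know them, and Sysmon's own UtcTime field is the time the event happened on the host, whereas TimeGenerated is the ingestion timestamp, so use UtcTime when you correlate across hosts.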