Using Sysmon in Azure Sentinel

Olaf Hartong
Jun 2 · 3 min read

Over the last couple of nights I've been playing with Azure Sentinel to see how useful it will be as a SIEM/Hunting platform. One of the fist things I wanted to do is onboard Sysmon data. Unfortunately the documentation isn't up to par yet and it took me a LOT of time and some help from Kevin Beaumont, @ashwinpatil and Maarten Goet to get this working. Thanks guys!

For instance the "Security and Audit" Solution has a SysmonEvent schema, this one is broken however. In order to save you the same struggle I'll give a brief outline here.

Onboarding data

First of all you'll need to connect machines, this is relatively straight forward. Then you need to start ingesting some data;

go to “Getting started” and click connect on step 1
configure the Security Events
select "All Events" and click Update at the bottom

Now it is ready to start ingesting events, to configure which ones go to "Workspace Settings" and then to "Advanced Settings". Now start adding the Data sources you require.

Sysmon is not in the list by default, but just type "Microsoft-Windows-Sysmon/Operational" in the field and add it. Make sure to Save!

By now the data should be flowing into your instance. You can check this by going to Logs and use the following KQL query;

KQL Query, plus results

Parsing the data

Sadly these events are unparsed. There are two options now, parse them by hand, which I don't recommend ;). Or parse them by creating a function and use that in your future queries.

Fortunately the Azure team loves Sysmon like I do and they were so kind to provide a parsing KQL over here.

I have created a OSSEM mapped equivalent of that one, since I like the consistency in the field names, I also use it in my Splunk ThreatHunting app. This parsing KQL version is available here.

Copy the entire contents of the file and paste it in an empty query box, next click Save on the top right. Choose a name and alias name and save it as a function.

In some cases it can take a few minutes to become available, make sure to remember this :D It caused me some annoyance when testing this for the first time. So next test your new function in a new query window.

And there you go, properly parsed events! The only slight inconvenience is that the syntax autocomplete function is not working since these field names are not part of a Schema, there is no way known to me to address this at this moment. Given you know what you're looking for most of the time, you'll be fine without.

BlueTeamLabs

Blogging platform for the BlueTeamLabs GitHub repository

Olaf Hartong

Written by

Photographer | InfoSec | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon

BlueTeamLabs

Blogging platform for the BlueTeamLabs GitHub repository

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade