Sysmon from Sysinternals is a very powerful Host-level tracing tool, which can assist you in detecting advanced threats on your network. In contrast to common Antivirus/HIDS solutions, Sysmon performs system activity deep monitoring, and log high-confidence indicators of advanced attacks. Sysmon is using a device driver and a service that is running in the background and loads very early in the boot process. Sysmon monitors the following activities:
Some of these events can be gathered up by enabling Windows built-in auditing, yet the detail level provided by Sysmon is much higher.
When it comes to analysis, Sysmon doesn’t provide any; you can use other tools to visualize and investigate the raw events, for example: SIEM, Microsoft SCOM, Splunk and Azure OMS.
For Workstations and large deployments it is advisable / preferable to utilise Windows Event Forwarding to gather the relevant logs rather than use direct Collection. Configuration of Windows Event Forwarding is out of scope of this document. More information can be found within the HPE ArcSight SmartConnector for Windows Native documentation and Windows Event Log Forwarding guidance from Microsoft (see references in the installation document)
This FlexConnector facilitates the extraction and categorisation of the “Microsoft-Windows-Sysmon/Operational” Windows Event Log using HPE ArcSight Windows Native SmartConnector
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox