Collect Microsoft Windows Sysmon data
This document:
- describes the deployment architecture and installation steps, plus any required configuration, that produce logs supported by the Chronicle parser for Microsoft Windows Sysmon events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
- includes information about how the parser maps fields in the original log to Chronicle Unified Data Model fields.
Information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.
Before you begin
Review the recommended deployment architecture
This diagram represents the recommended core components in a deployment architecture to collect and send Microsoft Windows Sysmon data to Chronicle. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:
- Systems in the deployment architecture are configured with the UTC time zone.
- Sysmon is installed on servers, endpoints, and domain controllers.
- The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
Microsoft Windows systems in the deployment architecture use:
- Source Initiated Subscriptions to collect events across multiple devices.
- WinRM service for remote system management.
NXLog is installed on the collector Microsoft Windows server and forwards the logs to the Chronicle forwarder.
The Chronicle forwarder is installed on a central Microsoft Windows server or Linux server.
Review the supported devices and versions
The Chronicle parser supports logs generated by the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of the logs does not differ between editions.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
The Chronicle parser also supports logs generated by:
- Microsoft Windows 7 and higher client systems
- Sysmon version 13.24.
The Chronicle parser supports logs collected by NXLog Community Edition or NXLog Enterprise Edition.
Review the supported log types
The Chronicle parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. Only logs generated with English-language text are supported; logs generated in other languages are not.
Log Type | Description |
---|---|
Sysmon Logs | The Microsoft-Windows-Sysmon/Operational channel contains 27 Event Ids (Event Id 1 to 26, and 255). For a description of this log type, see the Microsoft Windows Sysmon Events documentation. |
Configure Microsoft Windows servers, endpoints, and domain controllers
- Install and configure Sysmon on the servers, endpoints, and domain controllers. For information, see the Microsoft Windows Sysmon Configuration documentation.
- Set up a collector Microsoft Windows server to receive the logs collected from multiple systems.
- Set up the central Microsoft Windows or Linux server.
- Configure all systems with the UTC time zone.
- Configure the devices to forward logs to the collector Microsoft Windows server.
- Configure Source Initiated Subscriptions on the Microsoft Windows systems. For information, see Setting up a Source Initiated Subscription.
- Enable WinRM on the Microsoft Windows servers and clients. For information, see Installation and configuration for Windows Remote Management.
Configure NXLog and Chronicle forwarder
- Install NXLog on the collector Microsoft Windows server. Follow the NXLog documentation, including the information about configuring NXLog to collect logs from Sysmon.
- Create a configuration file for NXLog that uses the im_msvistalog input module. The following is an example NXLog configuration. Replace the <hostname> and <port> values with the address of the destination central Microsoft Windows or Linux server and the port on which the Chronicle forwarder listens (10518 in the forwarder example below). For more information, see the NXLog documentation about the om_tcp module.

```
# Adjust ROOT if NXLog is installed in a different directory.
define ROOT C:\Program Files (x86)\nxlog
# The central server that runs the Chronicle forwarder, and the port its
# WINDOWS_SYSMON collector listens on.
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module im_msvistalog
    # Read only the Sysmon operational channel.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # ReadFromLast False reads the channel from its oldest event and SavePos
    # False discards the read position on shutdown, so every NXLog restart
    # resends the whole channel. That is useful for an initial backfill; for
    # steady-state operation set SavePos True so restarts do not duplicate events.
    ReadFromLast False
    SavePos False
</Input>

<Output out_chronicle_sysmon>
    # om_tcp sends events in clear text; use the om_ssl module instead if the
    # path between the collector and the forwarder is not trusted.
    Module om_tcp
    Host %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port %SYSMON_OUTPUT_DESTINATION_PORT%
    # NXLog datetimes convert to microseconds since the epoch; /1000 yields milliseconds.
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    # Serialize every field, including the Sysmon EventData fields, as one JSON line.
    Exec to_json();
</Output>

<Route r2>
    Path windows_sysmon_eventlog => out_chronicle_sysmon
</Route>
```

- Install the Chronicle forwarder on the central Microsoft Windows or Linux server. See Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.
- Configure the Chronicle forwarder to send logs to Chronicle. The following is an example forwarder configuration. The forwarder's syslog collector receives the newline-delimited JSON lines that the NXLog om_tcp output sends; data_type must be WINDOWS_SYSMON so that the Sysmon parser is applied, and the port in tcp_address must match the <port> value in the NXLog configuration.

```yaml
collectors:
  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60
```

- Start the NXLog service.
Field mapping reference: device event fields to UDM fields
This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping may differ by Event Id.
Common fields
NXLog field | UDM field |
---|---|
UtcTime | metadata.event_timestamp |
Category | security_result.summary and metadata.product_event_type |
AccountName | principal.user.userid |
Domain | principal.administrative_domain |
RecordNumber | metadata.product_log_id |
HostName | principal.hostname |
UserID | principal.user.windows_sid |
SeverityValue | security_result.severity |
EventID | security_result.rule_name set to "EventID: %{EventID}"; metadata.product_event_type set to "%{Category} [%{EventID}]" |
Event Id: 1
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_LAUNCH" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | target.process.pid |
Image | target.process.file.full_path |
Description | metadata.description |
CommandLine | target.process.command_line |
CurrentDirectory | src.file.full_path |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Hashes | The field populated is determined by the hash algorithm. |
ParentProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ParentProcessGuid>" |
ParentProcessId | principal.process.pid |
ParentImage | principal.process.file.full_path |
ParentCommandLine | principal.process.command_line |
Event Id: 2
NXLog field | UDM field |
---|---|
metadata.event_type set to "FILE_MODIFICATION" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value |
PreviousCreationUtcTime | target.resource.attribute.labels.key set to "PreviousCreationUtcTime" and value stored in target.resource.attribute.labels.value |
Event Id: 3
NXLog field | UDM field |
---|---|
metadata.event_type set to "NETWORK_CONNECTION"; security_result.action set to "ALLOW"; network.direction set to "OUTBOUND" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Protocol | network.ip_protocol |
SourceIp | principal.ip |
SourcePort | principal.port |
DestinationIp | target.ip |
DestinationHostname | target.hostname |
DestinationPort | target.port |
Event Id: 4
NXLog field | UDM field |
---|---|
metadata.event_type set to "SETTING_MODIFICATION"; target.resource.resource_type set to "SETTING"; target.resource.resource_subtype set to "State" | |
UtcTime | metadata.event_timestamp |
State | target.resource.name |
Version | metadata.product_version |
Event Id: 5
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_TERMINATION" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | target.process.pid |
Image | target.process.file.full_path |
Event Id: 6
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_MODULE_LOAD" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ImageLoaded | principal.process.file.full_path |
Hashes | The field populated is determined by the hash algorithm. |
Signed | target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value |
Event Id: 7
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_MODULE_LOAD" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
ImageLoaded | target.process.file.full_path |
Description | metadata.description |
Hashes | The field populated is determined by the hash algorithm. |
Signed | target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value |
Event Id: 8
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_MODULE_LOAD" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>" |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGuid | target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>" |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
Event Id: 9
NXLog field | UDM field |
---|---|
metadata.event_type set to "FILE_READ". If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, metadata.event_type is set to "GENERIC_EVENT" instead. | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
Device | target.file.full_path |
Event Id: 10
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_OPEN"; target.resource.resource_subtype set to "GrantedAccess" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGUID | principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGUID>" |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGUID | target.process.product_specific_process_id set to "SYSMON:<TargetProcessGUID>" |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
GrantedAccess | target.resource.name |
Event Id: 11
NXLog field | UDM field |
---|---|
metadata.event_type set to "FILE_CREATION"; target.resource.resource_subtype set to "CreationUtcTime" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.name |
Event Id: 12
NXLog field | UDM field |
---|---|
If the Message field contains "CreateKey" or "CreateValue", metadata.event_type is set to "REGISTRY_CREATION". If the Message field contains "DeleteKey" or "DeleteValue", metadata.event_type is set to "REGISTRY_DELETION". Otherwise, metadata.event_type is set to "REGISTRY_MODIFICATION". | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Event Id: 13
NXLog field | UDM field |
---|---|
metadata.event_type set to "REGISTRY_MODIFICATION" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Details | target.registry.registry_value_data |
Event Id: 14
NXLog field | UDM field |
---|---|
metadata.event_type set to "REGISTRY_MODIFICATION" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
TargetObject | src.registry.registry_key |
NewName | target.registry.registry_key |
Event Id: 15
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_CREATION | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value |
Hash | The field populated is determined by the hash algorithm. |
Event Id: 16
NXLog field | UDM field |
---|---|
metadata.event_type set to "SETTING_MODIFICATION" | |
UtcTime | metadata.event_timestamp |
ProcessID | target.process.pid |
Configuration | Stored in target.process.command_line when the value contains a command line or process; stored in target.process.file.full_path when the value contains the configuration file path. |
ConfigurationFileHash | The field populated is determined by the hash algorithm. |
Event Id: 17
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_UNCATEGORIZED"; target.resource.resource_type set to "PIPE" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | target.process.pid |
PipeName | target.resource.name |
Image | target.process.file.full_path |
Event Id: 18
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_UNCATEGORIZED"; target.resource.resource_type set to "PIPE" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | target.process.pid |
PipeName | target.resource.name |
Image | target.process.file.full_path |
Event Id: 19
NXLog field | UDM field |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
EventNamespace | target.file.full_path |
Name | target.application |
Query | target.resource.name |
Event Id: 20
NXLog field | UDM field |
---|---|
metadata.event_type set to "USER_RESOURCE_ACCESS" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Name | target.resource.attribute.labels.key set to "Name" and the value is stored in target.resource.attribute.labels.value |
Type | target.resource.attribute.labels.key set to "Type" and the value is stored in target.resource.attribute.labels.value |
Destination | target.resource.name |
Event Id: 21
NXLog field | UDM field |
---|---|
metadata.event_type set to "USER_RESOURCE_ACCESS" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Consumer | target.resource.attribute.labels.key set to "Consumer" and the value is stored in target.resource.attribute.labels.value |
Filter | target.resource.name |
Event Id: 22
NXLog field | UDM field |
---|---|
metadata.event_type set to "NETWORK_DNS"; network.application_protocol set to "DNS" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
QueryName | network.dns.questions |
QueryStatus | security_result.summary set to "Query Status: %{QueryStatus}" |
QueryResults | Each answer's type is stored in network.dns.answers.type and its data in network.dns.answers.data; answers are separated by a semicolon (;). Values that have no type are mapped to network.dns.answers.data only. |
Image | principal.process.file.full_path |
Event Id: 23
NXLog field | UDM field |
---|---|
metadata.event_type set to "FILE_DELETION" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | The field populated is determined by the hash algorithm. |
IsExecutable | Field target.resource.attribute.labels.key set to "IsExecutable" and the value is stored in target.resource.attribute.labels.value |
Archived | target.resource.attribute.labels.key set to "Archived" and the value is stored in target.resource.attribute.labels.value |
Event Id: 24
NXLog field | UDM field |
---|---|
metadata.event_type set to "RESOURCE_READ" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | target.process.file.full_path and target.resource.name |
ClientInfo | The ip value is stored in target.ip, the hostname value in target.hostname, and the user value in principal.user.userid |
Hashes | The field populated is determined by the hash algorithm. |
Archived | target.resource.attribute.labels.key set to "Archived" and value stored in target.resource.attribute.labels.value |
Event Id: 25
NXLog field | UDM field |
---|---|
metadata.event_type set to "PROCESS_LAUNCH" | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
Image | target.process.file.full_path |
Event Id: 26
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_DELETION | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
ProcessId | principal.process.pid |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on the hash algorithm: MD5 is stored in target.process.file.md5, SHA1 in target.process.file.sha1, and SHA256 in target.process.file.sha256 |
IsExecutable | target.resource.attribute.labels.key set to "IsExecutable" and the value is stored in target.resource.attribute.labels.value |
Event Id: 29
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_CREATION | |
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>". The ProcessGuid field is a unique value for this process across a domain, which makes event correlation easier. |
ProcessId | principal.process.pid |
User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | The field populated is determined by the hash algorithm. |
Event Id: 255
NXLog field | UDM field |
---|---|
metadata.event_type set to "SERVICE_UNSPECIFIED"; metadata.product_event_type set to "Error - [255]"; target.application set to "Microsoft Sysmon" | |
UtcTime | metadata.event_timestamp |
ID | security_result.summary |
Description | security_result.description |
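As an added, illustrative example (this is not the Chronicle parser, nor Sysmon or NXLog code), the following Python applies the Common fields table and the Event Id 1, 3, and 22 tables above to three constructed NXLog records. It assumes the record layout that NXLog's im_msvistalog input and to_json() produce: one JSON object per line with the Sysmon EventData fields at the top level (the hostname is accepted as either HostName, as in the tables, or Hostname, as NXLog names it). Two further assumptions are labelled in the code: a Sysmon RuleName other than "-" takes precedence over the "EventID: N" default for security_result.rule_name, and, because the Event Id 1 table leaves the hash target unspecified, hashes follow the Event Id 26 pattern into target.process.file. The records, GUIDs, hosts, and addresses are constructed; the hash values are the well-known digests of the empty string.

```python
"""Added example, not the Chronicle parser: apply the Common fields and Event Id 1,
3 and 22 tables to constructed NXLog records (one JSON object per line, as NXLog's
im_msvistalog + to_json() emit them, Sysmon EventData fields at the top level)."""
import json
import re
from datetime import datetime, timezone

# Constructed samples: GUIDs, hosts and IPs are made up; the hashes are the empty-string digests.
SAMPLE_NDJSON = r"""
{"EventID":1,"Category":"Process Create (rule: ProcessCreate)","RecordNumber":4711,"HostName":"ws01.corp.example","UtcTime":"2021-09-01 12:34:56.789","RuleName":"-","ProcessGuid":"{8c3e6a2f-1b2c-6130-0a00-000000001b00}","ProcessId":5120,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","User":"CORP\\alice","Hashes":"SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000","ParentProcessGuid":"{8c3e6a2f-1a00-6130-0900-000000001b00}","ParentProcessId":612,"ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE"}
{"EventID":3,"Category":"Network connection detected (rule: NetworkConnect)","RecordNumber":4712,"HostName":"ws01.corp.example","UtcTime":"2021-09-01 12:34:58.001","RuleName":"-","ProcessGuid":"{8c3e6a2f-1b2c-6130-0a00-000000001b00}","ProcessId":5120,"Image":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\alice","Protocol":"tcp","SourceIp":"10.20.30.40","SourcePort":51234,"DestinationIp":"93.184.216.34","DestinationHostname":"www.example.com","DestinationPort":443}
{"EventID":22,"Category":"Dns query (rule: DnsQuery)","RecordNumber":4713,"HostName":"ws01.corp.example","UtcTime":"2021-09-01 12:34:57.500","RuleName":"-","ProcessGuid":"{8c3e6a2f-1b2c-6130-0a00-000000001b00}","ProcessId":5120,"Image":"C:\\Windows\\System32\\cmd.exe","QueryName":"www.example.com","QueryStatus":"0","QueryResults":"type:  5 alias.example.net;::ffff:93.184.216.34;"}
"""

def _utc(utc_time):
    """Sysmon UtcTime ('2021-09-01 12:34:56.789') is already UTC; emit RFC 3339."""
    dt = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")

def _user(user):
    """User row: 'CORP\\alice' -> administrative_domain CORP, userid alice."""
    domain, sep, name = user.rpartition("\\")
    return {"principal.user.userid": name, **({"principal.administrative_domain": domain} if sep else {})}

def _hashes(hashes, prefix):
    """Hashes row: 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' -> <prefix>.md5/.sha1/.sha256;
    only MD5, SHA1 and SHA256 have UDM targets in the tables, so IMPHASH is dropped."""
    out = {}
    for alg, _, value in (p.partition("=") for p in hashes.split(",")):
        if alg.upper() in ("MD5", "SHA1", "SHA256"):
            out[f"{prefix}.{alg.lower()}"] = value.lower()
    return out

def _dns_answers(results):
    """QueryResults row: ';'-separated; 'type: N data' carries a type, a bare entry
    (here an IPv4-mapped IPv6 literal) is data only."""
    answers = []
    for entry in filter(None, (e.strip() for e in results.split(";"))):
        m = re.fullmatch(r"type:\s*(\d+)\s+(\S+)", entry)
        answers.append({"type": int(m.group(1)), "data": m.group(2)} if m else {"data": entry})
    return answers

def to_udm(rec):
    eid = int(rec["EventID"])
    udm = {  # Common fields table
        "metadata.event_timestamp": _utc(rec["UtcTime"]),
        "metadata.product_event_type": f"{rec['Category']} [{eid}]",
        "metadata.product_log_id": str(rec["RecordNumber"]),
        "principal.hostname": rec.get("HostName") or rec.get("Hostname"),
        "security_result.summary": rec["Category"],
        # Assumption: a real RuleName wins over "EventID: N"; Sysmon writes "-" when none is set.
        "security_result.rule_name": rec["RuleName"] if rec.get("RuleName", "-") != "-" else f"EventID: {eid}",
    }
    guid = f"SYSMON:{rec.get('ProcessGuid', '')}"
    if eid == 1:  # Event Id 1 table: the new process is target, its parent is principal
        udm.update({
            "metadata.event_type": "PROCESS_LAUNCH",
            "target.process.product_specific_process_id": guid, "target.process.pid": str(rec["ProcessId"]),
            "target.process.file.full_path": rec["Image"], "target.process.command_line": rec["CommandLine"],
            "principal.process.product_specific_process_id": f"SYSMON:{rec['ParentProcessGuid']}",
            "principal.process.pid": str(rec["ParentProcessId"]),
            "principal.process.file.full_path": rec["ParentImage"],
            "principal.process.command_line": rec["ParentCommandLine"],
        })
        udm.update(_user(rec["User"]))
        # Assumption: the table leaves the hash target unspecified for Event Id 1;
        # this follows the Event Id 26 pattern onto target.process.file.
        udm.update(_hashes(rec["Hashes"], "target.process.file"))
    elif eid == 3:  # Event Id 3 table
        udm.update({
            "metadata.event_type": "NETWORK_CONNECTION", "security_result.action": "ALLOW",
            "network.direction": "OUTBOUND", "network.ip_protocol": rec["Protocol"].upper(),
            "principal.process.product_specific_process_id": guid, "principal.process.pid": str(rec["ProcessId"]),
            "principal.process.file.full_path": rec["Image"],
            "principal.ip": rec["SourceIp"], "principal.port": int(rec["SourcePort"]),
            "target.ip": rec["DestinationIp"], "target.port": int(rec["DestinationPort"]),
            "target.hostname": rec["DestinationHostname"],
        })
        udm.update(_user(rec["User"]))
    elif eid == 22:  # Event Id 22 table; QueryStatus replaces the Category summary
        udm.update({
            "metadata.event_type": "NETWORK_DNS", "network.application_protocol": "DNS",
            "principal.process.product_specific_process_id": guid, "principal.process.pid": str(rec["ProcessId"]),
            "principal.process.file.full_path": rec["Image"],
            "network.dns.questions": [{"name": rec["QueryName"]}],
            "network.dns.answers": _dns_answers(rec["QueryResults"]),
            "security_result.summary": f"Query Status: {rec['QueryStatus']}",
        })
    else:  # Event Ids this example does not model
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm

def map_samples():
    """Parse the constructed NDJSON and return {EventID: udm_dict}."""
    return {int(r["EventID"]): to_udm(r) for r in map(json.loads, SAMPLE_NDJSON.strip().splitlines())}

if __name__ == "__main__":
    print(json.dumps(map_samples(), indent=2))
```

Running the file prints the three mapped records. The two helpers worth keeping at hand when writing detections over this data are _hashes and _dns_answers: Sysmon's Hashes and QueryResults fields are the only ones in the tables that do not map one to one onto a UDM field, and both carry more algorithms or answer types than the tables give a destination for.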