Collect Microsoft Windows Sysmon data

This document:

  • describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Chronicle Parser for Microsoft Windows Sysmon events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
  • includes information about how the parser maps fields in the original log to Chronicle Unified Data Model fields.

Information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

This diagram represents the recommended core components in a deployment architecture to collect and send Microsoft Windows Sysmon data to Chronicle. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

  • Systems in the deployment architecture are configured with the UTC time zone.
  • Sysmon is installed on servers, endpoints, and domain controllers.
  • The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.

  • Microsoft Windows systems in the deployment architecture use:

    • Source Initiated Subscriptions to collect events across multiple devices.
    • WinRM service for remote system management.

  • NXLog is installed on the collector Window server to forward logs to Chronicle forwarder.

  • Chronicle forwarder is installed on a central Microsoft Windows server or Linux server.

    Deployment archtecture

Review the supported devices and versions

The Chronicle parser supports logs generated by the following Microsoft Windows server versions. Microsoft Windows Server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition does not differ.

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

Chronicle parser supports logs generated by:

  • Microsoft Windows 7 and higher client systems
  • Sysmon version 13.24.

Chronicle parser supports logs collected by NXLog Community or Enterprise Edition.

Review the supported log types

The Chronicle parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.

Log Type Description
Sysmon Logs Sysmon channel contains 27 Event Ids. (Event Id: 1 to 26, and 255).
For a description of this log type, see the Microsoft Windows Sysmon Events documentation

Configure Microsoft Windows servers, endpoints, and domain controllers

  1. Install and configure the servers, endpoints, and domain controllers. For information, see Microsoft Windows Sysmon Configuration documentation.
  2. Set up a collector Microsoft Windows server to parse the collected logs from multiple systems.
  3. Set up the central Microsoft Windows or Linux server
  4. Configure all systems with the UTC time zone.
  5. Configure the devices to forward logs to the collector Microsoft Windows server.

Configure NXLog and Chronicle forwarder

  1. Install NXLog on the collector Microsoft Windows server. Follow the NXLog documentation, including information about configuring NXLog to collect logs from Sysmon.

  2. Create a configuration file for NXLog. Use the im_msvistalog input module. Here is an example NXLog configuration. Replace <hostname> and <port> values with information about the destination central Microsoft Windows or Linux server. For more information, see NXLog documentation about the om_tcp module.

    define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False 
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

  3. Install the Chronicle forwarder on the central Microsoft Windows or Linux server. See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

  4. Configure the Chronicle forwarder to send logs to Chronicle. Here is an example forwarder configuration.

      - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

  5. Start the NXLog service.

Field mapping reference: device event fields to UDM fields

This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping may differ by Event Id.

Common fields

NXLog field UDM field
UtcTime metadata.event_timestamp
Category security_result.summary and metadata.product_event_type
AccountName principal.user.userid
Domain principal.administrative_domain
RecordNumber metadata.product_log_id
HostName principal.hostname
UserID principal.user.windows_sid
SeverityValue security_result.severity
EventID security_result.rule_name set to "EventID: %{EventID}"

metadata.product_event_type set to "%{Category} [%{EventID}]"

Event Id: 1

NXLog field UDM field
metadata.event_type set to "PROCESS_LAUNCH"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId target.process.pid
Image target.process.file.full_path
Description metadata.description
CommandLine target.process.command_line
CurrentDirectory src.file.full_path
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid
Hashes Based on Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
ParentProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ParentProcessGuid>"
ParentProcessId principal.process.pid
ParentImage principal.process.file.full_path
ParentCommandLine principal.process.command_line

Event Id: 2

NXLog field UDM field
metadata.event_type set to "FILE_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value
PreviousCreationUtcTime target.resource.attribute.labels.key set to "PreviousCreationUtcTime" and value stored in target.resource.attribute.labels.value

Event Id: 3

NXLog field UDM field
metadata.event_type set to "NETWORK_CONNECTION"

security_result.action set to "ALLOW"

network.direction" set to "OUTBOUND"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid"
Protocol network.ip_protocol
SourceIp principal.ip
SourcePort principal.port
DestinationIp target.ip
DestinationHostname target.hostname
DestinationPort target.port

Event Id: 4

NXLog field UDM field
metadata.event_type set to "SETTING_MODIFICATION"

target.resource.resource_type set to "SETTING"

resource.resource_subtype set to "State"
UtcTime metadata.event_timestamp
State target.resource.name
Version metadata.product_version

Event Id: 5

NXLog field UDM field
metadata.event_type set to "PROCESS_TERMINATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>
ProcessId target.process.pid
Image target.process.file.full_path

Event Id: 6

NXLog field UDM field
metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ImageLoaded principal.process.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to "Signed" and value set to target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value

Event Id: 7

NXLog field UDM field
metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>
ProcessId principal.process.pid
Image principal.process.file.full_path
ImageLoaded target.process.file.full_path
Description metadata.description
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to "Signature"
Signature value in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value

Event Id: 8

NXLog field UDM field
metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGuid principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>"
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGuid target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>"
TargetProcessId target.process.pid
TargetImage target.process.file.full_path

Event Id: 9

NXLog field UDM field
metadata.event_type set to "FILE_READ"

If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, then metadata.event_type is set to "GENERIC_EVENT".

RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>
ProcessId principal.process.pid
Image principal.process.file.full_path
Device target.file.full_path

Event Id: 10

NXLog field UDM field
metadata.event_type set to "PROCESS_OPEN"

target.resource.resource_subtype set to "GrantedAccess"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGUID principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>"
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGUID target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>"
TargetProcessId target.process.pid
TargetImage target.process.file.full_path
GrantedAccess target.resource.name

Event Id: 11

NXLog field UDM field
metadata.event_type set to "FILE_CREATION"

target.resource.resource_subtype set to "CreationUtcTime"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.name

Event Id: 12

NXLog field UDM field
If the Message the field contains "CreateKey|CreateValue", then metadata.event_type set to "REGISTRY_CREATION"

If the Message field contains "DeleteKey|DeleteValue", then
metadata.event_type set to REGISTRY_DELETION

Otherwise, metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetObject target.registry.registry_key

Event Id: 13

NXLog field UDM field
metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetObject target.registry.registry_key
Details target.registry.registry_value_data

Event Id: 14

NXLog field UDM field
metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetObject src.registry.registry_key
NewName target.registry.registry_key

Event Id: 15

NXLog field UDM field
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value
Hash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

Event Id: 16

NXLog field UDM field
metadata.event_type set to "SETTING_MODIFICATION"
UtcTime metadata.event_timestamp
ProcessID target.process.pid
Configuration The value is stored in target.process.command_line when this field value contains any command line or process

The value is stored in target.process.file.full_path when this field value contains the configuration file path.
ConfigurationFileHash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

Event Id: 17

NXLog field UDM field
metadata.event_type set to "PROCESS_UNCATEGORIZED"

target.resource.resource_type set to "PIPE"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId target.process.pid
PipeName target.resource.name
Image target.process.file.full_path

Event Id: 18

NXLog field UDM field
metadata.event_type set to "PROCESS_UNCATEGORIZED"

target.resource.resource_type set to "PIPE"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId target.process.pid
PipeName target.resource.name
Image target.process.file.full_path

Event Id: 19

NXLog field UDM field
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation
User The Domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
EventNamespace target.file.full_path
Name target.application
Query target.resource.name

Event Id: 20

NXLog field UDM field
metadata.event_type set to "USER_RESOURCE_ACCESS"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
Name target.resource.attribute.labels.key set to "Name"
Name value in target.resource.attribute.labels.value
Type target.resource.attribute.labels.key set to "Type" and the value is stored in target.resource.attribute.labels.value
Destination target.resource.name

Event Id: 21

NXLog field UDM field
metadata.event_type set to "USER_RESOURCE_ACCESS"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The username is stored in principal.user.userid
Consumer target.resource.attribute.labels.key set to "Consumer" and the value is stored in target.resource.attribute.labels.value
Filter target.resource.name

Event Id: 22

NXLog field UDM field
metadata.event_type set to "NETWORK_DNS"

network.application_protocol set to "DNS"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
QueryName network.dns.questions
QueryStatus Stored in security_result.summary as "Query Status: "
QueryResults Type is saved to network.dns.answers.type with values separated by a semicolon (;)
Data is saved to network.dns.answers.data
Values that do not have type are mapped to network.dns.answers.data.
Image principal.process.file.full_path

Event Id: 23

NXLog field UDM field
metadata.event_type set to "FILE_DELETION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
User Domain stored into principal.administrative_domain

Username stored in principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 set to target.process.file.md5
  • SHA256 set to target.process.file.sha256
  • SHA1 set to target.process.file.sha1
IsExecutable Field target.resource.attribute.labels.key set to "IsExecutable" and the value is stored in target.resource.attribute.labels.value
Archived target.resource.attribute.labels.key set to "Archived" and the value is stored in target.resource.attribute.labels.value

Event Id: 24

NXLog field UDM field
metadata.event_type set to "RESOURCE_READ"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image target.process.file.full_path

target.resource.name
ClientInfo ip stored in target.ip
hostname stored in target.hostname
user stored in principal.user.userid
Hashes The field populated is determined by the Hash algorithm.
  • If MD5, value stored in target.process.file.md5
  • If SHA256, value stored in target.process.file.sha256
  • If SHA1, value stored in target.process.file.sha1
Archived target.resource.attribute.labels.key set to "Archived" and value stored in target.resource.attribute.labels.value

Event Id: 25

NXLog field UDM field
metadata.event_type set to "PROCESS_LAUNCH"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id stored as "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image target.process.file.full_path

Event Id: 26

NXLog field UDM field
metadata.event_type set to FILE_DELETION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:%{ProcessGuid}
ProcessId principal.process.pid
User Domain set to principal.administrative_domain

Username set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on Hash algorithm.
MD5 set to target.process.file.md5
SHA256 set to target.process.file.sha256
SHA1 set to target.process.file.sha1
IsExecutable target.resource.attribute.labels.key set to "IsExecutable" & value in target.resource.attribute.labels.value

Event Id: 29

NXLog field UDM field
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id is set to "SYSMON:PROCESS_GUID" PROCESS_GUID is the ProcessGuid. The ProcessGuid field is a unique value for this process across a domain to make event correlation easier.
ProcessId principal.process.pid
User Domain is set to principal.administrative_domain

Username is set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on the hash algorithm, the following values are set:
  • MD5 is set to target.process.file.md5
  • SHA256 is set to target.process.file.sha256
  • SHA1 is set to target.process.file.sha1

Event Id: 255

NXLog field UDM field
metadata.event_type set to SERVICE_UNSPECIFIED

metadata.product_event_type set to "Error - [255]"

target.application set to "Microsoft Sysmon"
UtcTime metadata.event_timestamp
ID security_result.summary
Description security_result.description