
Collect Microsoft Windows Sysmon data

This document:

  • describes the deployment architecture, installation steps, and all required configuration that produces logs supported by the Chronicle parser for Microsoft Windows Sysmon events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
  • explains how the parser maps fields in the original log to fields in the Chronicle Unified Data Model.

The information in this document applies to the parser with the ingestion label WINDOWS_SYSMON. The ingestion label identifies which parser normalizes raw log data to the structured UDM format.

Note

This diagram shows the recommended core components of a deployment architecture for collecting Microsoft Windows Sysmon data and sending it to Chronicle. Compare this information with your environment to make sure these components are installed. Every customer deployment differs from this representation and may be more complex. The following is required:

  • Systems in the deployment architecture are configured with the UTC time zone.
  • Sysmon is installed on servers, endpoints, and domain controllers.
  • The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
  • Microsoft Windows systems in the deployment architecture use the following:

    • Source-initiated subscriptions to collect events from multiple devices.
    • The WinRM service for remote system management.
  • NXLog is installed on the collector Windows server to forward logs to the Chronicle forwarder.

  • The Chronicle forwarder is installed on a central Microsoft Windows server or a Linux server.

    [Figure: Deployment architecture]

Supported devices and versions

The Chronicle parser supports logs generated by the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of the logs generated by each edition does not differ.

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

Chronicle parsers support logs created by:

  • Microsoft Windows 7 and later
  • Sysmon version 13.24.

Chronicle parsers support logs collected by the NXLog Community or Enterprise Edition.

Supported log types

The Chronicle parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. The parser supports logs written in English and does not support logs generated in other languages.

| Log type | Description |
|---|---|
| Sysmon logs | The Sysmon channel contains 27 event IDs (event IDs 1 through 26, and 255). For a description of this log type, see the Microsoft Windows Sysmon events documentation. |

Configure Microsoft Windows servers, endpoints, and domain controllers

  1. Install and configure servers, endpoints, and domain controllers. For more information, see the Microsoft Windows Sysmon configuration documentation.
  2. Set up a Microsoft Windows collector server to parse the logs collected from multiple systems.
  3. Set up a central Microsoft Windows or Linux server.
  4. Configure all systems with the UTC time zone.
  5. Configure the devices to forward logs to the collector Microsoft Windows server.

Configure NXLog and the Chronicle forwarder

  1. Install NXLog on the collector Microsoft Windows server. Follow the NXLog documentation, including the information on configuring NXLog to collect logs from Sysmon.
  2. Create a configuration file for NXLog. Use the im_msvistalog input module. The following is an example NXLog configuration. Replace the <hostname> and <port> values with the details of the target Microsoft Windows or Linux server. For more information, see the NXLog documentation for the om_tcp module.

    # Installation root; adjust if NXLog is installed elsewhere.
    define ROOT     C:\Program Files (x86)\nxlog
    # Address and port of the server running the Chronicle forwarder.
    define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
    define SYSMON_OUTPUT_DESTINATION_PORT <port>
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    <Extension _json>
        Module      xm_json
    </Extension>
    
    # Read only the Sysmon operational channel from the Windows event log.
    <Input windows_sysmon_eventlog>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        # Start at the beginning of the channel and do not persist the read position across restarts.
        ReadFromLast  False
        SavePos  False
    </Input>
    
    # Send each event as one JSON record over TCP to the Chronicle forwarder.
    <Output out_chronicle_sysmon>
        Module      om_tcp
        Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
        Port        %SYSMON_OUTPUT_DESTINATION_PORT%
        # integer() on a datetime field yields microseconds since the epoch; convert to milliseconds.
        Exec        $EventTime = integer($EventTime) / 1000;
        Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec        to_json();
    </Output>
    
    <Route r2>
        Path    windows_sysmon_eventlog => out_chronicle_sysmon
    </Route>
    
  3. Install the Chronicle forwarder on the central Microsoft Windows or Linux server. For information about installing and configuring the forwarder, see Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows.

  4. Configure the Chronicle forwarder to send logs to Chronicle. The following is an example forwarder configuration.

      # Listens on TCP port 10518 for the records NXLog's om_tcp output sends.
      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_SYSMON
            data_hint:
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    
  5. Start the NXLog service.
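The following Python script is an added example and is not part of the Chronicle or NXLog documentation. It checks a batch of records in the shape the NXLog output above produces (one JSON object per line, with EventTime and EventReceivedTime converted to milliseconds) and reports records that would not arrive as expected for the WINDOWS_SYSMON feed: a non-Sysmon channel, an event ID outside 1 to 26 and 255, a missing core field, or a timestamp that is still in microseconds because the integer()/1000 conversion did not run. The sample lines are constructed, and the core field names (EventTime, EventReceivedTime, Hostname, Channel, EventID, RecordNumber) are assumed from NXLog's im_msvistalog module.

```python
import json
from collections import Counter

# Constructed sample batch shaped like NXLog im_msvistalog output after the om_tcp
# Exec lines (timestamps in milliseconds, one to_json() record per line).
# Line 3 is deliberately wrong: its timestamps are still in microseconds, as they
# would be if the integer()/1000 Exec lines were missing. Line 4 is from the wrong channel.
SAMPLE_BATCH = "\n".join([
    '{"EventTime": 1700000000123, "EventReceivedTime": 1700000000456, '
    '"Hostname": "ws01.example.test", "Channel": "Microsoft-Windows-Sysmon/Operational", '
    '"EventID": 1, "RecordNumber": 101, "Category": "Process Create (rule: ProcessCreate)", '
    '"UtcTime": "2023-11-14 22:13:20.123"}',
    '{"EventTime": 1700000001000, "EventReceivedTime": 1700000001200, '
    '"Hostname": "ws01.example.test", "Channel": "Microsoft-Windows-Sysmon/Operational", '
    '"EventID": 3, "RecordNumber": 102, "Category": "Network connection detected (rule: NetworkConnect)"}',
    '{"EventTime": 1700000002000000, "EventReceivedTime": 1700000002000000, '
    '"Hostname": "ws02.example.test", "Channel": "Microsoft-Windows-Sysmon/Operational", '
    '"EventID": 255, "RecordNumber": 7, "Category": "Error"}',
    '{"EventTime": 1700000003000, "EventReceivedTime": 1700000003100, '
    '"Hostname": "ws03.example.test", "Channel": "Security", '
    '"EventID": 4624, "RecordNumber": 9000, "Category": "Logon"}',
])

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
SUPPORTED_EVENT_IDS = set(range(1, 27)) | {255}
REQUIRED_FIELDS = ("EventTime", "EventReceivedTime", "Hostname", "Channel", "EventID", "RecordNumber")
# A millisecond epoch value has 13 digits; anything above 1e14 is microseconds or
# larger, meaning the integer()/1000 conversion in the NXLog output did not run.
MAX_PLAUSIBLE_MS = 10**14


def check_record(line):
    """Return the list of problems found in one NXLog JSON line (empty when it is fine)."""
    problems = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    for field in REQUIRED_FIELDS:
        if field not in rec:
            problems.append(f"missing field {field}")
    if rec.get("Channel") != SYSMON_CHANNEL:
        problems.append(f"unexpected channel {rec.get('Channel')!r}")
    if rec.get("EventID") not in SUPPORTED_EVENT_IDS:
        problems.append(f"event ID {rec.get('EventID')!r} not in the Sysmon set (1-26, 255)")
    for ts_field in ("EventTime", "EventReceivedTime"):
        value = rec.get(ts_field)
        if not isinstance(value, int):
            problems.append(f"{ts_field} is not an integer")
        elif value > MAX_PLAUSIBLE_MS:
            problems.append(f"{ts_field} looks like microseconds, not milliseconds")
    return problems


def summarize_batch(batch):
    """Count clean records per EventID and collect the problems of the others, keyed by line number."""
    per_event = Counter()
    problems = {}
    for lineno, line in enumerate(batch.splitlines(), start=1):
        if not line.strip():
            continue
        found = check_record(line)
        if found:
            problems[lineno] = found
        else:
            per_event[json.loads(line)["EventID"]] += 1
    return {"ok": not problems, "per_event_id": dict(per_event), "problems": problems}


if __name__ == "__main__":
    # Replace SAMPLE_BATCH with lines captured from the forwarder's TCP listener.
    print(json.dumps(summarize_batch(SAMPLE_BATCH), indent=2))
```

Run it against a short capture of what the forwarder actually receives before relying on the feed: an empty problems map confirms the channel filter and the timestamp conversion in the NXLog configuration are in effect, and the per-event-ID counts show which Sysmon event types the endpoints are actually producing.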

Field mapping reference: device event fields to UDM fields

This section describes how the parser maps the original device log fields to Unified Data Model (UDM) fields. The field mapping can differ depending on the event ID.

Common fields

| NXLog field | UDM field |
|---|---|
| UtcTime | metadata.event_timestamp |
| Category | security_result.summary and metadata.product_event_type |
| AccountName | principal.user.userid |
| Domain | principal.administrative_domain |
| RecordNumber | metadata.product_id |
| Hostname | principal.hostname |
| UserID | principal.user.windows_sid |
| Severity | security_result.severity |
| EventID | security_result.rule_name set to "EventID: %{EventID}"; metadata.product_event_type set to "%{Category} [%{EventID}]" |

Event ID: 1

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_LAUNCH" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | target.process.pid |
| Image | target.process.file.full_path |
| Description | metadata.description |
| CommandLine | target.process.command_line |
| CurrentDirectory | src.file.full_path |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Hashes | The field populated is determined by the hash algorithm: MD5 stored in target.process.file.md5, SHA256 in target.process.file.sha256, SHA1 in target.process.file.sha1 |
| ParentProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ParentProcessGuid>" |
| ParentProcessId | principal.process.pid |
| ParentImage | principal.process.file.full_path |
| ParentCommandLine | principal.process.command_line |

Event ID: 2

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "FILE_MODIFICATION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value |
| PreviousCreationUtcTime | target.resource.attribute.labels.key set to "PreviousCreationUtcTime" and value stored in target.resource.attribute.labels.value |

Event ID: 3

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "NETWORK_CONNECTION"; security_result.action set to "ALLOW"; network.direction set to "OUTBOUND" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Protocol | network.ip_protocol |
| SourceIp | principal.ip |
| SourcePort | principal.port |
| DestinationIp | target.ip |
| DestinationHostname | target.hostname |
| DestinationPort | target.port |

Event ID: 4

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "SETTING_MODIFICATION"; target.resource.resource_type set to "SETTING"; resource.resource_subtype set to "State" |
| UtcTime | metadata.event_timestamp |
| State | target.resource.name |
| Version | metadata.product_version |

Event ID: 5

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_TERMINATION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | target.process.pid |
| Image | target.process.file.full_path |

Event ID: 6

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_MODULE_LOAD" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ImageLoaded | principal.process.file.full_path |
| Hashes | The field populated is determined by the hash algorithm: MD5 stored in target.process.file.md5, SHA256 in target.process.file.sha256, SHA1 in target.process.file.sha1 |
| Signed | target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value |
| Signature | target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value |
| SignatureStatus | target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value |

Event ID: 7

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_MODULE_LOAD" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| ImageLoaded | target.process.file.full_path |
| Description | metadata.description |
| Hashes | The field populated is determined by the hash algorithm: MD5 stored in target.process.file.md5, SHA256 in target.process.file.sha256, SHA1 in target.process.file.sha1 |
| Signed | target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value |
| Signature | target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value |
| SignatureStatus | target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value |

Event ID: 8

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_MODULE_LOAD" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| SourceProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>" |
| SourceProcessId | principal.process.pid |
| SourceImage | principal.process.file.full_path |
| TargetProcessGuid | target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>" |
| TargetProcessId | target.process.pid |
| TargetImage | target.process.file.full_path |

Event ID: 9

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "FILE_READ". If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, metadata.event_type is set to "GENERIC_EVENT". |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| Device | target.file.full_path |

Event ID: 10

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_OPEN"; target.resource.resource_subtype set to "GrantedAccess" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| SourceProcessGUID | principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>" |
| SourceProcessId | principal.process.pid |
| SourceImage | principal.process.file.full_path |
| TargetProcessGUID | target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>" |
| TargetProcessId | target.process.pid |
| TargetImage | target.process.file.full_path |
| GrantedAccess | target.resource.name |

Event ID: 11

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "FILE_CREATION"; target.resource.resource_subtype set to "CreationUtcTime" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.name |

Event ID: 12

| NXLog field | UDM field |
|---|---|
| | If the Message field contains "CreateKey|CreateValue", metadata.event_type is set to "REGISTRY_CREATION". If the Message field contains "DeleteKey|DeleteValue", metadata.event_type is set to "REGISTRY_DELETION". Otherwise, metadata.event_type is set to "REGISTRY_MODIFICATION". |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| TargetObject | target.registry.registry_key |

Event ID: 13

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "REGISTRY_MODIFICATION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| TargetObject | target.registry.registry_key |
| Details | target.registry.registry_value_data |

Event ID: 14

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "REGISTRY_MODIFICATION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| TargetObject | src.registry.registry_key |
| NewName | target.registry.registry_key |

Event ID: 15

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "FILE_CREATION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value |
| Hash | The field populated is determined by the hash algorithm: if MD5, the value is stored in target.process.file.md5; if SHA256, in target.process.file.sha256; if SHA1, in target.process.file.sha1 |

Event ID: 16

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "SETTING_MODIFICATION" |
| UtcTime | metadata.event_timestamp |
| ProcessID | target.process.pid |
| Configuration | The value is stored in target.process.command_line when it contains a command line or process; it is stored in target.process.file.full_path when it contains the configuration file path. |
| ConfigurationFileHash | The field populated is determined by the hash algorithm: if MD5, the value is stored in target.process.file.md5; if SHA256, in target.process.file.sha256; if SHA1, in target.process.file.sha1 |

Event ID: 17

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_UNCATEGORIZED"; target.resource.resource_type set to "PIPE" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | target.process.pid |
| PipeName | target.resource.name |
| Image | target.process.file.full_path |

Event ID: 18

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_UNCATEGORIZED"; target.resource.resource_type set to "PIPE" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | target.process.pid |
| PipeName | target.resource.name |
| Image | target.process.file.full_path |

Event ID: 19

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "USER_RESOURCE_ACCESS" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | |
| User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
| EventNamespace | target.file.full_path |
| Name | target.application |
| Query | target.resource.name |

Event ID: 20

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "USER_RESOURCE_ACCESS" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | target.resource.attribute.labels.key set to "Operation" and the value stored in target.resource.attribute.labels.value |
| User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
| Name | target.resource.attribute.labels.key set to "Name" and the value stored in target.resource.attribute.labels.value |
| Type | target.resource.attribute.labels.key set to "Type" and the value stored in target.resource.attribute.labels.value |
| Destination | target.resource.name |

Event ID: 21

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "USER_RESOURCE_ACCESS" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | target.resource.attribute.labels.key set to "Operation" and the value stored in target.resource.attribute.labels.value |
| User | The domain is stored in principal.administrative_domain; the username is stored in principal.user.userid |
| Consumer | target.resource.attribute.labels.key set to "Consumer" and the value stored in target.resource.attribute.labels.value |
| Filter | target.resource.name |

Event ID: 22

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "NETWORK_DNS"; network.application_protocol set to "DNS" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| QueryName | network.dns.questions |
| QueryStatus | Stored in security_result.summary as "Query Status: " |
| QueryResults | The type is saved to network.dns.answers.type, with values separated by a semicolon (;); the data is saved to network.dns.answers.data; values that have no type are mapped to network.dns.answers.data. |
| Image | principal.process.file.full_path |

Event ID: 23

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "FILE_DELETION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | The field populated is determined by the hash algorithm: MD5 stored in target.process.file.md5, SHA256 in target.process.file.sha256, SHA1 in target.process.file.sha1 |
| IsExecutable | target.resource.attribute.labels.key set to "IsExecutable" and the value stored in target.resource.attribute.labels.value |
| Archived | target.resource.attribute.labels.key set to "Archived" and the value stored in target.resource.attribute.labels.value |

Event ID: 24

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "RESOURCE_READ" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | target.process.file.full_path; also stored in target.resource.name |
| ClientInfo | ip stored in target.ip; hostname stored in target.hostname; user stored in principal.user.userid |
| Hashes | The field populated is determined by the hash algorithm: if MD5, the value is stored in target.process.file.md5; if SHA256, in target.process.file.sha256; if SHA1, in target.process.file.sha1 |
| Archived | target.resource.attribute.labels.key set to "Archived" and the value stored in target.resource.attribute.labels.value |

Event ID: 25

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "PROCESS_LAUNCH" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| Image | target.process.file.full_path |

Event ID: 26

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "FILE_DELETION" |
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>" |
| ProcessId | principal.process.pid |
| User | Domain stored in principal.administrative_domain; username stored in principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | The field populated is determined by the hash algorithm: MD5 stored in target.process.file.md5, SHA256 in target.process.file.sha256, SHA1 in target.process.file.sha1 |
| IsExecutable | target.resource.attribute.labels.key set to "IsExecutable" and the value stored in target.resource.attribute.labels.value |

Event ID: 255

| NXLog field | UDM field |
|---|---|
| | metadata.event_type set to "SERVICE_UNSPECIFIED"; metadata.product_event_type set to "Error - [255]"; target.application set to "Microsoft Sysmon" |
| UtcTime | metadata.event_timestamp |
| ID | security_result.summary |
| Description | security_result.description |
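As an added example, not Chronicle's parser code, the following Python function applies the mapping rules from the common table and from the Event ID 1, 12 and 22 tables above to NXLog-style records: the "SYSMON:<ProcessGuid>" prefixing, the Hashes field split per algorithm, the User value split into administrative domain and user ID, the Message-based event type choice for Event ID 12, and the QueryResults split into typed and untyped DNS answers. The sample records are constructed (the digests are the well-known hashes of empty input), and the flat dotted-key output, the one-object questions list and the fallback to "EventID: N" when RuleName is absent are assumptions of this example.

```python
import re

# Constructed NXLog-style Sysmon records (field names as in the mapping tables).
SAMPLE_EVENTS = [
    {"EventID": 1, "Category": "Process Create (rule: ProcessCreate)", "RuleName": "-",
     "UtcTime": "2023-11-14 22:13:20.123", "ProcessGuid": "{a1b2c3d4-0001-0000-0000-000000000001}",
     "ProcessId": 4242, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt", "User": "CORP\\alice",
     "Hashes": "SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,MD5=d41d8cd98f00b204e9800998ecf8427e,"
               "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "ParentProcessGuid": "{a1b2c3d4-0000-0000-0000-000000000000}", "ParentProcessId": 1000,
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 12, "Category": "Registry object added or deleted (rule: RegistryEvent)",
     "RuleName": "-", "UtcTime": "2023-11-14 22:14:00.000",
     "ProcessGuid": "{a1b2c3d4-0002-0000-0000-000000000002}", "ProcessId": 5151,
     "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\Key",
     "Message": "Registry object added or deleted:\r\nEventType: DeleteKey\r\nTargetObject: HKLM\\SOFTWARE\\Example\\Key"},
    {"EventID": 22, "Category": "Dns query (rule: DnsQuery)", "RuleName": "-",
     "UtcTime": "2023-11-14 22:15:00.000", "ProcessGuid": "{a1b2c3d4-0003-0000-0000-000000000003}",
     "ProcessId": 6161, "Image": "C:\\Windows\\System32\\curl.exe", "QueryName": "example.test",
     "QueryStatus": "0", "QueryResults": "type: 5 alias.example.test;::ffff:192.0.2.10;"},
]


def split_user(user):
    """'DOMAIN\\name' -> (domain, name); a bare name has no domain."""
    domain, sep, name = user.rpartition("\\")
    return (domain if sep else None, name)


def parse_hashes(hashes):
    """'SHA1=..,MD5=..' -> {'sha1': .., 'md5': ..}; only the algorithms the tables list are kept."""
    out = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        algo = algo.strip().lower()
        if sep and algo in ("md5", "sha1", "sha256"):
            out[algo] = value.strip().lower()
    return out


def parse_dns_answers(results):
    """Split QueryResults on ';' into answers; 'type: N value' gets a type, anything else is data only."""
    answers = []
    for seg in filter(None, (s.strip() for s in results.split(";"))):
        m = re.fullmatch(r"type:\s*(\d+)\s+(.*)", seg)
        answers.append({"type": int(m.group(1)), "data": m.group(2)} if m else {"data": seg})
    return answers


def registry_event_type(message):
    """Event ID 12 rule: creation and deletion are recognised from the Message text."""
    if re.search(r"CreateKey|CreateValue", message):
        return "REGISTRY_CREATION"
    if re.search(r"DeleteKey|DeleteValue", message):
        return "REGISTRY_DELETION"
    return "REGISTRY_MODIFICATION"


def to_udm(rec):
    """Map one record to flat dotted UDM keys for event IDs 1, 12 and 22; other IDs get only the common fields."""
    eid = rec["EventID"]
    guid = f"SYSMON:{rec.get('ProcessGuid', '')}"
    udm = {
        "metadata.event_timestamp": rec.get("UtcTime"),
        "metadata.product_event_type": f"{rec.get('Category', '')} [{eid}]",
        # Event tables map RuleName here; the common table's form is the fallback (assumption).
        "security_result.rule_name": rec.get("RuleName") or f"EventID: {eid}",
    }
    if eid == 1:
        udm["metadata.event_type"] = "PROCESS_LAUNCH"
        udm["target.process.product_specific_process_id"] = guid
        udm["target.process.pid"] = rec.get("ProcessId")
        udm["target.process.file.full_path"] = rec.get("Image")
        udm["target.process.command_line"] = rec.get("CommandLine")
        udm["principal.process.product_specific_process_id"] = f"SYSMON:{rec.get('ParentProcessGuid', '')}"
        udm["principal.process.pid"] = rec.get("ParentProcessId")
        udm["principal.process.file.full_path"] = rec.get("ParentImage")
        udm["principal.process.command_line"] = rec.get("ParentCommandLine")
        domain, name = split_user(rec.get("User", ""))
        if domain:
            udm["principal.administrative_domain"] = domain
        udm["principal.user.userid"] = name
        for algo, value in parse_hashes(rec.get("Hashes", "")).items():
            udm[f"target.process.file.{algo}"] = value
    elif eid == 12:
        udm["metadata.event_type"] = registry_event_type(rec.get("Message", ""))
        udm["principal.process.product_specific_process_id"] = guid
        udm["principal.process.pid"] = rec.get("ProcessId")
        udm["principal.process.file.full_path"] = rec.get("Image")
        udm["target.registry.registry_key"] = rec.get("TargetObject")
    elif eid == 22:
        udm["metadata.event_type"] = "NETWORK_DNS"
        udm["network.application_protocol"] = "DNS"
        udm["principal.process.product_specific_process_id"] = guid
        udm["principal.process.pid"] = rec.get("ProcessId")
        udm["principal.process.file.full_path"] = rec.get("Image")
        udm["network.dns.questions"] = [{"name": rec.get("QueryName")}]
        udm["network.dns.answers"] = parse_dns_answers(rec.get("QueryResults", ""))
        udm["security_result.summary"] = f"Query Status: {rec.get('QueryStatus', '')}"
    return udm


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(to_udm(event))
```

Running the script on your own exported records is a quick way to see which fields a detection rule can rely on for a given event ID, for example that the process GUID lands under target for Event ID 1 but under principal for Event IDs 12 and 22.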