Ossec Sysmon Events

[senatorh...@gmail.com]

Getting started with OSSEC for Sysmon > OSSEC > SO - but I am not seeing all the sysmon data in ELSA.

Listing in ELSA I get the following.

SYSMON_DRIVERLOADED - 0
SYSMON_FILECREATE - 0
SYSMON_IMAGE - 0
SYSMON_NETWORK - 7111
SYSMON_PROCESS - 33677
SYSMON_PROCESSACCESS - 0
SYSMON_RAWACCESS - 0
SYSMON_REMOTETHREAD - 282

Looking in CLASS=WINDOWS I am able to find events for ex. SYSMON_FILECREATE

2017 Dec 21 07:04:40 (SERVER) 10.1.1.2->WinEvtLog 2017 Dec 21 08:34:17 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(11): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: SERVER.fqdn.com: File created: UtcTime: 2017-12-21 07:34:17.589 ProcessGuid: {26BC4594-63F9-5A3B-0000-0010747BC107} ProcessId: 9664 Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetFilename: C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\SH140JT71D0JK6EZKV9O.temp CreationUtcTime: 2017-12-21 07:34:17.589

Why is not listed in the predefined view/filter?

Hope something can help me adjust my settings to make it usable. Thanks.

[Wes Lambert]

Senatorhotchkiss,

It's likely that log type was not yet parsed.  You could modify the patterns/parsers for ELSA using the following documentation.

https://github.com/Security-Onion-Solutions/security-onion/wiki/CustomELSAParsers

Since we are moving towards Elastic, we likely won't be developing or modifying ELSA pattern/parsers.

Thanks,

Wes    

--
You received this message because you are subscribed to the Google Groups "enterprise-log-search-and-archive" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise-log-search-and-archive+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.