Security Onion with Winlogbeat and Sysmon (Update)


Lenny Hansson

Feb 5, 2020, 2:47:23 AM2/5/20
to security-onion
Hi folks
Just a small update on the subject from my post on 26 JAN regarding Security Onion with Winlogbeat and Sysmon.

After some feedback I have made some small changes to my release in this group.
Small corrections and new dashboards have been released for all to use.

You will get 46 dashboards and 380 Objects to play with.

New demo video from here:
https://networkforensic.dk/SecurityOnion/Files/SO-Demo.mp4

Download files:
JSON files for dashboards for Kibana and links for the navigation pane.
https://networkforensic.dk/SecurityOnion/Files/Dashboards-navigationpane.zip

Winlogbeat and Sysmon with setup instructions and config files.
https://networkforensic.dk/SecurityOnion/Files/Install_pack.zip

All can now be downloaded from my web-site here:

Old links from previous post will be removed.

Thanks for all the feedback... and happy hunting.

Best regards
Lenny Hansson
Web: https://networkforensic.dk

Francois

Feb 5, 2020, 11:45:00 AM2/5/20
to security-onion
I would be curious to hear from people about the challenges of using Sysmon in the enterprise.  Unless I am wrong, I don't see this as a tool that is really meant to be used in an enterprise with hundreds of endpoints due to the difficulty in managing the configuration file.  I don't use Sysmon, so I don't even know if you have to modify that configuration file often.

What's the largest deployment of Sysmon that you have managed?  Are there any gotchas that people should be aware of?

Thanks,

Francois

Cliftyman

Feb 5, 2020, 4:46:22 PM2/5/20
to security-onion
We use it in our enterprise.  We only watch event ID 3 though (network connections).  That is a major shortcoming with Windows Event Logs... so we use it as a supplement to them.

We push Sysmon with SCCM and the detection method is tied to the name of our XML template.  Every time we make network config exclusions in our template we change the name, then create a new file detection method and push the content... we have a PowerShell script that reinstalls Sysmon with the new template afterwards.

As I mentioned, our template only watches event ID 3.  We took the SwiftOnSecurity template... commented out most of it and added several binary exclusion paths for our unique approved apps, and we also excluded all private address ranges and localhost to reduce chatter.

What this means is when our computers' apps connect to public IPs we know about it, and we also know which binary on the end user device initiated the outbound connection.

- Cliftyman
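As an added illustration of the approach Cliftyman describes (this is not his script or template), the PowerShell below renders a Sysmon template that keeps only event ID 3, excludes loopback and RFC 1918 destinations plus a list of approved binaries, writes the file under a versioned template name so a file-based detection method can key on it, and then installs or reloads Sysmon. The Sysmon path, config directory, template name, schema version and the approved-app paths are assumptions and placeholders, not values from the thread.

```powershell
# Added example, not Cliftyman's deployment script. Renders an ID-3-only Sysmon
# template, writes it under a versioned name (the file doubles as the detection
# artifact for the deployment tool), then installs or reloads Sysmon with it.
param(
    # Bump the name whenever exclusions change, as described in the post above.
    [string]$TemplateName = 'sysmon-netconn-v3',                        # assumed name
    [string]$SysmonExe    = 'C:\Program Files\Sysmon\Sysmon64.exe',     # assumed location
    [string]$ConfigDir    = 'C:\ProgramData\Sysmon',                     # assumed location
    [string[]]$ApprovedImages = @(                                       # placeholders
        'C:\Program Files\ApprovedApp\approvedapp.exe',
        'C:\Windows\System32\dns.exe'
    )
)

# Destinations not worth logging: loopback and the three RFC 1918 ranges.
# 172.16.0.0/12 has no single prefix, so it is expanded to 172.16. through 172.31.
$privatePrefixes = @('127.', '10.', '192.168.') + (16..31 | ForEach-Object { "172.$_." })

$ipRules = ($privatePrefixes | ForEach-Object {
    "        <DestinationIp condition=`"begin with`">$_</DestinationIp>"
}) -join "`n"
$imageRules = ($ApprovedImages | ForEach-Object {
    "        <Image condition=`"is`">$_</Image>"
}) -join "`n"

# Empty include blocks switch off event types Sysmon logs by default, so the
# resulting stream is NetworkConnect only. The schema version must match the
# installed Sysmon build (check with "Sysmon64.exe -? config"); 4.22 is assumed.
$xml = @"
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include"></ProcessCreate>
    <ProcessTerminate onmatch="include"></ProcessTerminate>
    <DriverLoad onmatch="include"></DriverLoad>
    <CreateRemoteThread onmatch="include"></CreateRemoteThread>
    <RuleGroup name="NetworkConnect exclusions" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">::1</DestinationIp>
$ipRules
$imageRules
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@

New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
$configPath = Join-Path $ConfigDir "$TemplateName.xml"
Set-Content -Path $configPath -Value $xml -Encoding UTF8

# -c reloads a new config into a running install; -i installs the service.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $configPath
} else {
    & $SysmonExe -accepteula -i $configPath
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }
```

Because the NetworkConnect block uses onmatch="exclude", everything that does not hit an exclusion is logged, which is what gives the "process X talked to public IP Y" visibility the post describes; adding an approved binary to the exclusion list means its outbound connections disappear from the log entirely, so that list deserves the same change control as the template name.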

Philip Robson

Feb 6, 2020, 1:57:15 AM2/6/20
to securit...@googlegroups.com
I have used it on many networks of hundreds of computers each. Once you have tuned the Sysmon config it will not need to be changed that often; also, once tuned, it does not create too many events.

We use a solution called PDQ Inventory and Deploy. Inventory allows you to track who does and who does not have it running; Deploy can then push to those that do not. Updating a config takes no time at all.

I use this as a basis


With the PowerShell he has created it makes it very easy to tweak Sysmon for your own environment.


Lenny Hansson

Feb 6, 2020, 3:26:36 AM2/6/20
to security-onion
Hi
Here is my take on the subject. Management can be done from AD / SCCM. The only gotcha in my opinion is that you may need more than one (1-5 files) Sysmon config file for different systems, depending on what you're logging and looking for. Or else it can be quite noisy. Like I have a DNS system built with Java. My first implementation on that system gave me quite a lot of logs, so I had to tune it out and not do logging for Java on that system. But I need logging for Java on other systems.

My take on what to use Sysmon for is straightforward.... You have to take a look at the MITRE ATT&CK framework and find your/the missing gaps. You might collect the logs in a different way with other installed tools. Then there is no need to collect the logs twice :-) Use Sysmon for what it can give you in the missing gaps. And working as a security analyst for many years hunting for malware, I like Sysmon.... It gives me what I often miss in event logs from Microsoft. But it still has some limitations. Like you can't read from memory. You need other tools for that. But it can cover quite many ATT&CK IDs from the MITRE ATT&CK framework.

I can recommend the following from Black Hills Security:

https://www.blackhillsinfosec.com/getting-started-with-sysmon/
https://www.blackhillsinfosec.com/webcast-implementing-sysmon-and-applocker/

\Lenny

Michael Kelley

Feb 12, 2020, 10:11:18 AM2/12/20
to security-onion
I've uploaded the JSON files multiple times and refreshed the index multiple times and I'm still getting the following errors with the dashboards below.

APPLOCKER EVENTS
------------------------
- Could not locate that visualization (id: b6912b90-3f67-11ea-bfa1-ebe53c54480d)
- Could not locate that visualization (id: d3cdccd0-3f68-11ea-bfa1-ebe53c54480d)
- Could not locate that visualization (id: c0062140-3ea3-11ea-bfa1-ebe53c54480d)


LOGON MONITOR
------------------------
- Could not locate that visualization (id: afe87f00-00e2-11ea-8aaa-6f6662299f1c)

NETWORK SHARE MONITOR
------------------------
- Could not locate that visualization (id: 3a486d60-344e-11ea-abda-b14ba808104b)
- Could not locate that visualization (id: 3cf755e0-3f74-11ea-bfa1-ebe53c54480d)
- Could not locate that visualization (id: 3e357420-3450-11ea-abda-b14ba808104b)

SRP-RULES
------------------------
- Could not locate that visualization (id: 48c22930-4655-11ea-9ec1-01b05c0c9805)
- Could not locate that visualization (id: 98b027e0-4654-11ea-9ec1-01b05c0c9805)

TASK SCHEDULER
------------------------
- Could not locate that visualization (id: 9ddc5860-2728-11ea-b1ef-45f46289ee5c)

USB MONITOR
------------------------
- Could not locate that visualization (id: 90326d40-2e1b-11ea-a541-d16219d49e44)

WIRELESS ACTIVITIES
------------------------
- Could not locate that visualization (id: 28cd9b40-4651-11ea-9ec1-01b05c0c9805)
- Could not locate that visualization (id: ba3a7fc0-4652-11ea-9ec1-01b05c0c9805)
- Could not locate that visualization (id: c3753d70-4650-11ea-9ec1-01b05c0c9805)

Michael Kelley

Feb 12, 2020, 9:28:55 PM2/12/20
to security-onion
What is the NETC_Alert,Metasploit Alert? It seems to be a false positive firing when it sees dns.exe run.



Lenny Hansson

Feb 16, 2020, 5:46:49 PM2/16/20
to security-onion
Hi
Starting backwards.....
NETC_Alert,Metasploit Alert - Port watching on port 4444. Default Metasploit port. - Rem it out from the Sysmon config file if you have issues. Have seen the issue on my own DNS server.

Check that you are running these versions:

Made for:

Security Onion - 16.04.6.3
Kibana - 6.8.4
Winlogbeat - 6.8.4
Sysmon - 10.0.4.2

From the info-install-pack.txt. Please read. Located in Dashboards-navigationpane.zip
Have you enabled the log collection from the Windows hosts? If so, wait until you have some logs from them.

The following Windows event logs must be enabled for collection:

  - name: Application
  - name: Security
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Microsoft-Windows-Windows Defender/Operational
  - name: Microsoft-Windows-Bits-Client/Operational
  - name: Microsoft-Windows-Dhcp-Client/Admin
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
  - name: Microsoft-Windows-Hyper-V-Compute-Operational
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  - name: Microsoft-Windows-TaskScheduler/Operational
  - name: Microsoft-Windows-WLAN-AutoConfig/Operational
  - name: Microsoft-Windows-AppLocker/EXE and DLL
  - name: Microsoft-Windows-AppLocker/Packaged app-Execution
  - name: Microsoft-Windows-AppLocker/MSI and Script
  - name: Microsoft-Windows-AppLocker/Packaged app-Deployment
  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Do this when you have some logs -> Management -> Index Patterns -> *:logstash-beats-* "Refresh field list"
Then import dashboards.

-------------------------------------
Applocker:
Be aware what I wrote about AppLocker. You have to start the service and have it running and have some logs coming from it.
Read in info-install-pack.txt

-------------------------------------
If you don't have any logs, from what I have seen you get "Could not locate that visualization". This does not mean they don't work, just that you don't have any logs. Reindex *:logstash-beats-*
In the info-install-pack.txt I wrote about this:
-----------------------------------
Security Onion - Import Dashboards, Searches and visualizations.

Unpack the zip file to your own location.
Go to -> Management - Saved Objects
Import the JSON files from the zip file.

Go to Index Patterns
Select *:logstash-beats-* - Do a Refresh field list.

Be aware that if you don't have any logs in Elastic - wait until you have collected some logs. Dashboards can look like they are not working or imported, but they do. You just need some logs.
Refresh the index pattern *:logstash-beats-*
************************You probably need to do this more than once***************************

----------------------------------------
Add URLS to Navigation pane:
From the Navigation.TXT file.
Copy them into the Navigation pane run and save the Navigation pane.

Management -> Saved Objects (Search for Navi and hit Return) Select it and View visualization - Copy the URLs in below **Host Hunting** and save the file.

---------------------------------------

To get the latest release:

Link


---------------------------------------
Hope it helps

\Lenny
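Since the two problems Lenny points to (dashboards reporting "Could not locate that visualization", AppLocker producing nothing until the service is running) both come down to a channel being disabled or empty on the Windows host, here is an added PowerShell check, not part of the install pack, that walks the channel list from the winlogbeat config above and reports for each whether it exists, is enabled and holds any records. The channel names are copied from the post; the suggested wevtutil command and the optional CSV path are my additions.

```powershell
# Added example (not from the install pack): verify on a Windows host that the
# channels Winlogbeat is told to collect exist, are enabled and contain records.
# Channel list copied from the winlogbeat config in the post above.
$channels = @(
    'Application', 'Security', 'System',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-Bits-Client/Operational',
    'Microsoft-Windows-Dhcp-Client/Admin',
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational',
    'Microsoft-Windows-Hyper-V-Compute-Operational',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-WLAN-AutoConfig/Operational',
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/Packaged app-Execution',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-TerminalServices-RDPClient/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
)

$report = foreach ($name in $channels) {
    # -ListLog returns the channel configuration, or nothing if the channel
    # is not registered on this host (feature or provider not installed).
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        [pscustomobject]@{
            Channel = $name; Exists = $false; Enabled = $false; Records = 0
            Action  = 'channel missing: provider or feature not installed here'
        }
        continue
    }
    $action = if (-not $log.IsEnabled) {
                  # Several of these channels ship disabled and must be switched on.
                  "enable with: wevtutil sl `"$name`" /e:true"
              } elseif ($log.RecordCount -eq 0) {
                  'enabled but empty: nothing reaches the dashboard until it logs'
              } else {
                  'ok'
              }
    [pscustomobject]@{
        Channel = $name; Exists = $true; Enabled = $log.IsEnabled
        Records = $log.RecordCount; Action = $action
    }
}

$report | Format-Table -AutoSize -Wrap
# Optional, assumed path: keep a copy per host when rolling out to many machines.
# $report | Export-Csv -Path 'C:\Temp\winlogbeat-channels.csv' -NoTypeInformation
```

Run it in an elevated PowerShell on a host that Winlogbeat is installed on; any row with Records = 0 is a channel whose dashboard will still show the "Could not locate that visualization" message after import, which is the situation described above rather than a broken dashboard.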