parsing sysmon logs with wazuh


Walid Bzeouich

Oct 19, 2023, 7:29:55 AM10/19/23
to Wazuh | Mailing List
Hi everyone, I need some support!
I want to parse logs received from Sysmon installed on Windows 7.

The purpose is to generate an alert when a user pings a domain, so I want Wazuh to notify me and show which domain. I can then verify whether this domain is an IoC (Wazuh integration with MISP). I followed this blog: https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19

Julio Gasco

Oct 19, 2023, 9:55:32 AM10/19/23
to Wazuh | Mailing List
Hi Walid,
Sysmon events are saved in the Windows Event Viewer and then ingested into Wazuh. They come in JSON format, so every field that arrives will generate a field. You would not need to parse them manually, as that is done by Wazuh. Below is documentation explaining how to ingest Sysmon events:


You can see that you would only need to configure the Wazuh agent to read the location of the Sysmon events. They will then be ingested and parsed with all the details present in the generated Sysmon event.
In the document you shared, you can also see that there is no parsing done on the incoming event. You will get the domain information in the generated Event 22; the domain information is going to be there. Following that procedure should grant you the required information; if not, let me know what did not work and we can help you out.

Let me know if this helps!
Regards!
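As an added example (not code from this thread, from Wazuh, or from the blog's integration script), here is the step such a MISP integration performs on an alert: take the alert JSON that Wazuh writes for a Sysmon Event 22, pull out the queried domain and the process that issued the query, and check the domain against an indicator list. The alert record and the indicator set are constructed for the example; the local set stands in for the MISP API lookup.

```python
import json
from typing import Optional

# Constructed sample of a Wazuh alert for a Sysmon Event 22 (DNS query),
# shaped like the records Wazuh writes to alerts.json. All values are made up;
# the field names follow Wazuh's eventchannel decoder (win.system / win.eventdata).
SAMPLE_ALERT = json.dumps({
    "rule": {"level": 3, "description": "Sysmon - Event 22: DNS query"},
    "agent": {"id": "001", "name": "WIN7-WS01"},
    "data": {"win": {
        "system": {"eventID": "22",
                   "channel": "Microsoft-Windows-Sysmon/Operational"},
        "eventdata": {"queryName": "bad.example.test.",
                      "image": "C:\\Windows\\System32\\PING.EXE",
                      "queryResults": "::ffff:203.0.113.7;"},
    }},
})

# Stand-in for the MISP query: a constructed set of domain indicators.
KNOWN_IOC_DOMAINS = {"bad.example.test", "c2.example.invalid"}


def extract_dns_query(alert: dict) -> Optional[dict]:
    """Return domain, originating process and agent for a Sysmon Event 22
    alert; None for any other event or when the query name is missing."""
    win = alert.get("data", {}).get("win", {})
    if win.get("system", {}).get("eventID") != "22":
        return None
    ev = win.get("eventdata", {})
    domain = ev.get("queryName")
    if not domain:
        return None
    return {
        # normalise: lower-case and drop a trailing dot before matching
        "domain": domain.lower().rstrip("."),
        "image": ev.get("image", ""),
        "agent": alert.get("agent", {}).get("name", ""),
    }


def enrich(alert_json: str, ioc_domains=KNOWN_IOC_DOMAINS) -> Optional[dict]:
    """Mimic the integration: parse the alert, extract the domain and flag
    whether it matches an indicator. Returns None if the alert is not Event 22."""
    query = extract_dns_query(json.loads(alert_json))
    if query is None:
        return None
    query["ioc_match"] = query["domain"] in ioc_domains
    return query


if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_ALERT), indent=2))
```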