Microsoft Sysmon log monitoring with Log360

Overview

ManageEngine Log360 provides advanced collection, correlation, and analysis of logs generated by Microsoft's System Monitor (Sysmon). Sysmon provides deep visibility into process creations, network connections, and changes on endpoints that are not available in standard Windows logs. By transforming this highly detailed activity into actionable security intelligence, Log360 empowers organizations to detect sophisticated attacks, hunt for threats, and conduct in-depth forensic investigations.

How Log360 collects and analyzes Sysmon logs

Sysmon writes its events to a dedicated Windows Event Log channel, Microsoft-Windows-Sysmon/Operational (shown in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational). Log360 collects this data efficiently using its standard log collection agents.

Collection method:

  • Agent-based collection: The primary method is to deploy the lightweight Log360 agent to your Windows endpoints. The agent captures events directly from the Sysmon event log channel in real time and securely forwards them to the central Log360 server for analysis and storage.

Log360's intelligent parsing engine understands the structure of all Sysmon event IDs, automatically extracting critical fields like process names, command-line arguments, hashes, user information, and network details. This enriches the raw data, making it immediately available for alerting, reporting, and threat hunting.
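As an added illustration of the field extraction described above (not Log360's parser, which this page does not publish), the following Python turns two constructed Sysmon XML records, an Event ID 1 and an Event ID 3 from the Microsoft-Windows-Sysmon/Operational channel, into flat records with the process, hash, user and network fields a SIEM would index. The namespace URI is the standard one for Windows Event Log XML; the hostname, process GUIDs, hashes, IP addresses and command lines are constructed sample values.

```python
"""Normalize Sysmon events from Windows Event Log XML into flat records.

Added illustration, not Log360's parser. Both events below are constructed.
"""
import xml.etree.ElementTree as ET

# Namespace used by every Windows Event Log XML record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData fields worth lifting for some of the event IDs the page lists
# (names follow Sysmon's own schema).
FIELDS_BY_EVENT = {
    1: ("UtcTime", "ProcessGuid", "Image", "CommandLine", "User", "Hashes",
        "ParentImage", "ParentCommandLine"),
    3: ("UtcTime", "ProcessGuid", "Image", "User", "Protocol",
        "SourceIp", "SourcePort", "DestinationIp", "DestinationPort"),
    22: ("UtcTime", "ProcessGuid", "Image", "QueryName", "QueryResults"),
}


def parse_hashes(value):
    """Split Sysmon's 'MD5=...,SHA256=...' Hashes field into a dict."""
    hashes = {}
    for part in value.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = digest.strip().lower()
    return hashes


def parse_sysmon_event(xml_text):
    """Return channel metadata plus the key EventData fields for one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    record = {
        "event_id": event_id,
        "provider": system.find("e:Provider", NS).get("Name"),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    for name in FIELDS_BY_EVENT.get(event_id, ()):
        record[name] = data.get(name, "")
    if record.get("Hashes"):
        record["hashes"] = parse_hashes(record["Hashes"])
    return record


# Constructed sample: Event ID 1, process creation.
SAMPLE_EVENT_1 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 10:15:42.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\update.ps1</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="Hashes">MD5=0123456789abcdef0123456789abcdef,SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"WINWORD.EXE" /n quarterly.docx</Data>
  </EventData>
</Event>"""

# Constructed sample: Event ID 3, network connection from the same process.
SAMPLE_EVENT_3 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>3</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 10:15:43.501</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="SourceIp">10.0.0.25</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">203.0.113.7</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_EVENT_1, SAMPLE_EVENT_3):
        print(parse_sysmon_event(sample))
```

The shared ProcessGuid in the two samples is the join key a SIEM uses to tie a process creation to the connections, DNS queries and file writes that process later makes; the Hashes field is split per algorithm so that a single digest can be matched against threat intelligence regardless of which algorithms the Sysmon configuration enables.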

Monitoring capabilities

Log360 collects and analyzes the full spectrum of events generated by Sysmon, providing a comprehensive view of endpoint activity.

  • Log source: Sysmon Event Logs (from the Windows Event Log channel: Microsoft-Windows-Sysmon/Operational)

Critical Sysmon events monitored

Log360 tracks essential security and operational events generated by Sysmon, including:

  • Event ID 1: Process creation: Tracks every process launched, including its command-line arguments, parent process, and file hash.
  • Event ID 3: Network connection: Monitors all outbound network connections made by processes on the system, including destination IP addresses and ports.
  • Event ID 7: Image loaded: Logs all DLLs loaded by processes, helping to detect process hollowing and malicious code injection.
  • Event ID 8: CreateRemoteThread: Detects when a process creates a thread in another process, a common technique used by malware.
  • Event ID 11: FileCreate: Logs the creation of new files, which is invaluable for tracking malware droppers and detecting ransomware activity.
  • Event IDs 12, 13, and 14: Registry events: Monitors the creation, modification, and deletion of registry keys and values, which attackers often use for persistence.
  • Event ID 22: DNS query: Logs all DNS queries made by processes, revealing command-and-control (C2) domains and other suspicious lookups.

Key benefits

  • Deep endpoint visibility: Gain unparalleled insight into process execution, inter-process communication, and network activity that standard logs completely miss.
  • Advanced threat detection: Identify stealthy malware, fileless attacks, and living-off-the-land techniques that evade traditional antivirus solutions.
  • Proactive threat hunting: Provide your security analysts with the granular data needed to proactively hunt for IOCs and APTs.
  • Accelerated incident response & forensics: Drastically reduce investigation time by providing a complete, time-stamped record of an attacker's actions on an endpoint.

Address key endpoint security challenges with Log360

The following list pairs common endpoint security challenges with the solution Log360 offers:

  • Detecting fileless malware & living-off-the-land attacks: Identifies attacks that use legitimate tools like PowerShell by monitoring command-line arguments, suspicious process ancestry, and network connections made by trusted processes.
  • Early ransomware detection: Detects common ransomware behaviors, such as the rapid creation of new files, and alerts on processes that delete volume shadow copies (vssadmin.exe Delete Shadows).
  • Tracking attacker lateral movement: Provides a clear view of process-to-process interactions, remote thread creation, and network connections, helping to trace an attacker's path across the network.
  • Lack of forensic data: Enriches incident investigations with highly granular data, including process GUIDs, command-line arguments, and file hashes, allowing for a complete reconstruction of an attack sequence.
  • Monitoring for persistence mechanisms: Alerts on changes to critical registry keys (e.g., Run keys) and the creation of new services or scheduled tasks that attackers use to maintain persistence on a system.
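The event list above and the challenges just described map directly onto detection rules. The following Python is an added example, not Log360's correlation rules, and runs five such rules over a constructed timeline of already-normalized Sysmon records: shadow copy deletion via vssadmin.exe (Event ID 1), an Office application launching a script host as one instance of suspicious process ancestry (Event ID 1; this generalises the page's PowerShell example to the usual Office and script-host lists), Run key changes (Event ID 13), remote thread creation (Event ID 8), and a burst of file creations from a single process (Event ID 11). Field names follow Sysmon's EventData schema; the paths, GUIDs, timestamps and the burst threshold are constructed assumptions.

```python
"""Example detection rules over normalized Sysmon records (added illustration,
not Log360's own rules). The timeline below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed image paths reused across the sample timeline.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCRIPT = r"C:\Users\alice\AppData\Local\Temp\update.ps1"

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_utc(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def rule_shadow_copy_deletion(ev):
    """Event ID 1: vssadmin.exe run to delete volume shadow copies."""
    if ev["event_id"] != 1 or basename(ev.get("Image", "")) != "vssadmin.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    return f"shadow copies deleted: {ev['CommandLine']}" if "delete" in cmd and "shadows" in cmd else None


def rule_office_spawns_script_host(ev):
    """Event ID 1: suspicious ancestry, an Office application launching a script host."""
    if ev["event_id"] != 1:
        return None
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}: {ev.get('CommandLine', '')}"
    return None


def rule_run_key_persistence(ev):
    """Event ID 13: a value set under a Run/RunOnce key."""
    if ev["event_id"] == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return f"Run key modified: {ev['TargetObject']} = {ev.get('Details', '')}"
    return None


def rule_remote_thread(ev):
    """Event ID 8: a thread created inside a different process."""
    if ev["event_id"] == 8 and ev.get("SourceImage") != ev.get("TargetImage"):
        return f"remote thread: {basename(ev['SourceImage'])} -> {basename(ev['TargetImage'])}"
    return None


PER_EVENT_RULES = [rule_shadow_copy_deletion, rule_office_spawns_script_host,
                   rule_run_key_persistence, rule_remote_thread]


def rule_file_creation_burst(events, threshold=20, window=timedelta(seconds=10)):
    """Event ID 11: one process creating >= threshold files inside a sliding window."""
    times = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 11:
            times[ev["ProcessGuid"]].append(parse_utc(ev["UtcTime"]))
    findings = []
    for guid, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("rule_file_creation_burst",
                                 f"{guid} created {threshold}+ files within {window.seconds}s"))
                break
    return findings


def run_detections(events):
    """Apply every rule; return (rule name, description) pairs."""
    findings = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, msg))
    findings.extend(rule_file_creation_burst(events))
    return findings


# Constructed timeline covering the behaviours described in the challenge list.
SAMPLE_EVENTS = [
    {"event_id": 1, "UtcTime": "2024-05-01 10:15:40.000", "ProcessGuid": "{guid-1}", "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"WINWORD.EXE" /n quarterly.docx'},
    {"event_id": 1, "UtcTime": "2024-05-01 10:15:42.123", "ProcessGuid": "{guid-2}", "Image": POWERSHELL,
     "ParentImage": WINWORD, "CommandLine": f"powershell.exe -NoProfile -File {SCRIPT}"},
    {"event_id": 13, "UtcTime": "2024-05-01 10:15:44.000", "Image": POWERSHELL, "Details": SCRIPT,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": 8, "UtcTime": "2024-05-01 10:15:45.000", "SourceImage": POWERSHELL,
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 1, "UtcTime": "2024-05-01 10:15:46.000", "ProcessGuid": "{guid-3}", "ParentImage": POWERSHELL,
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All"},
]
_t0 = datetime(2024, 5, 1, 10, 15, 50)
for i in range(25):  # 25 FileCreate events from one process in five seconds
    SAMPLE_EVENTS.append({"event_id": 11, "ProcessGuid": "{guid-2}", "Image": POWERSHELL,
                          "UtcTime": (_t0 + timedelta(milliseconds=200 * i)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
                          "TargetFilename": rf"C:\Users\alice\Documents\report{i}.docx.locked"})

if __name__ == "__main__":
    for name, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The per-event rules are stateless and cheap, so they can run on the agent or at ingest; the file creation burst rule needs state across events and belongs in the correlation tier. In production each rule needs an allowlist (backup agents legitimately delete shadow copies, installers legitimately write Run keys) and the burst threshold should be tuned per host role before it drives alerts.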

Visualize your endpoint data

Want to see detailed examples? Explore Sysmon monitoring capabilities and use cases within Log360.

Get started

Ready to secure your Windows Environment with Log360?

Gain complete visibility, detect advanced threats faster, and supercharge your incident response capabilities.

Explore ManageEngine Log360

Talk to our security experts

Have questions about Log360’s integration capabilities or need technical guidance?