Microsoft Sysmon

Supported OS Windows

통합 버전1.0.0
Microsoft Sysmon - Overview 1
Microsoft Sysmon - Overview 2
Microsoft Sysmon - Overview 3
Microsoft Sysmon - Overview 4
Microsoft Sysmon - Overview 5
Microsoft Sysmon - Overview 6
Microsoft Sysmon - Overview 7
Microsoft Sysmon - Overview 8
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Overview

Microsoft Sysmon is a Windows system service and device driver that provides detailed logging of system activity, including process creation, network connections, file modifications, and registry changes.

This integration enriches and ingests the Sysmon event logs. Use the pre-built dashboard to get a high-level view of the Sysmon events helping security teams monitor system activity.

Setup

Installation

To install the Microsoft Sysmon integration, run the following Agent installation command and the steps below. For more information, see the Integration Management documentation.

Note: This step is not necessary for Agent version >= 7.66.0.

Run powershell.exe as admin and execute the following command:

& "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" integration install datadog-microsoft_sysmon==1.0.0

Configuration

Configure Log Collection

  1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file with:

      logs_enabled: true

  2. Add this configuration block to your microsoft_sysmon.d/conf.yaml file to start collecting your Microsoft Sysmon logs:

      logs:
  - type: windows_event
    channel_path: "Microsoft-Windows-Sysmon/Operational"
    source: microsoft-sysmon
    service: microsoft-sysmon
    sourcecategory: windowsevent

  3. Restart the Agent.

Configure Sysmon

Follow these steps to install Sysmon:

  1. Download the zip file from the Sysmon download page. Extract its zip file content.
  2. Create an XML file for configuring Sysmon. For example, if you want to monitor processes created by apps from AppData folders, the configuration file will look like content shown below. You can add more event filters under the EventFiltering XML tag for other events in the same way.
  <Sysmon schemaversion="4.90">
      <EventFiltering>
        <ProcessCreate onmatch="include">
            <Image condition="contains">C:\Users\*\AppData\Local\Temp\</Image>
            <Image condition="contains">C:\Users\*\AppData\Roaming\</Image>
        </ProcessCreate>
      </EventFiltering>
  </Sysmon>
  1. Execute the command as admin from the extracted folder:
  .\Sysmon -i [<configfile>]

Note: Sysmon is highly configurable using the configuration (XML) file which allows you to:

  • Control which events to monitor
  • Filter events based on processes, paths, etc.

Enabling too many event types can result in excessive data ingestion. Only critical security events should be enabled based on the threat model and monitoring needs. These events should be selectively enabled for critical system directories, processes, and users to avoid unnecessary log noise.

For more details on configuration, please refer to the Sysmon docs.

Validation

Run the Agent’s status subcommand and look for microsoft_sysmon under the Checks section.

Data Collected

Logs

The Microsoft Sysmon integration collects the following Sysmon event logs:

  • Process activity logs
  • Network activity logs
  • File activity logs
  • Registry activity logs
  • WMI activity logs
  • Sysmon service activity logs
  • Named Pipe and Clipboard activity logs

Metrics

The Microsoft Sysmon integration does not include any metrics.

Events

The Microsoft Sysmon integration does not include any events.

Service Checks

The Microsoft Sysmon integration does not include any service checks.

Support

Need help? Contact Datadog support.