There are also some very interesting templates that can be applied to Sysmon 6.0 that help focus the logging on events that are relevant to endpoint investigations and threat detection. One of the best that I have seen so far is this one.
All of this is excellent but how do you get Sysmon 6.0 logs into NetWitness (NW) Logs and start using this knowledge to look for suspicious events in your environment (and by extension reduce you windows logging volumes to just those events that you need potentially).
Using the default Microsoft Windows Event Forwarding (WEF) that I have posted about previously I attempted to collect sysmon logs and pulling them into NW Logs to start using for reporting or alerting.
Events will look like this using the native windows parsers
I also noticed that there was an app from MHaggis that calls out a number of events to check for that could be flagged to highlight events to look for that I have translated into an application rule that you could import to begin to flag on the really important stuff from Sysmon.
There are other interesting rules that appear to be possible, that will be investigated but if anyone has done their own work please comment and add to this post.
name="sysmon-critical-processes" rule="device.class='windows hosts' && event.source = 'microsoft-windows-sysmon' && process ends process ends '\\powershell.exe','\\msbuild.exe','\\psexec.exe','\\at.exe','\\schtasks.exe','\\net.exe','\\vssadmin.exe','\\utilman.exe','\\wmic.exe','\\mshta.exe','\\wscript.exe','\\cscript.exe','\\cmd.exe','\\whoami.exe','\\mmc.exe','\\systeminfo.exe','\\csvde.exe'" alert=eoc type=application
added a fuller application rule list based on the splunk app that was posted by MHaggis. Still testing out some of the converted rules to nwr to see if they fire as expected but figured I'd post what I have for now if anyone else wants to test them out in a better environment]
Looks to be promising, as always test and verify but comments and suggestions are always welcome to help move this forward.