Sysmon Script not pulling in logs

Hi everyone!

I am trying to use the method/script located at https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog to pull the Sysmon logs into a pipeline, then rename the fields and declutter them with the custom rule in the article. The data is flowing through the pipeline, but none of the logs are processed by the pipeline rule. It makes me think the script needs to be changed because it is not recognizing the data, but I know absolutely no Java (I'm assuming it is Java). I was wondering if anyone else has run into this issue and knows how to fix it, or thinks the script may need to be altered.

My colleagues and I have solved the issue. The script did indeed need to be altered. It appears that the script at https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog is missing some logic in a few areas. We have updated the script and removed portions that were no longer needed. Below are the scripts that worked for us. We also split the Threat Intel script into two separate scripts and removed the first script from the web page.

Script 1 - Stage 0
// Sysmon Installation
// – Sysmon has to be installed on Windows, and be run with: sysmon -i -accepteula -h md5 -n -l (the flags are plain hyphens; note that MD5-only hashing limits indicator matching, and Sysmon's -h accepts a comma-separated list such as -h md5,sha256)
// – Transport should be a winlogbeat
// – Consider using the Graylog Sidecar to manage winlogbeat remotely

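rule "Stage 0 Sysmon Cleanup"

when

 // Only run for Sysmon events shipped by winlogbeat.
 // has_field() guards the comparison so messages without the field never match.
 has_field("winlogbeat_source_name") && $message.winlogbeat_source_name == "Microsoft-Windows-Sysmon"

then

  // --- Host / event metadata ------------------------------------------------
  rename_field("winlogbeat_computer_name", "sysmon_computer_name");
  rename_field("winlogbeat_event_id", "sysmon_event_id");
  rename_field("winlogbeat_level", "sysmon_data_level");
  rename_field("winlogbeat_task", "sysmon_task");
  rename_field("winlogbeat_thread_id", "sysmon_thread_id");
  rename_field("winlogbeat_event_data_UtcTime", "sysmon_data_utc_time");

  // --- User context -----------------------------------------------------------
  rename_field("winlogbeat_event_data_User", "sysmon_data_user");
  rename_field("winlogbeat_user_name", "sysmon_data_user_name");
  rename_field("winlogbeat_user_domain", "sysmon_user_domain");
  rename_field("winlogbeat_user_identifier", "sysmon_user_identifier");
  rename_field("winlogbeat_user_type", "sysmon_user_type");

  // --- Process creation fields (Image, CommandLine, Parent*, Logon*) ----------
  rename_field("winlogbeat_event_data_Image", "sysmon_data_process");
  rename_field("winlogbeat_event_data_CommandLine", "sysmon_cmd_event");
  rename_field("winlogbeat_event_data_CurrentDirectory", "sysmon_cmd_location");
  rename_field("winlogbeat_event_data_Hashes", "sysmon_cmd_hash");
  rename_field("winlogbeat_event_data_IntegrityLevel", "sysmon_cmd_integrity");
  rename_field("winlogbeat_event_data_LogonId", "sysmon_cmd_logon_id");
  rename_field("winlogbeat_event_data_LogonGuid", "sysmon_cmd_logon_guid");
  rename_field("winlogbeat_event_data_TerminalSessionId", "sysmon_cmd_terminal_pid");
  rename_field("winlogbeat_event_data_ParentCommandLine", "sysmon_cmd_parent_cmd");
  rename_field("winlogbeat_event_data_ParentImage", "sysmon_cmd_parent_file");
  rename_field("winlogbeat_event_data_ParentProcessId", "sysmon_cmd_parent_pid");
  rename_field("winlogbeat_event_data_ParentProcessGuid", "sysmon_cmd_parent_guid");

  // --- File creation fields -----------------------------------------------------
  rename_field("winlogbeat_event_data_TargetFilename", "sysmon_data_file_created");
  rename_field("winlogbeat_event_data_CreationUtcTime", "sysmon_data_file_created_time");
  rename_field("winlogbeat_event_data_PreviousCreationUtcTime", "sysmon_data_file_created_time_previous");

  // --- Network connection fields ------------------------------------------------
  // The destination hostname/IP are named *_dns_lookup* because Stage 1 feeds
  // them to the threat-intel domain/IP lookups.
  rename_field("winlogbeat_event_data_DestinationHostname", "sysmon_dns_lookup");
  rename_field("winlogbeat_event_data_DestinationIp", "sysmon_dns_lookup_ip");
  rename_field("winlogbeat_event_data_DestinationPort", "sysmon_dest_port");
  rename_field("winlogbeat_event_data_DestinationPortName", "sysmon_dest_port_name");
  rename_field("winlogbeat_event_data_Initiated", "sysmon_con_initiated");
  rename_field("winlogbeat_event_data_Protocol", "sysmon_con_proto");
  rename_field("winlogbeat_event_data_SourceHostname", "sysmon_src_name");
  rename_field("winlogbeat_event_data_SourceIp", "sysmon_src_ip");
  rename_field("winlogbeat_event_data_SourcePort", "sysmon_src_port");
  rename_field("winlogbeat_event_data_SourcePortName", "sysmon_src_port_name");

  // --- GUID clean-up ------------------------------------------------------------
  // The GUIDs arrive wrapped in braces ("{...}"); keep only the inner value.
  // regex() numbers capture groups from "0", so ["0"] is the bracketed content.
  // NOTE(review): when the source field is absent, to_string() presumably yields ""
  // and the regex does not match, so an empty string is stored — pipeline rules
  // have no conditionals to skip this; confirm this is acceptable for searches.
  let fix_process_guid = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_event_data_ProcessGuid));
  set_field("sysmon_data_process_guid", to_string(fix_process_guid["0"]));
  remove_field("winlogbeat_event_data_ProcessGuid");

  // Previously written to "sysmon_data_provider_gui"; the name is corrected to
  // match the *_guid convention used for the process GUID above.
  let fix_provider_guid = regex("^\\{(\\S+)\\}$", to_string($message.winlogbeat_provider_guid));
  set_field("sysmon_data_provider_guid", to_string(fix_provider_guid["0"]));
  remove_field("winlogbeat_provider_guid");

  // --- Drop beat metadata that carries no Sysmon information ----------------------
  remove_field("name");
  remove_field("tags");
  remove_field("type");

  // --- Drop winlogbeat fields we do not need -----------------------------------
  // winlogbeat_source_name is removed here even though the when clause depends on
  // it; that is safe because the condition has already been evaluated.
  // NOTE(review): dropping winlogbeat_event_data_ProcessId discards the PID that
  // other Windows event sources use for correlation, and winlogbeat_record_number
  // is the only field that lets you spot gaps in the event stream — consider
  // renaming rather than removing these two.
  remove_field("winlogbeat_event_data_ProcessId");
  remove_field("winlogbeat_log_name");
  remove_field("winlogbeat_opcode");
  remove_field("winlogbeat_process_id");
  remove_field("winlogbeat_record_number");
  remove_field("winlogbeat_source_name");
  remove_field("winlogbeat_tags");
  remove_field("winlogbeat_type");
  remove_field("winlogbeat_version");
  remove_field("winlogbeat_event_data_SourceIsIpv6");
  remove_field("winlogbeat_event_data_DestinationIsIpv6");

end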

Script 2 - Stage 1
// Threat Intelligence enrichment
// — Requires the Graylog Threat Intel plugin to be installed: https://github.com/Graylog2/graylog-plugin-threatintel

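rule "Stage 1 Sysmon Threatintel"

when

 // Only run when Stage 0 produced something to look up: the destination
 // hostname, destination IP or source IP of a Sysmon network event.
 // (The original tested has_field("ip") and read $message.query_domain /
 // $message.query_answer, none of which Stage 0 emits, so the lookups were
 // effectively running against empty strings and enrichment never happened.)
 has_field("sysmon_dns_lookup") || has_field("sysmon_dns_lookup_ip") || has_field("sysmon_src_ip")

then

  // Destination hostname (Stage 0: winlogbeat_event_data_DestinationHostname).
  // Result fields are prefixed "sysmon_dns_lookup"; this is the most frequently fired lookup.
  let sysmon_dns_lookup_intel = threat_intel_lookup_domain(to_string($message.sysmon_dns_lookup), "sysmon_dns_lookup");
  set_fields(sysmon_dns_lookup_intel);

  // Destination IP (Stage 0: winlogbeat_event_data_DestinationIp).
  // Useful when DNS itself is not monitored, since the resolved address is still seen here.
  let sysmon_dns_lookup_ip_intel = threat_intel_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
  set_fields(sysmon_dns_lookup_ip_intel);

  // Source IP (Stage 0: winlogbeat_event_data_SourceIp).
  // Mostly relevant for non-internal sources, i.e. whether our own address is flagged somewhere.
  let sysmon_src_ip_intel = threat_intel_lookup_ip(to_string($message.sysmon_src_ip), "sysmon_src_ip");
  set_fields(sysmon_src_ip_intel);

  // NOTE(review): pipeline rules have no conditionals, so a field that is absent on
  // this message is looked up as "" (to_string of a missing field) — presumed to be a
  // no-match for the plugin; confirm against the installed version, and split into
  // three rules with separate when clauses if that is not the case.

  // WHOIS lookup. Disabled by default; enable only after checking latency and throughput.
  // let sysmon_dns_lookup_ip_whois = whois_lookup_ip(to_string($message.sysmon_dns_lookup_ip), "sysmon_dns_lookup_ip");
  // set_fields(sysmon_dns_lookup_ip_whois);

end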

Script 3 - Stage 2

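rule "Stage 2 Sysmon Threatintel Inflate"

when

 // Fire when any Stage 1 lookup flagged a match. Stage 1 prefixes its results
 // with the lookup name ("sysmon_dns_lookup", "sysmon_dns_lookup_ip",
 // "sysmon_src_ip"), so the flags it writes are <prefix>_threat_indicated.
 // (The original tested src_threat_indicated / dst_threat_indicated, which none
 // of the Stage 1 lookups produce, so this rule could never fire.)
 // NOTE(review): <prefix>_threat_indicated is the Threat Intel plugin's documented
 // output convention — confirm against the installed version. to_bool() of an
 // absent field should evaluate to false, so missing flags do not trigger the rule.
 to_bool($message.sysmon_dns_lookup_threat_indicated) ||
 to_bool($message.sysmon_dns_lookup_ip_threat_indicated) ||
 to_bool($message.sysmon_src_ip_threat_indicated)

then

  // Collapse the per-lookup flags into one field so searches like
  // threat_indicated:true work regardless of which lookup matched.
  set_field("threat_indicated", true);

end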
