Sysmon and log Parse using KQL on Azure Sentinel

M'hirsi Hamza
3 min read, Jan 8, 2022

Hi Medium! Here we are again with a new article.

In this article, we will go through the tools and techniques you should know to collect events from a target system and review its logs on the Azure Sentinel platform.

Summary

  1. What is Sysmon
  2. Setup the environment
  3. Sysmon installation script
  4. Parse Events
  5. Conclusion

What is Sysmon?

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. — Source

Sysmon logs can also be collected from Linux machines; for more details, you can check Mando_elnino's article Sysmon for log collection and analysis in elastic SIEM.

Setup the environment

To set the environment for the log collection on Sentinel you can check this article Set a Sentinel environment and start collecting Windows logs on Azure

Sysmon installation script

For an automated install script, you can check this link on GitHub, which will walk you through the installation.

PowerShell script for the Sysmon installation

Parse Events

As we saw in the previous article, the raw log output is hard to work with: most of the important information is buried inside each log line rather than exposed as separate fields.

To parse an event, we need a script that splits the data into columns. This is called an 'event parser', and ready-made parsers can be found on GitHub, here is a link:

https://github.com/Azure/Azure-Sentinel/tree/master/Parsers

In my case, I used the following code:

Using that function we will be able to retrieve a clearer log:

We can also save the function for later use, so we don't have to rewrite it each time, and then call it from other KQL queries:
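As an added example (not the parser from the Azure-Sentinel repository, nor code from the original article), here is a minimal KQL parser for Sysmon events in the Sentinel Event table, run over one constructed process-creation record (Event ID 1) so it works in any workspace without ingested data. The EventData XML layout, the column names and the function name ParseSysmon are assumptions.

```kql
// Constructed sample: one Sysmon Event ID 1 record shaped like the
// Event table (assumption: agent wraps EventData in <DataItem><EventData>).
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, Source:string, EventID:int, EventData:string)
[
    datetime(2022-01-08 10:00:00), "WS01", "Microsoft-Windows-Sysmon", 1,
    @'<DataItem type="System.XmlData"><EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="UtcTime">2022-01-08 10:00:00.000</Data><Data Name="Image">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="User">WS01\alice</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></DataItem>'
];
// Parser: turns the <Data Name="..."> elements into one column per name.
// Save this under the same name (Log Analytics "Save as function") and other
// queries can reuse it with "Event | invoke ParseSysmon()".
let ParseSysmon = (T:(TimeGenerated:datetime, Computer:string, Source:string, EventID:int, EventData:string)) {
    T
    | where Source == "Microsoft-Windows-Sysmon"
    // parse_xml yields an array of {"@Name": ..., "#text": ...} objects
    | extend Data = parse_xml(EventData).DataItem.EventData.Data
    | mv-expand bagexpansion=array Data
    | evaluate bag_unpack(Data)
    | extend Key = tostring(['@Name']), Value = tostring(['#text'])
    | project-away ['@Name'], ['#text']
    // one row per event again, one column per Sysmon field name
    | evaluate pivot(Key, take_any(Value), TimeGenerated, Computer, EventID)
};
// With the fields split out, detection logic can filter on them directly.
SampleEvents
| invoke ParseSysmon()
| where EventID == 1
| project TimeGenerated, Computer, EventID, Image, CommandLine, User, ParentImage
```

Running this in a Log Analytics workspace returns a single row with Image, CommandLine, User and ParentImage as separate columns; replacing SampleEvents with the Event table applies the same parser to real Sysmon data.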

Conclusion

In this article, we checked how we can parse logs using KQL and how we can have a better view of logs.
In the next articles, we will cover more Sentinel features, stay connected ;)

Hey, I hope that you enjoyed my article, if you have something to add or to correct please don’t hesitate to write a comment, see you soon ^^!

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity