Request for option to carry process creation detail fields into other Sysmon event types

Kevin Branch
2024-05-22T20:25:15.41+00:00

In Sysmon "Process Create" events, the details are invaluable, but many times I have wished that at least key process creation details like CommandLine, ParentImage, ParentCommandLine, and Hashes, could be carried over to other event types that account for actions taken by those created processes.

Many times in tuning my SIEM's detection rules involving Sysmon network or registry change events, the key piece of information needed to identify the nature of the event is only available in the original process creation event, likely in CommandLine, ParentImage, ParentCommandLine, or Hashes.

When I manually follow up on a suspicious Sysmon event other than type "Process Create", I will pivot on the ProcessGuid over to the original "Process Create" event in order to inspect the details I need to more adequately evaluate the action taken by the created process. However, for multiple reasons, this does not translate over to automated orchestration very well at all for me.

For example, I want to be able to create SIEM detection rules for certain kinds of Sysmon "Network Connection" events that are able to directly factor in process creation attributes of the process that created the network connection. Many obvious false positives with suspicious network connections are only evident once I see the CommandLine details and/or the ParentImage/ParentCommandLine details for the process.

For this to be possible, I am requesting a Sysmon configuration option to enable the carrying of "Process Create" event detail fields over into the other Sysmon events tripped by those created processes. I'm sure there is already some kind of process state table being maintained by Sysmon at all times anyway, from which this kind of detail could be plucked for the enrichment of other kinds of Sysmon events.

This might involve a fixed set of higher-value process creation fields like CommandLine, ParentImage, ParentCommandLine, and Hashes. Or it could be a configurable list of what process creation event fields to carry over. Or it could just carry all process creation detail fields across in a simple all-or-nothing approach.

If this is at all architecturally feasible, I believe something along the lines of the above would ultimately prove invaluable to empower the Sysmon user community to create more powerful detection rules to scrutinize Sysmon records about actions taken by existing processes.

Would you all consider adding such an option? Is this the best place for me to make this request or should I take it elsewhere?

Thanks for your consideration of my request, and for all the value that Sysmon has brought to my work over the last number of years.

Kevin Branch

Sysinternals
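The ProcessGuid pivot described in the post can be automated on the collection side until Sysmon offers such an option. The following is an added example, not part of the original post and not Sysmon functionality: it keeps a bounded table of "Process Create" (Event ID 1) details and copies them into later events that share the same ProcessGuid. The `Process`-prefixed output fields, the `ProcessCreateFound` flag, the `ProcessTable` and `enrich_stream` names, and the sample events are assumptions constructed for illustration.

```python
from collections import OrderedDict

# Process Create (Event ID 1) fields the post asks to carry over.
CARRY_FIELDS = ("CommandLine", "ParentImage", "ParentCommandLine", "Hashes")

class ProcessTable:
    """Bounded ProcessGuid -> Process Create details map with LRU eviction."""
    def __init__(self, max_entries=50000):
        self.max_entries = max_entries
        self._table = OrderedDict()

    def handle(self, event):
        """Record Event ID 1; return any other event enriched via ProcessGuid."""
        guid = event.get("ProcessGuid")
        if event.get("EventID") == 1:
            if guid:
                self._table[guid] = {f: event.get(f) for f in CARRY_FIELDS}
                self._table.move_to_end(guid)
                while len(self._table) > self.max_entries:
                    self._table.popitem(last=False)  # evict least recently used
            return event
        enriched = dict(event)
        details = self._table.get(guid)
        # The creation event may be absent: excluded by the Sysmon config,
        # logged before collection started, or already evicted from the table.
        enriched["ProcessCreateFound"] = details is not None
        if details is not None:
            self._table.move_to_end(guid)
            for field, value in details.items():
                enriched["Process" + field] = value  # hypothetical field names
        return enriched

def enrich_stream(events, table=None):  # events must arrive in log order
    table = ProcessTable() if table is None else table
    return [table.handle(e) for e in events]

# Constructed sample events (not real telemetry), already parsed into dicts.
GUID = "{00000000-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": GUID, "Image": r"C:\Tools\agent.exe",
     "CommandLine": r"agent.exe --sync", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=<constructed>"},
    {"EventID": 3, "ProcessGuid": GUID, "Image": r"C:\Tools\agent.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{00000000-0000-0000-0000-000000000002}",
     "Image": r"C:\Tools\other.exe", "DestinationIp": "192.0.2.11", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(enrich_stream(SAMPLE_EVENTS)[1])
```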