Collect Sysmon event logs
System Monitor (Sysmon) is a Windows system service, and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log once installed on a system. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Note
Installing and configuring Sysmon is out of the scope of this training. Because Sysmon is a telemetry tool that many organizations use, it's essential to know how to configure the Log Analytics Agent and Workspace to collect the Sysmon events.
After connecting the Sysmon agent to the windows machine, perform the following to enable Microsoft Sentinel to query the logs:
Go to your Azure portal.
Select Log Analytics workspaces from Azure services.
Select your Log Analytics workspace for Sentinel.
In the Settings area, select Legacy agents management.
On, the Windows event logs tab select + Add windows event log.
In the Add windows event log search box, enter: Microsoft-Windows-Sysmon/Operational. Sysmon isn't in the list by default.
Then select the Apply button
This connection can also be made from within Sentinel under Settings > Workspace settings > Legacy agents management. Once configured, the Sysmon events will be available in the Event table.
