Do all Windows Sigma rules require Sysmon logs? #4110

Hello Team, we are ingesting the Windows logs into the SIEM tool by using the forwarder from the Windows hosts, but when I try to implement the Sigma rules in our environment some of the fields are not available in the SIEM. Do we need to install Sysmon on the Windows hosts?
Replies: 2 comments
Hi,
The short answer is: it depends on the logsource. You can use the following Taxonomy files to know which logs/events are required for each logsource as a starting point. https://github.com/SigmaHQ/sigma-specification/blob/main/Taxonomy_specification.md
We're working on a log source guide for every log with its specific fields. We will publish an initial version of this in the next few weeks (hopefully).
Hope this answers your questions.
[Small Update]
If I might also add: while the fields are sometimes inspired by Sysmon, the idea is for you to map those fields to the closest thing that your EDR offers, which in most cases is very similar.
We use our EDR to collect Windows logs and we've had to use a combination of modifying rules and modifying field mappings in pySigma to get the use of a lot of the Sysmon-based rules. It is useful to familiarize yourself with the backend rule conversion for your SIEM (probably pySigma?) and modify the field mappings from your SIEM to match the Sigma taxonomy.
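A worked illustration of the field-mapping approach described in the reply above (an added example, not code from the reply or from pySigma; pySigma itself does this with a processing pipeline and its FieldMappingTransformation, which this standalone script only mimics on a rule already loaded as a dict). The EDR field names and the sample rule are constructed assumptions; the useful output is the list of Sigma fields your schema cannot supply, which is exactly the set of rules that need Sysmon or a rewrite:

```python
# Added example, not pySigma's own code: rewrite Sigma field names to the names
# a SIEM/EDR exposes and report fields with no equivalent (pySigma does this
# with a processing pipeline's FieldMappingTransformation; this only mimics it).

# Hypothetical mapping from Sigma taxonomy names to an EDR's field names.
EDR_FIELD_MAP = {
    "Image": "process.executable",
    "ParentImage": "process.parent.executable",
    "User": "user.name",
}

# Constructed minimal process_creation rule, as yaml.safe_load would return it.
SAMPLE_RULE = {
    "title": "whoami from a shell (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\whoami.exe",
            "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"],
            "IntegrityLevel": "High",
        },
        "filter": {"User|contains": "svc_"},
        "condition": "selection and not filter",
    },
}

def _map_block(block, field_map, unmapped):
    """Rewrite one detection block: a map, a list of maps, or a keyword list."""
    if isinstance(block, list):
        return [_map_block(item, field_map, unmapped) for item in block]
    if not isinstance(block, dict):  # keyword string: nothing to map
        return block
    new_block = {}
    for key, value in block.items():
        # 'Image|endswith' -> field 'Image', modifier suffix '|endswith' (kept)
        field, sep, mods = key.partition("|")
        if field in field_map:
            new_block[field_map[field] + sep + mods] = value
        else:  # no SIEM equivalent: this rule needs Sysmon or a rewrite
            unmapped.add(field)
            new_block[key] = value
    return new_block

def map_rule_fields(rule, field_map):
    """Return (rule with SIEM field names, sorted list of unmapped fields)."""
    unmapped = set()
    detection = {
        name: block if name == "condition" else _map_block(block, field_map, unmapped)
        for name, block in rule["detection"].items()
    }
    return {**rule, "detection": detection}, sorted(unmapped)
```

Run over a whole rule directory, the unmapped list tells you which fields to add to the mapping, which rules to adjust, and where only Sysmon (or an equivalent telemetry source) will do.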