Sysmon configuration for network activity

  • Question

  • Hello, 

    We have been getting alerts in our antivirus server of multiple users trying to connect to blocked URLs ( and What is the best configuration to find out what triggers these alerts? I will analyze the logs in an ELK server.


    Tuesday, July 9, 2019 8:01 PM

All replies

  • A quick query on Google with these words finds many interesting results:

    "using sysmon with elk"

    Most of them point to this config file maintained on GitHub:

    I would start from there.


    Tuesday, July 9, 2019 8:38 PM
  • I used that one and I was not able to find anything that would help me with this. I should have mentioned that, my bad. I'll try adding ports 80 and 443, and Chrome and other browsers, but I was hoping that someone who has dealt with this could give me more ideas.
    Tuesday, July 9, 2019 8:43 PM
  • Have a look at this one:

    It includes a sample of the new DNS event filtering which may help you in this case.

    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="is"></QueryName>
        <QueryName condition="end with"></QueryName> <!--Ads-->
        <QueryName condition="is"></QueryName> <!--Google-->
      </DnsQuery>
    </RuleGroup>



    Wednesday, July 10, 2019 8:24 AM
  • A basic configuration that contains network connect and process create events should be a good start. By including the ProcessCreate events you should be able to correlate the two via the ProcessGuid.

    The most basic configuration that logs all ProcessCreate and NetworkConnect events would be:

    <Sysmon schemaversion="4.21">
      <EventFiltering>
        <NetworkConnect onmatch="exclude"/>
        <ProcessCreate onmatch="exclude"/>
      </EventFiltering>
    </Sysmon>

    MarkC (MSFT)

    Thursday, July 11, 2019 1:46 PM
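Following MarkC's point about correlating NetworkConnect with ProcessCreate via ProcessGuid, and the DnsQuery filtering mentioned in the earlier reply, here is an added example (not from the thread, Sysmon, or its documentation) of the join you would run over the collected events before building the same query in Kibana; the event records, GUIDs, host names and user names are constructed sample data.

```python
# Added example, not from the thread: join Sysmon NetworkConnect (Event ID 3)
# and DnsQuery (Event ID 22) records to the ProcessCreate (Event ID 1) record
# sharing their ProcessGuid, so a blocked-URL alert can be traced to the user,
# image, parent and command line behind it. Field names are Sysmon's own; the
# flattened JSON shape and every value below are constructed sample data.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
    {"EventID": 1, "ProcessGuid": "{B2}", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "updater.exe /silent"},
    {"EventID": 22, "ProcessGuid": "{B2}", "QueryName": "blocked.example.net",
     "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 3, "ProcessGuid": "{B2}", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "DestinationHostname": "blocked.example.net"},
    {"EventID": 3, "ProcessGuid": "{A1}", "DestinationIp": "198.51.100.7",
     "DestinationPort": 443, "DestinationHostname": "www.example.com"},
    # Process started before Sysmon was installed: no ProcessCreate to join to.
    {"EventID": 3, "ProcessGuid": "{C3}", "DestinationIp": "203.0.113.10",
     "DestinationPort": 80, "DestinationHostname": "blocked.example.net"},
]


def index_processes(events):
    """Map ProcessGuid -> its ProcessCreate (Event ID 1) record."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def trace_hostname(events, hostname):
    """Return process details for every DNS query or connection that names
    `hostname`, joined on ProcessGuid. A GUID with no ProcessCreate record
    is reported as unknown rather than silently dropped."""
    procs = index_processes(events)
    hits = []
    for e in events:
        is_conn = e["EventID"] == 3 and e.get("DestinationHostname") == hostname
        is_dns = e["EventID"] == 22 and e.get("QueryName") == hostname
        if not (is_conn or is_dns):
            continue
        p = procs.get(e["ProcessGuid"], {})
        hits.append({"EventID": e["EventID"], "ProcessGuid": e["ProcessGuid"],
                     "User": p.get("User", "<unknown>"),
                     "Image": p.get("Image", "<no ProcessCreate seen>"),
                     "ParentImage": p.get("ParentImage", "<unknown>"),
                     "CommandLine": p.get("CommandLine", "<unknown>")})
    return hits
```

The unknown-GUID case matters in practice: processes that were already running when Sysmon was installed never produce an Event ID 1, so a join that silently drops them hides exactly the long-lived process you may be looking for.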