IBM Support

QRadar: How to configure and collect Sysmon DNS events

How To


Summary

This article provides information on how to configure Sysmon on WinCollect and create a log source for collecting events.

Objective

This document helps you configure Sysmon on your existing WinCollect implementation, and create log sources on QRadar®.
Sysmon integration is superior to the DNS Debug and DNS Analytic integrations for DNS logs because:
  • Disk usage is significantly reduced.
  • It has a lighter footprint.
  • High Availability support is enabled by default.
  • In addition to monitoring DNS queries, Sysmon also monitors process creation, file creation, and registry modifications.
  • Events can be filtered granularly through a configuration file.

Environment

WinCollect Managed or Standalone

Steps

The following steps can be used to integrate Sysmon on a Windows® device.

Enable DNS query logging

  1. Download Sysmon from the official Microsoft® website for Sysmon.
  2. A command prompt with administrative rights is required to install Sysmon.
  3. Once the prompt is open, change the directory to where the Sysmon package is located.
  4. Use the Sysmon -i command to install the package.
  5. You can now see Sysmon logs under Applications and Services Log > Microsoft > Windows > Sysmon Operational.
  6. DNS queries are not logged by default. You have to enable them with a configuration file.
    Use Notepad to create a text file containing the following XML snippet, and save it in text format with the name config-dnsquery.xml. An exclude rule with no conditions excludes nothing, so every DNS query is logged.
    Note: The DNS query log can generate a high volume of events, for example from Internet browsing and application use, and your configuration might need more exclusion filtering.
    IBM does not endorse the default values in this sample configuration. Users must confirm the appropriate values with their security, network, or system administrator.
    <Sysmon schemaversion="4.21">
      <EventFiltering>
        <DnsQuery onmatch="exclude" />
      </EventFiltering>
    </Sysmon>
  7. Use the following command on the command prompt to start logging DNS queries.
    Sysmon.exe -c config-dnsquery.xml
  8. The DNS events are visible under Applications and Services Log > Microsoft > Windows > Sysmon Operational. A DNS query event has Event ID 22.

Create a log source in QRadar to collect Sysmon events

If you have an existing log source, edit the WindowsAuthServer log source and add the XPath Query to the XPath Query field.
If you need to create a log source, follow these steps.
  1. Open the Log Source Management Application.
  2. Create a log source.
  3. Select the Log Source type Microsoft Windows Security Event Log.
  4. Select the Protocol type WinCollect.
  5. Complete all required details such as Name, Destination, and Log Source Identifier.
  6. In Step 3 of the log source creation wizard, insert the following XPath Query in the log source configuration.
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
      </Query>
    </QueryList>
  7. Save the log source and deploy changes.

Result

The Sysmon events are now integrated with QRadar and are visible in Log Activity.
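Before relying on the QRadar log source, you can confirm locally that DNS query events (Event ID 22) are being written and that the XPath query above returns them. The following PowerShell script is an added example and is not part of the IBM article or of WinCollect; it assumes Sysmon was configured with config-dnsquery.xml as in step 6 and that the console runs with administrative rights. It also lists the noisiest process images, which are the usual candidates for extra exclusion rules.

```powershell
# Added example (not from the IBM article): validate Sysmon DNS query logging and the
# QRadar XPath query on the Windows host itself before creating the log source.
# Assumes Sysmon is installed with the DnsQuery configuration from config-dnsquery.xml
# and that this console has administrative rights.

# The same XPath query that goes into the WinCollect log source configuration.
$xpath = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
"@

# Read the most recent Sysmon events with that query, then keep only DNS query events (Event ID 22).
$dnsEvents = Get-WinEvent -FilterXml $xpath -MaxEvents 2000 -ErrorAction Stop |
    Where-Object { $_.Id -eq 22 }

if (-not $dnsEvents) {
    Write-Warning "No Event ID 22 records found. Confirm that 'Sysmon.exe -c config-dnsquery.xml' was applied."
    return
}

# Extract the EventData fields by name from the event XML rather than by position,
# so the script does not depend on the field order of a particular Sysmon schema version.
$parsed = foreach ($evt in $dnsEvents) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated  = $evt.TimeCreated
        Image        = $data['Image']
        QueryName    = $data['QueryName']
        QueryResults = $data['QueryResults']
    }
}

# Show the latest queries to confirm the field content that QRadar will receive.
$parsed | Select-Object -First 10 | Format-Table -AutoSize

# Count events per process image: the noisiest images are candidates for exclusion rules
# in config-dnsquery.xml (see the note on event volume in step 6).
$parsed | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize
```
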

Additional Information

Example of a more advanced Sysmon configuration file containing DNS query attributes: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml, lines 885-1142.
QRadar content extensions: Setting up Sysmon, https://www.ibm.com/docs/en/qradar-common?topic=sysmon-setting-up

Document Location

Worldwide

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Document Information

Modified date:
10 October 2022

UID

ibm16574779