@bwarren unfortunately we’ve been stalled again by BSOD reports from customers. A few customers in our early phases reported an intermittent BSOD which appears to be a conflict between Sysmon and some of the MS 365 products. The team has built a work-around so that we’ll roll back to our old way of collecting process starts on an individual asset level if we encounter a BSOD in the future. This will unblock us here. We plan to resume the rollout on April 1.
Dan, I see Sysmon is active in our environment now. Is there anything we can subscribe to outside of this thread to keep informed of the latest developments around Sysmon in Rapid7? It looks like a select few Event IDs are being captured for now, but I assume this will be expanded on in the future?
Thanks!
Correct - right now we are just collecting Event ID 1 (Process Create) to replace the existing collection mechanism. Later this year we will begin adding additional events in order to enable new detections. When this happens we’ll be updating our documentation and will call it out in our release notes!
Hi Dan, we noticed more than Event ID 1. We also see Event ID 5, but noticed that log collection cut off again on May 10th. Are you still making changes? Your above comment noted that any changes would be noted in release notes. Aside from that, could we have a quick call re: performance?
Hey @matt_bruce - you are correct, of course. We collect Process Terminate on the endpoint so that we can more accurately track parent / child relationships (sometimes PIDs get re-used). But we do not send that data up to the platform right now.
We have not made any changes - so if you believe there is an issue with collection please make sure you open a support ticket and you can reference this post in case I can be of help.
Would love to have a call… if you can reach out to your CSM they can help us set this up!
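Dan's point about PID reuse, shown as an added illustration (this is not Rapid7's or Sysmon's code): a tracker that consumes Sysmon Event ID 1 and Event ID 5 records, frees a PID slot only when the instance that owns it terminates, and links parent to child through ProcessGuid rather than PID. The events are constructed samples shaped like Sysmon's EventData fields (EventID, UtcTime, ProcessGuid, ProcessId, Image, ParentProcessGuid, ParentProcessId) with made-up placeholder GUIDs; the `naive` table stands in for a collector that keys on PID alone and never expires entries.

```python
"""Live-process tracking from Sysmon Event ID 1 (Process Create) and
Event ID 5 (Process Terminate).  Added illustration; the events below are
constructed samples shaped like Sysmon EventData fields, not real host data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    guid: str                   # Sysmon ProcessGuid, unique per process instance
    pid: int                    # Windows PID, handed out again by the OS after exit
    image: str
    parent_guid: Optional[str]
    start: str
    end: Optional[str] = None


class ProcessTracker:
    """Keeps a PID -> live process table that EID 5 expires, beside a naive
    table that never expires (the ambiguity PID reuse causes without EID 5)."""

    def __init__(self) -> None:
        self.by_guid: Dict[str, Proc] = {}
        self.live: Dict[int, str] = {}   # PID -> GUID of the instance holding it now
        self.naive: Dict[int, str] = {}  # PID -> GUID, never cleared

    def ingest(self, ev: dict) -> None:
        eid = int(ev["EventID"])
        pid = int(ev["ProcessId"])
        if eid == 1:
            proc = Proc(ev["ProcessGuid"], pid, ev["Image"],
                        ev.get("ParentProcessGuid"), ev["UtcTime"])
            self.by_guid[proc.guid] = proc
            self.live[pid] = proc.guid
            self.naive[pid] = proc.guid
        elif eid == 5:
            proc = self.by_guid.get(ev["ProcessGuid"])
            if proc is not None:
                proc.end = ev["UtcTime"]
            # Free the PID slot only if this instance still owns it; a newer
            # instance that already reused the PID must not be evicted.
            if self.live.get(pid) == ev["ProcessGuid"]:
                del self.live[pid]

    def resolve_pid(self, pid: int) -> Optional[str]:
        """GUID of the process currently holding `pid`, or None if none is live."""
        return self.live.get(pid)

    def naive_resolve_pid(self, pid: int) -> Optional[str]:
        """Same lookup against the never-expired table (stale after an exit)."""
        return self.naive.get(pid)

    def children(self, guid: str) -> List[str]:
        return sorted(p.guid for p in self.by_guid.values() if p.parent_guid == guid)

    def ancestry(self, guid: str) -> List[str]:
        """Image names from `guid` up to the root, following ParentProcessGuid."""
        chain: List[str] = []
        while guid in self.by_guid:
            chain.append(self.by_guid[guid].image)
            guid = self.by_guid[guid].parent_guid
        return chain


# Constructed sample stream: cmd.exe (PID 1234) exits, then notepad.exe is
# assigned the same PID and spawns a child.  GUIDs are made-up placeholders.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 1, "UtcTime": "2023-06-01 10:00:00.000", "ProcessGuid": "guid-EXP",
     "ProcessId": 900, "Image": "explorer.exe"},
    {"EventID": 1, "UtcTime": "2023-06-01 10:00:01.000", "ProcessGuid": "guid-A",
     "ProcessId": 1234, "Image": "cmd.exe",
     "ParentProcessGuid": "guid-EXP", "ParentProcessId": 900},
    {"EventID": 5, "UtcTime": "2023-06-01 10:00:05.000", "ProcessGuid": "guid-A",
     "ProcessId": 1234, "Image": "cmd.exe"},
    {"EventID": 1, "UtcTime": "2023-06-01 10:00:09.000", "ProcessGuid": "guid-B",
     "ProcessId": 1234, "Image": "notepad.exe",
     "ParentProcessGuid": "guid-EXP", "ParentProcessId": 900},
    {"EventID": 1, "UtcTime": "2023-06-01 10:00:10.000", "ProcessGuid": "guid-C",
     "ProcessId": 5678, "Image": "conhost.exe",
     "ParentProcessGuid": "guid-B", "ParentProcessId": 1234},
]


def replay(events: List[dict]) -> ProcessTracker:
    tracker = ProcessTracker()
    for ev in events:
        tracker.ingest(ev)
    return tracker


if __name__ == "__main__":
    mid = replay(SAMPLE_EVENTS[:3])   # after cmd.exe exited, before the PID was reused
    print("PID 1234 live:", mid.resolve_pid(1234), "| naive:", mid.naive_resolve_pid(1234))
    done = replay(SAMPLE_EVENTS)
    print("PID 1234 live:", done.resolve_pid(1234))
    print("ancestry of guid-C:", " <- ".join(done.ancestry("guid-C")))
```

Between the cmd.exe exit and the notepad.exe start, the naive table still attributes PID 1234 to cmd.exe, so any later record carrying only a PID would be pinned to a process that no longer exists; the EID 5-aware table reports no live owner, and after the reuse it reports the new instance. Both instances remain in `by_guid`, so lifetimes and ancestry stay queryable after exit.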
Hi,
Where can I check if Sysmon is running for an endpoint with the IDR agent installed?
Thanks
Hi,
It's not visible from within the product; however, we can check your Org or a specific agent (hostname or ID) to confirm whether Sysmon is running or not.
David
Hi All, what's the latest on the integration?
Within my test environment I’ve edited the config to include additional events.
A few weeks ago, Sysmon 14 was released, but the sysmon_installer service ships v13. Is it possible to enforce the v14 install, which allows blocking of executables?
C:\Program Files\Rapid7\Insight Agent\components\sysmon_installer\common\Sysmon>Sysmon64.exe -V
System Monitor v13.30 - System activity monitor
@whissink the team is currently focused on the ingestion of other Sysmon event IDs in order to power additional InsightIDR detections. We’re currently building out metrics to make sure we’re careful adding additional resource load to machines before we “turn on” the new data collection.
On the topic of Sysmon v14, we had many BSOD reports over the last year with two different releases of Sysmon. Therefore we’ll keep a close eye on this for a while before making any changes.
Is there any update on this topic?
@whissink we are going to begin to collect EID 8 and EID 25 (both filtered) across all customers next month to power new detections. We intend to collect additional EIDs after this, but we will first monitor customer resource impact of the previous EIDs before moving ahead.
For clarification, would you be able to state which EIDs are being collected as of today?
@pdominguez as of today we are only sending EID 1 up to the platform.
@dan_martin I just saw in the release notes that the new EIDs are being collected as of yesterday. Can you tell us which EIDs will come up next? Network connections would also be very interesting to have.
@312312 over the next couple months we are aiming to turn on filtered collection of EID 3, 10, and 13 in phases.
Do you have any information on the timeline for EID 22? This is a very important one in the time of working from home (at least for our setup).
Sadly, we don’t have a timeline for EID 22 yet. I will note it and will take it up for discussion with our teams internally.
Our current approach for prioritizing which EIDs to ingest is to work with our detection engineering team to identify the next set of Sysmon-sourced data we want to ingest. The intent here is to provide broader detection coverage for customers per the MITRE ATT&CK framework. But we will also continue to look at customer-requested Sysmon events.
I just checked the log search within IDR and couldn't find the newly collected events under the Endpoint Activity logset. Is that normal? Will it take some time until we can access the logs from there?
Yes, sorry about that. The release was delayed, but it will happen next week (starting incrementally on Monday). You will be able to see a Log called 'Sysmon' under the 'Endpoint Activity' Logset, where those events are going to be stored in Log Search.
@312312 The events are now live, and you should be able to see them. Let us know if you run into any issues.