Comparing Sysmon and EclecticIQ Endpoint Response — Event Filters
Modern security monitoring relies on sensors that generate different types of data depending on what is being watched. A sensor collects data about the system it is attached to, and for a sensor, or a network of sensors, to be effective, the noise that accompanies that data must first be filtered out. Sensors support tasks such as file integrity monitoring, network sniffing and process execution control, and their output can then be analyzed to make informed decisions about the security of your environment.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed, remains resident across reboots and monitors system activity, logging it to the Windows event log. Sysmon is a popular choice for deploying sensors because it is easy to install and configure and provides extensive detail on system activity. Its events are typically collected with Windows Event Collection or a SIEM agent, after which an analyst can examine them to detect malicious activity and understand how intruders and malware operate in the network.
Sysmon supports event filtering through a configuration file with a predefined format. Without filters, an event type can generate far more data than a sensor deployment needs. For example, to record network connections made by one particular process rather than by all processes, you can filter on the process image, which greatly reduces the volume of data collected. A strong user community matures and refines Sysmon filters through collaboration on many use cases. One of the best-known Sysmon filter configurations is provided by SwiftOnSecurity; it is popular because it is community driven and offers an extensive set of filters.
Real-time Event Collection On Windows
Like Sysmon, the EclecticIQ Endpoint Response extension collects events and activity in real time as they happen on endpoint devices. It goes a step further by providing functionality similar to Sysmon wrapped in a native osquery extension, so users get the best of both worlds without having to deploy and manage two different agents, possibly supplied by two different vendors.
EclecticIQ Endpoint Response provides a similar filtering mechanism to allow for meaningful data collection, and with the intent of giving back to the community, EclecticIQ also provides the free EclecticIQ Endpoint Response Community Edition.
Here is a comparative analysis of Sysmon and EclecticIQ Endpoint Response filters. The following depicts a simple Sysmon configuration XML file to capture NetworkConnect events:
In the sample config above, filters are defined inside the <EventFiltering> element. Each <NetworkConnect> element carries an onmatch attribute set to either “include” or “exclude”, which define the events to select and the events to ignore, respectively. With “include”, only events that match one of the rules are logged; with “exclude”, events that match are dropped and all others are logged. You can specify both an “include” rule set and an “exclude” rule set for each event type, and “exclude” matches take precedence. In the sample above, the network filter uses both: an “include” rule captures connections to port 80 and 443, and an “exclude” rule drops those made by any process with iexplore.exe in its image name.
To allow comparison, the following depicts a simple EclecticIQ Endpoint Response configuration JSON file to capture “win_socket_events” (equivalent to <NetworkConnect> events in Sysmon).
As the sample config above shows, EclecticIQ Endpoint Response filters are defined under the “plgx_event_filters” key. Within the “win_socket_events” event filter you can filter on different columns, such as “remote_port” and “process_name”, much as the Sysmon <NetworkConnect> event can be filtered on “DestinationPort” and “Image”. The “values” list within the “include” and “exclude” blocks accepts wildcard expressions using * and ?, which play the role of Sysmon conditions such as “begin with”, “end with” and “contains”. The * wildcard stands for any sequence of characters and ? for a single character.
Here, the “win_socket_events” filter uses an “include” block on “remote_port” and an “exclude” block on “process_name” to capture activity to port 80 and 443 by all processes except those with iexplore.exe in their name (matched with the * wildcard).
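The two filter configurations described above, written out from the prose and evaluated side by side against the same connection events. This is an added example and not code from the original post, from Sysmon or from EclecticIQ: the XML and JSON texts are assumed file contents reconstructed from the description (the plgx_event_filters layout of event, column, include/exclude and values follows the text; the Sysmon schemaversion is arbitrary), the sample events are constructed, and the wildcard semantics follow standard globbing (* matches any run of characters, including none, compared case-insensitively), which is an assumption about the extension rather than something the post states.

```python
"""Added example (not Sysmon or EclecticIQ code): evaluate the two filter
configurations from the text against constructed network-connection events."""
import fnmatch
import json
import xml.etree.ElementTree as ET

# Sysmon XML reconstructed from the prose description (assumed file content).
SYSMON_CONFIG = """\
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <DestinationPort>80</DestinationPort>
      <DestinationPort>443</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="contains">iexplore.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
"""

# EclecticIQ Endpoint Response JSON reconstructed from the prose description
# (assumed layout: event -> column -> include/exclude -> values).
EIQ_CONFIG = """\
{
  "plgx_event_filters": {
    "win_socket_events": {
      "remote_port":  {"include": {"values": ["80", "443"]}},
      "process_name": {"exclude": {"values": ["*iexplore.exe*"]}}
    }
  }
}
"""


def sysmon_match(condition, value, pattern):
    """Subset of Sysmon rule conditions; Sysmon compares case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "excludes":
        return p not in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":  # full path or bare file name
        return v == p or v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"unsupported condition: {condition}")


def sysmon_logs_event(config_xml, event_type, event):
    """True if Sysmon would log `event` (dict of field -> string): it must hit
    an include rule (or no include rules exist) and hit no exclude rule."""
    root = ET.fromstring(config_xml)
    include, exclude = [], []
    for node in root.iter(event_type):
        rules = [(r.tag, r.get("condition", "is"), r.text or "") for r in node]
        (include if node.get("onmatch") == "include" else exclude).extend(rules)

    def hit(rules):
        return any(field in event and sysmon_match(cond, event[field], pat)
                   for field, cond, pat in rules)

    if exclude and hit(exclude):  # exclude matches take precedence
        return False
    return not include or hit(include)


def eiq_captures_event(config_json, table, row):
    """True if the Endpoint Response filter keeps `row` (dict column -> string).
    Assumed semantics: an include list must match one value, an exclude list
    must match none; values are case-insensitive glob patterns (* and ?)."""
    filters = json.loads(config_json)["plgx_event_filters"].get(table, {})
    for column, ops in filters.items():
        cell = row.get(column, "").lower()
        inc = [v.lower() for v in ops.get("include", {}).get("values", [])]
        exc = [v.lower() for v in ops.get("exclude", {}).get("values", [])]
        if inc and not any(fnmatch.fnmatchcase(cell, v) for v in inc):
            return False
        if any(fnmatch.fnmatchcase(cell, v) for v in exc):
            return False
    return True


# Constructed sample events: Sysmon fields, equivalent osquery row, expected result.
SAMPLES = [
    ({"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationPort": "443"},
     {"process_name": r"C:\Program Files\Mozilla Firefox\firefox.exe", "remote_port": "443"}, True),
    ({"Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "DestinationPort": "443"},
     {"process_name": r"C:\Program Files\Internet Explorer\iexplore.exe", "remote_port": "443"}, False),
    ({"Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": "3389"},
     {"process_name": r"C:\Windows\System32\svchost.exe", "remote_port": "3389"}, False),
    ({"Image": r"C:\Tools\IEXPLORE.EXE", "DestinationPort": "80"},
     {"process_name": r"C:\Tools\IEXPLORE.EXE", "remote_port": "80"}, False),
]


def compare_all():
    """Run every sample through both filters; returns (sysmon, eiq, expected) tuples."""
    return [(sysmon_logs_event(SYSMON_CONFIG, "NetworkConnect", ev),
             eiq_captures_event(EIQ_CONFIG, "win_socket_events", row), expected)
            for ev, row, expected in SAMPLES]


if __name__ == "__main__":
    for sysmon, eiq, expected in compare_all():
        print(f"sysmon={sysmon} eiq={eiq} expected={expected}")
```

The second and fourth samples are the ones worth watching: the port is on the include list, yet the event is dropped, because an exclude match wins in both tools, and the mixed-case path shows why the comparison must be case-insensitive on Windows. If you change the exclude value to "*iexplore.exe" (no trailing wildcard) the outcome is unchanged here, but a pattern without the leading * would silently stop matching full paths.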
The following table compares the filter elements available in Sysmon and EclecticIQ Endpoint Response for various filter types, giving a high-level overview of how close the two tools are in the grammar and rules they define for event filters.
The samples above illustrate how Sysmon and EclecticIQ Endpoint Response filters, although different in format (XML vs JSON), achieve the same aim: meaningful, targeted data collection. Because EclecticIQ Endpoint Response exposes its real-time data through osquery’s SQL interface, filters combined with query syntax give an efficient mechanism for threat hunting and data collection from endpoint devices at scale.