SysmonForLinux: Custom Decoders and Rules [DL Series-5]

What is Sysmon?

Sysmon, short for System Monitor, is a Microsoft Windows-native system service and device driver. It provides detailed information on process creations, network connections, and changes to file creation time. This information is vital for detecting malicious activity and understanding system behavior in depth. Originally built for the Windows ecosystem, Sysmon has become a staple in endpoint monitoring and threat hunting.

With Sysmon for Linux, Microsoft brings the same powerful monitoring capabilities to the Linux platform. It enables security professionals to track process activities and network events.

How Sysmon Works on Linux

Sysmon for Linux operates using eBPF (Extended Berkeley Packet Filter). eBPF allows developers to run sandboxed programs within the Linux kernel without requiring kernel source code modifications or the loading of additional kernel modules. This design makes Sysmon lightweight and efficient while providing real-time insights into system activities. By leveraging eBPF, Sysmon for Linux can monitor and capture:

  • Process creation and termination.

  • Network connections.

  • File creation and deletion.

Installing Sysmon for Linux

In our Detection Lab, we set up Sysmon on a Linux endpoint running Ubuntu 22.04.

Register Microsoft Key and Feed

Modify Permissions for the Key

Install Sysmon for Linux

Configure Sysmon

Paste the following configuration:

Validate the Configuration File

Run the following command to validate and apply the configuration file:

Test Sysmon Installation

Check the logs to ensure Sysmon is running:

You should see output similar to the following snippet:

By following these steps, you can successfully install and configure Sysmon for Linux.

Now that we’ve set up SysmonForLinux on our Ubuntu endpoint, let’s focus on integrating it with Wazuh. By default, SysmonForLinux logs events in real time to the syslog file, but Wazuh can’t parse these logs because it ships no decoder for SysmonForLinux. As illustrated in the snippet of the ruleset test below, no decoder is found.

To address this, we will add a custom decoder for SysmonForLinux and custom rules to trigger Sysmon events.

Steps to Integrate SysmonForLinux Logs

Add custom decoder

The custom decoder allows Wazuh to understand the structure of SysmonForLinux logs by matching specific fields using regex. Here’s a brief explanation of the setup process:

→ Log in to the Wazuh dashboard.

→ Click the menu icon (☰) in the upper-left corner to open the navigation menu. From the menu, select ‘Decoders’.

→ Click on ‘Add new decoders file’ to create a new file for the decoder. Name the file sysmonforlinux.xml.

→ Copy and paste the decoder configuration from the GitHub repository.

→ Save the file and restart the Wazuh Manager.

Explaining the SysmonForLinux Decoder

  • <decoder name="sysmon-linux">: This is the base decoder named sysmon-linux, which acts as a foundation for parsing Sysmon logs.

  • <program_name>sysmon</program_name>: This specifies that logs with the program name sysmon should be matched to this decoder.

  • <decoder name="sysmon-linux-child">: This defines a child decoder, inheriting the base decoder’s configuration.

  • <parent>sysmon-linux</parent>: It specifies that this decoder is a child of the sysmon-linux decoder.

  • <regex offset="after_parent">\pEventID\p(\d+)\p/EventID\p</regex>: The regex is applied to the part of the log that follows what the parent (sysmon-linux) matched, so it looks inside the log for specific details such as the EventID.

  • (\d+): \d matches any digit (0–9), + means “one or more” of the preceding element (here, digits), and the parentheses () create a capture group, so the digits matched by \d+ are captured. For example, if the log contains EventID 12, the regex captures 12.

  • If the value to capture is alphanumeric or contains symbols (such as a GUID), we use a different pattern, (\.+). In Wazuh’s regex syntax the escaped dot (\.) acts as a wildcard, matching any character except whitespace. For example, if the log contains the processGuid {ca2cb1ca-2265-6791-0000-000000000000}, the regex captures {ca2cb1ca-2265-6791-0000-000000000000}.

Add Custom Rules

Once the logs are decoded, rules are necessary to trigger alerts for specific events.

→ From the menu (☰), select ‘Rules’.

→ Click on ‘Add new rules file’ to create a new file for the sysmon rules. Name the file sysmonforlinux.xml.

→ Copy and paste the rules configuration from the GitHub repository.

→ Save the file and restart the Wazuh Manager.

Explaining the SysmonForLinux rules

  • The parent rule 200150 detects Sysmon for Linux events by matching logs decoded as sysmon-linux, identifying any system.eventId field with one or more characters (\.+), and grouping them under <description>Sysmon For Linux Event</description>.

  • <rule id="200151" level="10">: The rule ID 200151 uniquely identifies this rule, and level="10" specifies the severity of the alert generated when it triggers.

  • <if_sid>200150</if_sid>: The current rule will only execute if the parent rule 200150 has already matched a log entry.

  • <field name="system.eventId">^1$</field>: This specifies that the system.eventId field in the log must exactly match the value 1. The regex ^1$ ensures:

  • ^ matches the beginning of the string.

  • 1 matches the character “1”.

  • $ matches the end of the string.

  • Dynamic Data Insertion: $(eventdata.image) in the <description> tag is a placeholder that pulls the value from the event’s eventdata.image field, which contains the name or path of the process that was created. This helps in identifying the specific process involved.
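To make the decoder chain and the rule hierarchy above concrete, here is an added Python simulation (not the SOCFortress decoder or rules file, and not Wazuh’s engine) that walks one constructed Sysmon for Linux syslog line through the same steps: the parent decoder matches the program name, the child decoder captures EventID, ProcessGuid and Image, rule 200150 matches any decoded event, rule 200151 fires only via if_sid when system.eventId is exactly 1, and $(eventdata.image) is filled into the description. The level for rule 200150 and the sample log line are assumptions.

```python
import re

# Constructed sample (not a real capture): a Sysmon for Linux process-creation
# event (EventID 1) as written to /var/log/syslog on the Ubuntu endpoint.
SAMPLE_LOG = ('Jan 10 12:00:01 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
              '<EventID>1</EventID></System><EventData>'
              '<Data Name="ProcessGuid">{ca2cb1ca-2265-6791-0000-000000000000}</Data>'
              '<Data Name="Image">/usr/bin/curl</Data></EventData></Event>')

# Syslog header; the program field is what <program_name>sysmon</program_name> tests.
SYSLOG_HEADER = re.compile(r'^\w{3}\s+\d+ [\d:]+ \S+ (?P<program>[^:\[ ]+)(\[\d+\])?: (?P<msg>.*)$')

# Child-decoder equivalents, applied to the message "after_parent":
# (\d+) for the numeric EventID, a non-whitespace capture for GUIDs and paths.
FIELD_PATTERNS = {
    "system.eventId": re.compile(r'<EventID>(\d+)</EventID>'),
    "eventdata.processGuid": re.compile(r'<Data Name="ProcessGuid">(\S+)</Data>'),
    "eventdata.image": re.compile(r'<Data Name="Image">(\S+)</Data>'),
}

def decode(line):
    """Parent decoder: program must be 'sysmon'; child decoder: extract the fields."""
    m = SYSLOG_HEADER.match(line)
    if not m or m.group("program") != "sysmon":
        return None  # the ruleset test would report: no decoder found
    fields = {"decoder": "sysmon-linux"}
    for name, pattern in FIELD_PATTERNS.items():
        hit = pattern.search(m.group("msg"))
        if hit:
            fields[name] = hit.group(1)
    return fields

# Rule equivalents: id, level, <description>, condition on the decoded fields.
# Level 3 for the parent rule is an assumption; the page gives only level 10 for 200151.
PARENT_RULE = (200150, 3, "Sysmon For Linux Event",
               lambda f: f["decoder"] == "sysmon-linux" and bool(f.get("system.eventId")))
CHILD_RULE = (200151, 10, "Sysmon For Linux: process created $(eventdata.image)",
              lambda f: re.fullmatch("1", f.get("system.eventId", "")) is not None)  # ^1$

def match_rules(fields):
    """Parent rule first; the child runs only if_sid 200150 matched, and then wins."""
    if fields is None or not PARENT_RULE[3](fields):
        return None
    rule_id, level, desc, _ = CHILD_RULE if CHILD_RULE[3](fields) else PARENT_RULE
    # $(field) placeholders in <description> are filled from the decoded fields.
    desc = re.sub(r'\$\(([\w.]+)\)', lambda p: fields.get(p.group(1), ""), desc)
    return rule_id, level, desc
```

Running `match_rules(decode(SAMPLE_LOG))` yields rule 200151 at level 10 with the image path substituted, while a non-sysmon syslog line decodes to None, mirroring the "no decoder found" result shown earlier.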

Validating Sysmon log parsing

  • Verify Decoder: To ensure the decoder is parsing properly, begin by copying a raw Sysmon log entry from the syslog file on your Ubuntu endpoint. Use the following command to locate the log:

  • Wazuh's Ruleset Feature: Next, use the Wazuh Ruleset Test feature. Paste the copied Sysmon log into the tool and verify that the decoder parses the log correctly. If the decoder is working as expected, you should see results similar to the following snippet.

  • Check Alerts in Discover: Finally, go to the Discover section in your Wazuh dashboard and search for the following query:

If everything is working, you should see alerts similar to the snippet shown below.

By following these steps, you can successfully ingest Sysmon for Linux logs into Wazuh and trigger alerts for process creation and termination, network connections, or file creation and deletion, which will be helpful in threat-hunting scenarios.

Acknowledgments

I would like to express my sincere gratitude to the following individuals and organizations for their invaluable contributions:

Santiago Bassett for creating the powerful tool, Wazuh, which serves as the backbone for this article.

Microsoft for making Sysmon available for Linux, enabling enhanced monitoring and detection capabilities.

Taylor Walton from SOCFortress for developing the custom decoder and rules configuration and making them available to the community, which greatly enhanced my understanding of custom decoders and rules in Wazuh.

Upcoming

In our next article, we’ll dive deep into Suricata integration with Wazuh, exploring how this powerful intrusion detection and prevention system can enhance your security setup, from configuring Suricata to parsing its alerts with jq.

Check out the next article here: Suricata Integration with Wazuh [DL Series-6]

Feel free to ask questions or share your feedback in the comments section — I’d love to hear from you! You can also connect with me on Gibin John to clarify any doubts or continue the conversation.

Follow my Medium profile to stay updated on the full series: Gibin John.

#wazuh #WazuhSecurity #CyberDetectionLab #WazuhSIEM #ThreatHunting #CybersecurityLab #Wazuh #SecurityMonitoring #SIEM #IncidentResponse #ThreatDetection #SecurityOps #WazuhDetection #SOCLab #CyberThreatIntel #WazuhAlerting #LogAnalysis #CyberDefense #MalwareDetection #Sysmon #SOCAnalysis

Alexander Dvoynin

Cyber Security Expert (Also named “Person of the Year” by Time magazine in 2006. True story.)

6mo

Very informative
