What You'll Learn
- Understand the visibility gap between standard Windows logging and Sysmon-enhanced telemetry
- Identify the 5 most critical Sysmon Event IDs (1, 3, 7, 11, 13) and what each detects
- Find process creation events (Sysmon 1) that reveal the full command line of every executed program
- Correlate Sysmon network connection events (Event 3) with firewall and SIEM alerts
- Build a visibility comparison matrix showing what standard Windows + Sysmon catches vs. what it misses
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-wazuh |
| Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard |
| Estimated Time | 60–75 minutes |
| Difficulty | Intermediate |
| Browser Access | Wazuh Dashboard (Web UI) |
| Pre-Loaded Data | 505 alerts including Sysmon-enriched Windows events on WIN-SERVER-01 |
| Deliverable | Sysmon Visibility Assessment with detection gap analysis |
The Visibility Problem. Standard Windows logging tells you that a user logged in. Sysmon tells you what process they ran, what network connections it made, what DLLs it loaded, and what registry keys it modified. In modern SOC operations, the difference between "we detected the breach in 4 hours" and "we detected the breach in 4 weeks" often comes down to Sysmon.
The Scenario
Your CISO asks: "Our Wazuh is collecting Windows Security logs, but I keep reading that we need Sysmon. What visibility are we missing without it? Show me specific examples of attacks that standard logging misses but Sysmon catches."
Your lab environment has both standard Windows Security logs AND Sysmon events on WIN-SERVER-01. You'll compare them side-by-side and build the case for why Sysmon is essential.
Part 1: Understanding the Sysmon Event ID Landscape
Sysmon generates 29 distinct event types. SOC analysts focus on 5 that cover 90% of detection use cases:
| Sysmon Event ID | Name | SOC Value |
|---|---|---|
| 1 | Process Creation | See every program executed, with full command line and parent process |
| 3 | Network Connection | See every outbound/inbound TCP/UDP connection with process name |
| 7 | Image Loaded (DLL) | Detect DLL injection and sideloading attacks |
| 11 | File Created | Detect malware drops, web shells, and suspicious file writes |
| 13 | Registry Value Set | Detect persistence via registry modifications |
Sysmon vs. Windows Security Logs. Windows Security logs (Event IDs 4624, 4625, 4688, 7045, etc.) are generated by the OS. Sysmon events are generated by a separate Microsoft Sysinternals tool that hooks deeper into the kernel. They complement each other — you need BOTH for full visibility.
Part 2: Process Creation — Sysmon Event ID 1
Step 1: Find Process Creation Events
Search Wazuh for Sysmon Event ID 1 on WIN-SERVER-01:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 1 AND data.win.system.providerName: Microsoft-Windows-Sysmon
Step 2: Examine a Process Creation Event
Click on any Event ID 1 result and expand it. You'll find fields that standard logging doesn't capture:
| Sysmon Field | What It Contains | Why It Matters |
|---|---|---|
| data.win.eventdata.commandLine | Full command with all arguments | See exactly what was executed — not just "cmd.exe ran" but "cmd.exe /c whoami /all" |
| data.win.eventdata.parentCommandLine | The process that launched this one | Trace the execution chain — was this launched by Explorer (user) or by a script? |
| data.win.eventdata.parentImage | Parent process path | Identify suspicious parents (Word launching PowerShell = macro malware) |
| data.win.eventdata.hashes | File hash (SHA256, MD5, etc.) | Instantly check against threat intelligence feeds |
| data.win.eventdata.user | Account running the process | Know who's responsible |
| data.win.eventdata.currentDirectory | Working directory | Malware often runs from Temp or AppData folders |
Step 3: Compare with Windows 4688
Now search for the equivalent standard Windows event:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 4688
Compare the fields available:
| Field | Sysmon Event 1 | Windows 4688 |
|---|---|---|
| Command line | Full command with arguments | Requires separate GPO to enable |
| Parent process | Full path + command line | Only process ID (no path) |
| File hash | SHA256, MD5, IMPHASH | Not available |
| Working directory | Full path | Not available |
| Network user info | Logon ID + username | Limited |
The Command Line Gap. Without Sysmon, Windows 4688 only shows that "powershell.exe" started. With Sysmon Event 1, you see: powershell.exe -enc JABjAGwAaQBlAG4AdAA= — a base64-encoded command, which is a massive red flag. This single visibility difference catches most fileless malware.
Step 4: Find Suspicious Process Creation
Search for processes that should raise analyst attention:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 1 AND data.win.eventdata.parentImage: *cmd.exe
Or look for any PowerShell execution, whatever its parent, since PowerShell is the most common living-off-the-land tool:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 1 AND data.win.eventdata.image: *powershell*
Document what you find. What processes are running? Are any suspicious?
Part 3: Network Connections — Sysmon Event ID 3
Step 1: Find Network Connection Events
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 3 AND data.win.system.providerName: Microsoft-Windows-Sysmon
Step 2: Analyze Connection Fields
Each Event 3 record shows a complete network connection with the PROCESS that made it:
| Field | Value | Analyst Use |
|---|---|---|
| data.win.eventdata.image | Process that made the connection | Which program is talking to the network? |
| data.win.eventdata.destinationIp | Remote IP | Where is it connecting to? |
| data.win.eventdata.destinationPort | Remote port | What service? (443=HTTPS, 4445=suspicious) |
| data.win.eventdata.protocol | tcp/udp | Connection type |
| data.win.eventdata.initiated | true/false | Did the local process initiate (outbound) or receive (inbound)? |
Step 3: Find Suspicious Outbound Connections
Search for outbound connections to unusual ports:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 3 AND data.win.eventdata.initiated: true AND NOT data.win.eventdata.destinationPort: (80 OR 443 OR 53)
This filters for connections that are NOT standard web (80/443) or DNS (53). What remains might be C2 communications, lateral movement, or data exfiltration.
Why Process + Network = Gold. Standard firewall logs show "10.0.2.20 connected to 185.220.101.42:4445." Sysmon Event 3 shows "powershell.exe on 10.0.2.20 connected to 185.220.101.42:4445." The process context transforms a network event from "something connected" to "this specific program made a suspicious connection" — which is immediately actionable.
Part 4: File Creation and Registry — Events 11 and 13
Step 1: Find File Creation Events (Event 11)
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 11 AND data.win.system.providerName: Microsoft-Windows-Sysmon
Sysmon Event 11 captures every file created on disk. Key fields:
| Field | Analyst Use |
|---|---|
| data.win.eventdata.targetFilename | Full path of created file — watch for Temp folders, startup dirs |
| data.win.eventdata.image | Process that created the file — was it Explorer or a script? |
Search for files created in suspicious locations:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 11 AND data.win.eventdata.targetFilename: *Temp*
Step 2: Find Registry Modifications (Event 13)
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 13 AND data.win.system.providerName: Microsoft-Windows-Sysmon
Registry modifications are the #1 persistence mechanism on Windows. Event 13 captures:
| Field | Analyst Use |
|---|---|
| data.win.eventdata.targetObject | Registry key modified — Run keys = auto-start |
| data.win.eventdata.details | Value written — the actual payload or path |
| data.win.eventdata.image | Process making the change |
Look for modifications to common persistence locations:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 13 AND data.win.eventdata.targetObject: *CurrentVersion\\Run*
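The same triage logic the Parts 2 to 4 searches express in the dashboard, as an added Python example that is not part of the lab: it runs over constructed alerts in the `data.win.system` / `data.win.eventdata` layout Wazuh uses for Windows events (the sample values, the `ev` helper and the `triage` function names are assumptions, not lab data).

```python
# Constructed sample alerts in Wazuh's data.win.* layout (not real lab data).
def ev(eid, provider="Microsoft-Windows-Sysmon", **eventdata):
    return {"agent": {"name": "WIN-SERVER-01"},
            "data": {"win": {"system": {"eventID": str(eid), "providerName": provider},
                             "eventdata": eventdata}}}

SAMPLE = [
    ev(1, image=r"C:\Windows\System32\cmd.exe",
       parentImage=r"C:\Program Files\Microsoft Office\WINWORD.EXE",
       commandLine="cmd.exe /c whoami /all"),
    ev(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       parentImage=r"C:\Windows\explorer.exe",
       commandLine="powershell.exe -enc JABjAGwAaQBlAG4AdAA="),
    ev(3, image=r"C:\Windows\System32\svchost.exe", initiated="true",
       destinationIp="185.220.101.42", destinationPort="4445"),
    ev(3, image=r"C:\Program Files\Mozilla Firefox\firefox.exe", initiated="true",
       destinationIp="93.184.216.34", destinationPort="443"),      # constructed benign HTTPS
    ev(11, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       targetFilename=r"C:\Users\admin\AppData\Local\Temp\update.exe"),
    ev(13, image=r"C:\Windows\System32\reg.exe",
       targetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
       details=r"C:\Users\admin\AppData\Local\Temp\update.exe"),
    ev(4688, provider="Microsoft-Windows-Security-Auditing",      # standard log: no command line
       newProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
EXPECTED_PORTS = {"80", "443", "53"}          # the NOT (80 OR 443 OR 53) filter from Part 3

def triage(alert):
    """Return the reasons a single alert merits analyst attention ([] = none)."""
    win = alert["data"]["win"]
    if win["system"]["providerName"] != "Microsoft-Windows-Sysmon":
        return []                              # 4688 and friends lack the fields checked below
    eid, ed = win["system"]["eventID"], win["eventdata"]
    hits = []
    if eid == "1":                             # process creation
        if ed.get("parentImage", "").lower().endswith(OFFICE_PARENTS):
            hits.append("Office application spawned a child process")
        if any(f in ed.get("commandLine", "").lower() for f in (" -enc ", " -encodedcommand ")):
            hits.append("encoded PowerShell command line")
    elif eid == "3":                           # network connection, outbound only
        if ed.get("initiated") == "true" and ed.get("destinationPort") not in EXPECTED_PORTS:
            hits.append(f"{ed['image']} outbound to {ed['destinationIp']}:{ed['destinationPort']}")
    elif eid == "11":                          # file created
        if "\\temp\\" in ed.get("targetFilename", "").lower():
            hits.append("file dropped under a Temp folder")
    elif eid == "13":                          # registry value set
        if "currentversion\\run" in ed.get("targetObject", "").lower():
            hits.append("Run-key persistence")
    return hits

def triage_all(alerts):
    """Index -> reasons, for only those alerts that produced findings."""
    return {i: r for i, a in enumerate(alerts) if (r := triage(a))}
```

The 4688 record is skipped on purpose: it carries none of the parent, command-line, hash or network fields the checks rely on, which is the visibility gap this lab is about.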
Part 5: Build the Visibility Comparison Matrix
Create a comprehensive matrix comparing what each log source catches:
VISIBILITY COMPARISON MATRIX
Agent: WIN-SERVER-01
| Attack Technique | Win Security | Sysmon | Both | Neither |
|---|---|---|---|---|
| User logon (4624/4625) | ✓ | | ✓ | |
| Brute force pattern | ✓ | | | |
| Process with command line | | ✓ | | |
| Parent → child process chain | | ✓ | | |
| Service installation (7045) | ✓ | | | |
| DLL loading | | ✓ | | |
| Network conn. with process | | ✓ | | |
| File creation with process | | ✓ | | |
| Registry persistence | | ✓ | | |
| Audit log clearing (1102) | ✓ | | | |
| Process hash | | ✓ | | |
| Lateral movement (PsExec) | Partial | ✓ | | |
Fill In Your Findings
For each row, search for relevant events in Wazuh and confirm which log source provides the data. Note the specific Wazuh fields where you found each piece of information.
Part 6: Write the CISO Brief
Write a 1-page brief answering the CISO's question: "What are we missing without Sysmon?"
Structure your brief:
- Executive Summary (2-3 sentences): What visibility gap exists
- Top 3 Detection Gaps: Specific attack types that standard logging misses
- Evidence: Reference specific events from your lab showing the difference
- Recommendation: Deploy Sysmon with a specific configuration focus
Deliverable Checklist
Before completing the lab, ensure you have:
- Process Creation Analysis — compared Sysmon Event 1 vs. Windows 4688 for at least 3 events
- Network Connection Analysis — found Sysmon Event 3 events and identified the connecting process
- File/Registry Analysis — searched for Event 11 and Event 13 in suspicious locations
- Visibility Comparison Matrix — completed for all 12 attack techniques
- CISO Brief — 1-page document with evidence-backed recommendations
Key Takeaways
- Standard Windows Security logs provide authentication and high-level system events
- Sysmon adds process command lines, parent-child chains, network connections with process context, file creation, and registry modifications
- The combination of Windows Security + Sysmon provides near-complete endpoint visibility
- Process + Network correlation (which program made which connection) is the single most valuable Sysmon capability for SOC analysts
- Without Sysmon, most fileless malware, living-off-the-land attacks, and lateral movement go undetected
What's Next
You've completed the SIEM Mastery module. In Module 3 — OS Internals, you'll dive deeper into the operating system artifacts that Sysmon monitors — processes, registry, file systems, and event logs — learning to investigate them directly on endpoints.
Lab Challenge: Sysmon Visibility Boost
10 questions · 70% to pass
Search for Sysmon Event ID 1 on WIN-SERVER-01. What field contains the full command line including all arguments of the executed process?
Sysmon Event ID 3 shows network connections. What critical context does it provide that standard firewall logs do NOT?
Compare Windows Event 4688 (Process Creation) with Sysmon Event 1 (Process Creation). Which critical field is available in Sysmon but NOT in standard 4688?
You search for Sysmon Event 13 (Registry Value Set) with targetObject containing 'CurrentVersion\Run'. What attack technique does this detect?
A Sysmon Event 1 shows: parentImage: 'C:\Program Files\Microsoft Office\WINWORD.EXE', image: 'C:\Windows\System32\cmd.exe'. Why is this parent-child relationship suspicious?
Which Sysmon Event ID would detect an attacker using DLL sideloading — placing a malicious DLL in the same directory as a legitimate application?
You filter for outbound connections (Event 3, initiated: true) excluding ports 80, 443, and 53. A result shows svchost.exe connecting to an external IP on port 4445. What should you investigate?
Sysmon Event 11 (File Created) shows a file created at 'C:\Users\admin\AppData\Local\Temp\update.exe' by the process 'powershell.exe'. What two indicators make this suspicious?
Without Sysmon, a 'living-off-the-land' attack using only built-in Windows tools (PowerShell, certutil, bitsadmin) would be nearly invisible. Which Sysmon Event ID is MOST critical for detecting this type of attack?
Based on your visibility comparison matrix, how many of the 12 common attack techniques are ONLY detectable with Sysmon (not by Windows Security logs alone)?