Sysmundo builds on Microsoft’s Sysmon DFIR utility to give you better observability, detection, and incident response across your Windows environment. It is a fit not only for EUC environments (such as RDS, Citrix, Parallels RAS, AVD, and VMware Horizon) but for any Windows network: it takes the auditing provided by the Sysinternals Sysmon utility and adds deployment, archiving, analysis, and reporting on top of it.
What is Sysmon?
Sysmon is a freeware utility developed by the Sysinternals team at Microsoft, led by Mark Russinovich, CTO of Microsoft Azure. It is one of the many tools the Sysinternals team provides to make Windows system administrators’ jobs easier.
When deployed on Windows servers and workstations in your environment, Sysmon becomes a “second Security log,” auditing important user and program actions on your systems.
Indispensable for detecting malware, hunting for Advanced Persistent Threats, or analyzing user activity in depth, Sysmon records nearly 30 different event categories on Windows systems: process creation, DNS queries, file creation and deletion, clipboard changes, registry keys created and modified, network connections, and more. The resulting record of what programs and users did lets you judge whether that activity is normal or aberrant and suggestive of intrusion.
In fact, as recently as November 2022, CISA and the FBI (together with HHS) released a joint Cybersecurity Advisory (CSA) in which they recommend deploying Sysmon on all networked systems to reduce the risk of compromise by Hive ransomware.
Suffice it to say, Sysmon is at this point a must-have DFIR (Digital Forensics and Incident Response) tool that should be deployed on every Windows system in a network.
What is Sysmundo and What Problems Does it Solve?
The traditional approach to deploying and utilizing Sysmon on Windows systems has been:
- Deploy it via scripts to servers and workstations on your network
- Use a SIEM or log aggregation product to ingest the data
- Write your own reports and queries in the SIEM to examine the collected data
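As an added illustration of the first and third steps above (this is example code written for this page, not Sysmundo’s own tooling), the following PowerShell pushes Sysmon to a group of computers and verifies that each one is logging. It assumes Sysmon64.exe and a sysmonconfig.xml sit in the current directory, that the targets are domain-joined with WinRM enabled and PowerShell 5.0 or later (needed for `Copy-Item -ToSession`), that you run it as a local administrator on the targets with the RSAT ActiveDirectory module available, and the OU path and remote folder are placeholders.

```powershell
# Added example, not Sysmundo's code: scripted Sysmon rollout of the kind the
# "traditional approach" relies on. OU path and remote folder are assumptions.
$Targets = Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=corp,DC=example' |
    Select-Object -ExpandProperty Name
$Remote  = 'C:\ProgramData\SysmonDeploy'

# Supply-chain check before pushing anything: the binary must carry a valid
# Microsoft Authenticode signature, whichever mirror or share it came from.
$sig = Get-AuthenticodeSignature -FilePath .\Sysmon64.exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*CN=Microsoft Corporation*') {
    throw "Sysmon64.exe signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

foreach ($computer in $Targets) {
    $s = $null
    try {
        $s = New-PSSession -ComputerName $computer -ErrorAction Stop

        # Copy through the session. Having the remote host pull from a file share
        # with your credential would hit the Kerberos second-hop problem.
        Invoke-Command -Session $s -ArgumentList $Remote -ScriptBlock {
            param($p) New-Item -ItemType Directory -Path $p -Force | Out-Null
        }
        Copy-Item -Path .\Sysmon64.exe, .\sysmonconfig.xml -Destination $Remote -ToSession $s -Force

        Invoke-Command -Session $s -ArgumentList $Remote -ScriptBlock {
            param($p)
            $exe = Join-Path $p 'Sysmon64.exe'
            $cfg = Join-Path $p 'sysmonconfig.xml'
            if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
                # Already installed: only load the new configuration (-c).
                & $exe -accepteula -c $cfg | Out-Null
                $action = 'reconfigured'
            } else {
                # Fresh install (-i) with the supplied configuration.
                & $exe -accepteula -i $cfg | Out-Null
                $action = 'installed'
            }
            # Prove the service runs and is actually writing to its event channel.
            $svc  = Get-Service -Name Sysmon64
            $last = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Action    = $action
                ExitCode  = $LASTEXITCODE
                Service   = $svc.Status
                LastEvent = $last.TimeCreated
            }
        }
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    } finally {
        if ($s) { Remove-PSSession $s }
    }
}
```

Removal uses the same pattern with `Sysmon64.exe -u` in place of `-i`. The signature check matters because the script runs the binary as SYSTEM on every target; a tampered Sysmon build would be a kernel-level implant with an audit tool’s name.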
The shortcomings of this approach center around:
- Difficulty of Sysmon deployment, reconfiguration, and removal
- High data ingestion costs charged by the SIEM vendor
- Costs (and the domain knowledge) associated with writing reports/correlations for Sysmon data loaded inside the SIEM
We designed Sysmundo to tackle these shortcomings head on. Windows administrators can deploy and change Sysmon configurations more easily, archive and use the generated log data without paying SIEM ingestion costs, quickly search for and analyze events of interest, and schedule routine reports that detect critical activity. Some of these features are free; the rest are provided under a commercial license at a very low cost relative to SIEM or log aggregation products.
Key Sysmundo Features
- Automatic download of the Sysmon tool from the Microsoft Sysinternals website. Sysmundo also automatically checks for updates to Sysmon and will notify you and offer to download the latest version (FREE FEATURE).
- Organization of computers into logical groupings (associated with Active Directory Organizational Units or manual lists) for automatic streamlined Sysmon deployments (FREE FEATURE).
- Links to the most popular Sysmon config file repositories on GitHub, such as those maintained by SwiftOnSecurity, Olaf Hartong, and Florian Roth. Sysmundo users can add further config file repositories to the program and can automatically download the latest config files to audition or modify when deploying Sysmon with Sysmundo (FREE FEATURE).
- Simple to use GUI wizard for deploying, upgrading, reconfiguring, and removing Sysmon on groups of computers, without need for scripting (FREE FEATURE).
- Automatic, agentless archiving of Sysmon logs from computers once or several times a day to local “hot storage.” Logs are also stored compressed in long-term “cold storage.”
- Logs in “cold storage” can be thawed at any time and reindexed for analysis.
- Lightweight indexing of archived Sysmon logs into SQL, making it easy to analyze and review certain types of activity by date/time range, users, computers, and programs.
- Additional analysis is supported for “live” Sysmon logs and previously saved Sysmon logs.
- “Pre-load” filtering on key fields for specific Sysmon categories: discovered values are pre-populated as filter choices before the log is loaded, drastically reducing load times. For instance, to see every program launched from Windows Explorer by a select group of users, a few clicks load exactly that subset into an analysis window.
- Sysmundo’s Data Analyzer window parses and normalizes key fields from specific Sysmon event categories, making them easily groupable, sortable, and filterable.
- Right-clicking an event of interest opens a context menu that looks up a specific field value via a Google search (bear in mind that the looked-up value, such as a hash or command line, leaves your environment when you do this).
- Sysmundo understands which fields correlate between different Sysmon event categories (for example, the ProcessGuid shared by a process-creation event and the network, file, and registry events that process later generates), and lets you perform “drill down” correlation when analyzing a set of log data.
- Discovered/filtered events can be exported to CSV and Excel files.
- Sysmundo ships with over two dozen reports that focus on different Sysmon categories and user/program behavior. Reports can be run manually or scheduled against prior day collected log data.
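The two analyses mentioned in the feature list, the “programs launched from Explorer by selected users” filter and the drill-down from a process to its related events, can also be run by hand against the Sysmon event log. The following is an added example written for this page, not Sysmundo’s code; it shows what the product automates. The account names, the time window, and the output file are assumptions.

```powershell
# Added example, not Sysmundo's code: filter Sysmon Event ID 1 (ProcessCreate)
# for children of explorer.exe started by a set of users, then pivot on
# ProcessGuid to Event ID 3 (NetworkConnect) to see where those programs talked.
$Log   = 'Microsoft-Windows-Sysmon/Operational'
$Users = @('CORP\alice', 'CORP\bob')          # assumed account names
$Since = (Get-Date).AddDays(-1)               # assumed window

# Flatten the <EventData><Data Name="..."> pairs of a Sysmon event into one object
# so the fields can be grouped, sorted, and filtered like a table.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{
            TimeCreated = $Event.TimeCreated
            EventId     = $Event.Id
            Computer    = $Event.MachineName
        }
        foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

# ID and time are filtered server-side; ParentImage and User are filtered client-side
# after parsing, which is simple but reads every ID 1 event in the window.
# -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
$launched = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 1; StartTime = $Since } `
                -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.ParentImage -like '*\explorer.exe' -and $Users -contains $_.User }

$launched | Select-Object TimeCreated, Computer, User, Image, CommandLine, ProcessGuid |
    Format-Table -AutoSize

# Drill down: an ID 3 event carries the ProcessGuid of the ID 1 event that created
# the process, so the join key is exact rather than a PID-plus-time heuristic
# (PIDs are reused; ProcessGuids are not).
$guids = @($launched.ProcessGuid | Sort-Object -Unique)
$conns = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $guids -contains $_.ProcessGuid }

$byProcess = $launched | ForEach-Object {
    $p = $_
    $dest = $conns | Where-Object ProcessGuid -eq $p.ProcessGuid |
        ForEach-Object { "$($_.DestinationIp):$($_.DestinationPort)" } |
        Sort-Object -Unique
    [pscustomobject]@{
        TimeCreated  = $p.TimeCreated
        Computer     = $p.Computer
        User         = $p.User
        Image        = $p.Image
        CommandLine  = $p.CommandLine
        Destinations = ($dest -join ', ')
    }
}

# Export the correlated result, the manual equivalent of the CSV export feature.
$byProcess | Export-Csv -Path .\explorer-children.csv -NoTypeInformation
```

The same ProcessGuid pivot works for the other categories that carry it (Event ID 11 FileCreate, 12/13 RegistryEvent, 22 DNSQuery), which is the correlation Sysmundo’s drill-down performs for you without the parsing step.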
Setting Up Sysmundo – A Video Walkthrough
Affordable Pricing
Sysmundo’s pricing is affordable and straightforward. Add up the Windows servers and workstations in your environment that will audit user and program behavior with Sysmon and from which Sysmundo will collect and analyze logs. Then select the most appropriate bundle below and follow the link to start a monthly or annual subscription.
| Servers/Workstations | Monthly Subscription | Annual Subscription |
|---|---|---|
| 5 Servers + 25 Workstations | $29.99 per month | $329.99 per year |
| 10 Servers + 50 Workstations | $49.99 per month | $549.99 per year |
| 25 Servers + 150 Workstations | $99.99 per month | $1,099.99 per year |
| More than 25 Servers + 150 Workstations | Contact Us For Quote | Contact Us For Quote |