Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪

Published Oct 14 2021 11:55 AM 13.5K Views
Microsoft

Blog-page.png

Thanks to Kevin Sheldrake, Russell McDonald, Jessen Kurien and Ofer Shezaf for making this blog possible.

 

Today, we celebrate 25 years of Sysinternals, a set of utilities to analyze, troubleshoot and optimize Windows systems and applications. Also, as part of this special anniversary, we are releasing Sysmon for Linux, an open-source system monitor tool developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and sending them to Syslog for easy consumption. Sysmon for Linux is built on a library also released today named sysinternalsEBPF which is built on libbpf including a library of eBPF inline functions used as helpers. 

 

In this post, I will show you how to automatically deploy a research lab environment with an Azure Sentinel instance and a few Linux virtual machines with Sysmon for Linux already installed and configured to take it for a drive and explore its coverage.

 

As always, before getting into the technical parts of the main topics, it is important to understand some of the fundamental concepts behind Sysmon for Linux.  

 

What is eBPF?

According to the eBPF Foundation, eBPF is a technology that allows programs to run in a sandbox in an operating system kernel. In other words, eBPF enables programmers to write code which gets executed in kernel space in a more secure and restricted way in order to add additional capabilities to the operating system at runtime. 

 

Some of the use cases for eBPF are: 

  • Security: Combining visibility and better level of control to secure systems. 
  • Tracing and profiling: Powerful and unique insights to troubleshoot system performance. 
  • Networking: A natural fit for all packet processing requirements of networking solutions. 
  • Observability and monitoring: Collection and in-kernel aggregation of custom metrics.

 

Why eBPF for Sysmon for Linux? 

From an event-tracing perspective, eBPF allows us to write event-driven programs and have pre-defined hooks into operations such as system calls, network connections, file write/read, etc. We can then collect those events and use them to understand adversary behavior during research or an investigation. As mentioned before, Sysmon for Linux uses its own library “sysinternalsEBPF” to handle the security events monitoring process.

 

Cyb3rWard0g_0-1634229152075.png

 

You can find more information about the implementation of the new sysinternals EBPF library in the following resources: 

 

Installing Sysmon for Linux 

All the information presented here about the installation is available in its own GitHub repository:

 

Register Microsoft Key and Feed 

Sysmon for Linux requires the following packages during installation: 

  • sysinternalsebpf (.DEB or .RPM) 
  • sysmonforlinux (.DEB or .RPM)

For example, for Ubuntu you can run the following (More examples in the INSTALL documents above):

 

 

wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb

 

 

Install Packages 

Depending on the Linux distribution and package manager, you can use the apt dependency resolver (Debian based distros) or the RPM package manager (Fedora based distros). 

 

Following the Ubuntu example, you can run the following commands to install sysinternalsEBPF and Sysmon in that order

 

 

sudo apt-get update
sudo apt-get install sysinternalsebpf
sudo apt-get install sysmonforlinux

 

 

Next, you should be able to run the sysmon command:

 

 

sysmon –h 

 

 

Cyb3rWard0g_1-1634229152079.png

 

Run Sysmon as a Service 

Finally, we can use the sysmon binary to install and run Sysmon as a service with a specific Sysmon config (like how one installs Sysmon for Windows).

 

 

sudo sysmon -accepteula -i sysmonconfig.xml

 

 

Cyb3rWard0g_2-1634229152004.png

 

Explore Syslog Events  

You can explore Sysmon events from the Syslog log. Later in this post, I will show you how to use other tools to show Sysmon events in a more user-friendly view ;)

 

 

tail –f /var/log/Syslog

 

 

Cyb3rWard0g_3-1634229152008.png

 

The Sysmon for Linux Configuration 

At the time of writing, the Sysmon schema version is 4.81, check here for latest version. An example of a config to collect all events can be found in the following link (Not recommended to use in a production environment due to the large number of events generated):

 

SysmonForLinux-CollectAll-Config.xml (github.com) 

 
Use the following command to update the Sysmon config:

 

 

sudo sysmon –c newconfig.xml

 

 

Configuration Options 

Option 

Description 

Sample 

FieldSizes 

specify how long you want fields to be so you can avoid the Syslog overrun/broken XML problem 

<FieldSizes>CommandLine:50,Image:50</FieldSizes> 

 

Available Events 

Event ID 

Description 

1 

Logs when a new process is created. 

3 

Logs TCP/UDP connections on the machine 

4

Logs the state of the Sysmon service (started or stopped).

5 

Logs when a process terminates. 

9 

Logs when a process conducts reading operations, from the drive. 

11 

Logs when a file is created or overwritten. 

16 

Logs when the local Sysmon configuration is updated. 

23 

Logs when a file is deleted by a process. 

 

All the events in Sysmon for Linux are already documented as data dictionaries in the open-source project OSSEM. You can access that information in the following link:

 

 https://github.com/OTRF/OSSEM-DD/tree/main/linux/sysmon 
 

The MSTIC Sysmon for Linux Configuration 

The MSTIC R&D team is sharing a few configuration files as part of the release of this project and will be maintaining them as we use them for research and development of detections.

 

MSTIC-Sysmon/linux/configs at main · microsoft/MSTIC-Sysmon (github.com)

How do we automate the installation process? 

The installation of Sysmon for Linux can be automated with the following bash script 

 

https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/scripts/bash/Install-Sysmon-For-L...  
 

What about a full lab environment? Enter Azure Sentinel To-go!  

Azure Sentinel2Go is an open-source project developed to expedite the deployment of an Azure Sentinel lab along with other Azure resources to expedite research and the development of detections. 
 
https://github.com/OTRF/Azure-Sentinel2Go

 

Azure Sentinel + Sysmon for Linux Environment 

We have updated our previous Linux environment and we can now deploy everything needed for a small research lab with Sysmon for Linux configured and an Azure monitor agent sending logs to Azure Sentinel:

 

Azure-Sentinel2Go/grocery-list/Linux at master · OTRF/Azure-Sentinel2Go (github.com)

 

We were able to use Azure Resource Manager (ARM) templates and a bash script to automate the whole setup. These are all the resources used for each component of the research lab:  

 

Deploying the Lab Environment  

 

Cyb3rWard0g_4-1634229152010.png

 

  • Fill out the following parameters:
    • Subscription (selected by default)
    • Resource group
    • Region (selected by default) 
    • Admin Username
    • Admin Password
    • Remote Access Mode (AllowPublicIP selected by default. You can also use Azure Bastion Host. You would just need to set the Allowed IP Addresses parameter to *)
    • Allowed IP Addresses (If you use the default access mode AllowPublicIP, use your home or office public IP address to only allow access from secure places. 
  • Click the Review > Create buttons to start the deployment 
  • You can go to your resource group and explore all the resources being deployed 

  

Cyb3rWard0g_5-1634229152012.png

 

  • Wait around 5-10 minutes! You should be good to go! 

 

Cyb3rWard0g_6-1634229152015.png

 

  • You can go to the resource group and see all the resources  

 

Cyb3rWard0g_7-1634229152019.png

 

Validate Deployment 

It is very important to validate if everything was deployed properly before exploring events from Sysmon.

 

Sysmon running as a service 

SSH to all your VMs and run the following commands

 

 

systemctl status sysmon

 

 

Cyb3rWard0g_8-1634229152099.png

 

Explore Syslog Events  

You can explore Sysmon events from the Syslog log.

 

 

tail –f /var/log/Syslog

 

 

Cyb3rWard0g_9-1634229152043.png

 

Explore Sysmon Events via sysmonLogView 

Sysmon also comes with a binary named sysmonLogView to explore sysmon events in a friendly format.

 

Cyb3rWard0g_10-1634229152094.png

 

Cyb3rWard0g_11-1634229152083.png

 

Run the following commands to explore Sysmon event id 1 (ProcessCreate) events locally:

 

 

sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1

 

 

linux-sysmon-tail-sysmonlogview.png

 

Azure Sentinel 

Check if you are getting Syslog events via the Azure Sentinel interface: 

 

sysmon-azure-sentinel.png

 

Next, click on logs and run the following Kusto query to see if all your endpoints are generating events and are being collected by the Azure Log Analytics agent:

 

 

Syslog 
| summarize count() by Computer

 

 

sysmon-azure-sentinel-query.png

 

Querying Sysmon for Linux 

You can query Sysmon for Linux logs by using the Syslog table with the following Kusto query:

 

 

Syslog 
| extend EventID = parse_xml(SyslogMessage).Event.System.EventID 
| extend EventData = parse_xml(SyslogMessage).Event.EventData.Data 
| mv-expand bagexpansion=array EventData 
| evaluate bag_unpack(EventData) 
| extend Key=tostring(['@Name']), Value=['#text'] 
| evaluate pivot( 
    Key, any(Value), TimeGenerated, TenantId, SourceSystem, 
    EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId 
) 
| summarize count() by tostring(EventID)

 

 

Additionally, as part of the ASIM (Azure Sentinel Information Model) project, we have created parsers for Sysmon for Linux. The parsers get imported automatically by the template we use to deploy the lab environment. Therefore, you can simply use the parsers available under Functions > Workspace functions:

 

 

vimProcessCreateLinuxSysmon
| limit 10 

 

 

linux-sysmon-azure-sentinel.png

 

That’s it! You are now ready to use Sysmon for Linux in a lab environment for research and development of detections ;)  

 

Sysmon for Linux Resources 

 

References 

4 Comments
Senior Member

This is so awesome!!! I love it! Thanks for sharing!

 

Happy Azure Stacking!!!

New Contributor

How is this related to the Defender for Linux Agent?

 

Will this be part of the Defender Agent or a completely seperate product?

Occasional Visitor

Thank you for sharing, would this also work on an on-premise Linux Box, with an ARC Agent enabled and the use of the new Azure Monitoring Agent (as a extension for Azure Arc enabled servers) ?

 

I just do not seem to get it working...

 

kind regards,

 

Peter

Microsoft

Hi, @ErikOppedijk , Sysmon for Linux is a separate project that is just focused on logging and is open source. 

 

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2847054%22%20slang%3D%22en-US%22%3EAutomating%20the%20deployment%20of%20Sysmon%20for%20Linux%20%3Apenguin%3A%3C%2Fimg%3E%20and%20Azure%20Sentinel%20in%20a%20lab%20environment%20%F0%9F%A7%AA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2847054%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Blog-page.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317433i969852CF86E8D694%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Blog-page.png%22%20alt%3D%22Blog-page.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSPAN%3EThanks%20to%20Kevin%20Sheldrake%2C%20Russell%20McDonald%2C%20Jessen%20Kurien%20and%20Ofer%20Shezaf%20for%20making%20this%20blog%20possible.%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EToday%2C%20we%20celebrate%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fwindows-events%2Fsysinternals-25-a-special-anniversary-event%2Fev-p%2F2787286%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E25%20years%20of%20Sysinternals%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%26nbsp%3Ba%20set%20of%20utilities%20to%20analyze%2C%20troubleshoot%20and%20optimize%20Windows%20systems%20and%20applications.%26nbsp%3BAlso%2C%26nbsp%3Bas%20part%20of%20this%20special%20anniversary%2C%26nbsp%3Bwe%20are%26nbsp%3Breleasing%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESysmon%20for%20Linux%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%26nbsp%3Ban%20open-source%26nbsp%3Bsystem%20monitor%20tool%26nbsp%3Bdeveloped%26nbsp%3Bto%20collect%20security%20events%26nbsp%3Bfrom%20Linux%20environments%26nbsp%3Busing%26nbsp%3BeBPF%20(%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EExtended%20Berkeley%20Packet%20Filter)%26nbsp%3Band%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bsending%26nbsp%3Bthem%20to%20Syslog%26nbsp%3Bfor%20easy%20consumption.%26nbsp%3BSysmon%20for%20Linux%20is%20built%20on%26nbsp%3Ba%26nbsp%3Blibrary%20also%20released%20today%20named%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSysinternals%2FSysinternalsEBPF%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EsysinternalsEBPF%3C%2FA%3E%20which%20is%20built%20on%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Flibbpf%2Flibbpf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Elibbpf%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bincluding%20a%20library%20of%20eBPF%20inline%20functions%20used%20as%20helpers.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIn%20this%20post%2C%20I%20will%20show%20you%20how%20to%20automatically%20deploy%20a%20research%20lab%20environment%20with%26nbsp%3Ban%26nbsp%3BAzure%26nbsp%3BSentinel%26nbsp%3Binstance%20and%26nbsp%3Ba%26nbsp%3Bfew%20Linux%20virtual%20machines%26nbsp%3Bwith%20Sysmon%20for%20Linux%26nbsp%3Balready%26nbsp%3Binstalled%20and%20configured%20to%26nbsp%3Btake%20it%20for%26nbsp%3Ba%26nbsp%3Bdrive%20and%20explore%26nbsp%3Bits%26nbsp%3Bcoverage.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20always%2C%20before%20getting%20into%20the%20technical%20parts%20of%20the%20main%20topics%2C%26nbsp%3Bit%26nbsp%3Bis%26nbsp%3Bimportant%26nbsp%3Bto%20understand%20some%20of%20the%20fundamental%20concepts%20behind%20Sysmon%20for%20Linux.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--324655866%22%20id%3D%22toc-hId--324652049%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWhat%20is%20eBPF%3F%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EAccording%20to%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Febpf.io%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EeBPF%20Foundation%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%26nbsp%3BeBPF%20is%20a%20technology%26nbsp%3Bthat%26nbsp%3Ballows%20programs%20to%26nbsp%3Brun%26nbsp%3Bin%20a%20sandbox%26nbsp%3Bin%20an%20operating%20system%20kernel.%26nbsp%3BIn%20other%20words%2C%26nbsp%3BeBPF%20enables%20programmers%20to%20write%20code%20which%20gets%20executed%20in%20kernel%20space%20in%20a%20more%20secure%20and%20restricted%26nbsp%3Bway%26nbsp%3Bin%20order%20to%20add%26nbsp%3Badditional%20capabilities%20to%20the%20operating%20system%20at%20runtime.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3ESome%20of%20the%20use%20cases%20for%20eBPF%20are%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ESecurity%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3A%26nbsp%3BCombining%20visibility%20and%26nbsp%3Bbetter%20level%20of%20control%26nbsp%3Bto%20secure%20systems.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ETracing%26nbsp%3Band%20profiling%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3A%26nbsp%3BPowerful%20and%20unique%20insights%20to%20troubleshoot%20system%20performance.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ENetworking%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3A%20A%20natural%20fit%20for%20all%20packet%20processing%20requirements%20of%20networking%20solutions.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%224%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3EObservability%20and%20monitoring%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3A%26nbsp%3BCollection%20and%20in-kernel%20aggregation%20of%20custom%20metrics.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--2132110329%22%20id%3D%22toc-hId--2132106512%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWhy%20eBPF%20for%20Sysmon%20for%20Linux%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFrom%20an%20event-tracing%20perspective%2C%26nbsp%3BeBPF%20allows%20us%20to%26nbsp%3Bwrite%20event-driven%20programs%20and%26nbsp%3Bhave%20pre-defined%26nbsp%3Bhooks%20into%26nbsp%3Boperations%20such%20as%20system%20calls%2C%20network%26nbsp%3Bconnections%2C%26nbsp%3Bfile%20write%2Fread%2C%20etc.%20We%20can%20then%26nbsp%3Bcollect%20those%20events%20and%26nbsp%3Buse%20them%20to%20understand%20adversary%20behavior%26nbsp%3Bduring%20research%20or%20an%20investigation.%26nbsp%3BAs%20mentioned%20before%2C%20Sysmon%20for%20Linux%20uses%26nbsp%3Bits%20own%20library%20%E2%80%9CsysinternalsEBPF%E2%80%9D%20to%20handle%20the%20security%20events%20monitoring%26nbsp%3Bprocess.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_0-1634229152075.png%22%20style%3D%22width%3A%20911px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317395i91F2592563825D25%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_0-1634229152075.png%22%20alt%3D%22Cyb3rWard0g_0-1634229152075.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20find%20more%20information%20about%26nbsp%3Bthe%20implementation%20of%20the%20new%20sysinternals%20EBPF%20library%20in%20the%20following%20resources%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%226%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fyoutu.be%2FsZDGyr669kc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EEBPF%20Summit%3A%20Auto-discovery%20of%20Kernel%20Struct%20Offsets%20without%20BTF%20%E2%80%93%20Kevin%20Sheldrake%2C%20Microsoft%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-355402504%22%20id%3D%22toc-hId-355406321%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EInstalling%20Sysmon%20for%20Linux%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAll%20the%20information%20presented%20here%20about%20the%20installation%20is%20available%20in%20its%26nbsp%3Bown%20GitHub%20repository%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSysinternals%2FSysinternalsEBPF%2Fblob%2Fmain%2FINSTALL.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESysinternalsEBPF%2FINSTALL.md%20at%20main%20%C2%B7%20Sysinternals%2FSysinternalsEBPF%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSysinternals%2FSysmonForLinux%2Fblob%2Fmain%2FINSTALL.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESysmonForLinux%2FINSTALL.md%20at%20main%20%C2%B7%20Sysinternals%2FSysmonForLinux%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-1045963978%22%20id%3D%22toc-hId-1045967795%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERegister%20Microsoft%20Key%20and%20Feed%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3ESysmon%20for%20Linux%20requires%20the%20following%26nbsp%3Bpackages%26nbsp%3Bduring%20installation%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%227%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Esysinternalsebpf%20(.DEB%20or%20.RPM)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%228%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Esysmonforlinux%26nbsp%3B(.DEB%20or%20.RPM)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFor%20example%2C%20for%20Ubuntu%20you%20can%20run%20the%20following%20(More%20examples%20in%20the%20INSTALL%20documents%20above)%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Ewget%20-q%20https%3A%2F%2Fpackages.microsoft.com%2Fconfig%2Fubuntu%2F%24(lsb_release%20-rs)%2Fpackages-microsoft-prod.deb%20-O%20packages-microsoft-prod.deb%0Asudo%20dpkg%20-i%20packages-microsoft-prod.deb%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--761490485%22%20id%3D%22toc-hId--761486668%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EInstall%20Packages%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EDepending%20on%26nbsp%3Bthe%20Linux%20distribution%20and%20package%20manager%2C%20you%20can%26nbsp%3Buse%26nbsp%3Bthe%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Eapt%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bdependency%20resolver%26nbsp%3B(Debian%20based%20distros)%20or%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ERPM%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bpackage%20manager%26nbsp%3B(Fedora%26nbsp%3Bbased%20distros).%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3EFollowing%20the%20Ubuntu%20example%2C%20you%20can%20run%20the%20following%20commands%20to%20install%26nbsp%3B%3CSTRONG%3EsysinternalsEBPF%3C%2FSTRONG%3E%20and%26nbsp%3B%3CSTRONG%3ESysmon%3C%2FSTRONG%3E%20in%20that%20order%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Esudo%20apt-get%20update%0Asudo%20apt-get%20install%20sysinternalsebpf%0Asudo%20apt-get%20install%20sysmonforlinux%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENext%2C%20you%20should%20be%20able%20to%20run%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esysmon%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bcommand%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Esysmon%20%E2%80%93h%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_1-1634229152079.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317396i2E7AC23824EF1A63%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_1-1634229152079.png%22%20alt%3D%22Cyb3rWard0g_1-1634229152079.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-1726022348%22%20id%3D%22toc-hId-1726026165%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERun%20Sysmon%20as%20a%20Service%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFinally%2C%20we%20can%20use%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Esysmon%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bbinary%20to%20install%20and%20run%26nbsp%3BSysmon%20as%20a%20service%26nbsp%3Bwith%20a%20specific%20Sysmon%20config%20(like%26nbsp%3Bhow%20one%20installs%26nbsp%3BSysmon%20for%20Windows).%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Esudo%20sysmon%20-accepteula%20-i%20sysmonconfig.xml%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_2-1634229152004.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317394i061BB3F893656A63%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_2-1634229152004.png%22%20alt%3D%22Cyb3rWard0g_2-1634229152004.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--81432115%22%20id%3D%22toc-hId--81428298%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CFONT%20size%3D%225%22%3EExplore%20Syslog%20Events%3C%2FFONT%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20explore%20Sysmon%20events%20from%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESyslog%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Blog.%20Later%20in%20this%20post%2C%20I%20will%20show%20you%20how%20to%20use%20other%20tools%20to%20show%20Sysmon%20events%20in%20a%20more%26nbsp%3Buser-friendly%26nbsp%3Bview%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Etail%20%E2%80%93f%20%2Fvar%2Flog%2FSyslog%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_3-1634229152008.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317398iDC9CCAE0C94B30DA%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_3-1634229152008.png%22%20alt%3D%22Cyb3rWard0g_3-1634229152008.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--91935219%22%20id%3D%22toc-hId--91931402%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20Sysmon%20for%20Linux%20Configuration%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAt%20the%20time%20of%20writing%2C%20the%26nbsp%3BSysmon%20schema%20version%20is%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E4.81%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Echeck%20here%20for%20latest%20version%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BAn%26nbsp%3Bexample%20of%20a%26nbsp%3Bconfig%20to%26nbsp%3Bcollect%20all%26nbsp%3Bevents%26nbsp%3Bcan%20be%20found%20in%20the%26nbsp%3Bfollowing%20link%26nbsp%3B(Not%20recommended%20to%20use%20in%20a%20production%20environment%20due%20to%20the%20large%26nbsp%3Bnumber%26nbsp%3Bof%20events%20generated)%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgist.github.com%2FCyb3rWard0g%2Fbcf1514cc340197f0076bf1da8954077%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESysmonForLinux-CollectAll-Config.xml%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUse%20the%20following%20command%20to%20update%20the%20Sysmon%20config%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Esudo%20sysmon%20%E2%80%93c%20newconfig.xml%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-598626255%22%20id%3D%22toc-hId-598630072%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EConfiguration%20Options%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CTABLE%20data-tablestyle%3D%22MsoTable15Grid1LightAccent1%22%20data-tablelook%3D%221696%22%20aria-rowcount%3D%222%22%3E%0A%3CTBODY%3E%0A%3CTR%20aria-rowindex%3D%221%22%3E%0A%3CTD%20data-celllook%3D%22256%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOption%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%22256%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDescription%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%22256%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESample%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%222%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFieldSizes%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3Especify%20how%20long%20you%20want%20fields%20to%20be%20so%20you%20can%20avoid%20the%20Syslog%20overrun%2Fbroken%20XML%20problem%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CFIELDSIZES%3ECommandLine%3A50%2CImage%3A50%3C%2FFIELDSIZES%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1208828208%22%20id%3D%22toc-hId--1208824391%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAvailable%26nbsp%3BEvents%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CTABLE%20data-tablestyle%3D%22MsoTable15Grid1LightAccent1%22%20data-tablelook%3D%221696%22%20aria-rowcount%3D%228%22%3E%0A%3CTBODY%3E%0A%3CTR%20aria-rowindex%3D%221%22%3E%0A%3CTD%20data-celllook%3D%22256%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EEvent%20ID%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%22256%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDescription%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%222%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E1%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20when%20a%20new%20process%20is%26nbsp%3Bcreated.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%223%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E3%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20TCP%2FUDP%20connections%20on%20the%20machine%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%224%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E5%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20when%20a%20process%20terminates.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%225%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E9%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20when%20a%20process%20conducts%20reading%20operations%2C%20from%20the%20drive.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%226%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E11%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20when%20a%20file%20is%20created%20or%20overwritten.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%227%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E16%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20when%20the%20local%26nbsp%3BSysmon%20configuration%20is%20updated.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20aria-rowindex%3D%228%22%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E23%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogs%20when%20a%20file%20is%20deleted%20by%20a%20process.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAll%20the%20events%20in%20Sysmon%20for%20Linux%20are%20already%20documented%20as%20data%20dictionaries%20in%20the%20open-source%20project%20OSSEM.%20You%20can%20access%20that%20information%20in%20the%20following%20link%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FOSSEM-DD%2Ftree%2Fmain%2Flinux%2Fsysmon%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3Ehttps%3A%2F%2Fgithub.com%2FOTRF%2FOSSEM-DD%2Ftree%2Fmain%2Flinux%2Fsysmon%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-454438427%22%20id%3D%22toc-hId-454442244%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20MSTIC%20Sysmon%20for%20Linux%20Configuration%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%20MSTIC%20R%26amp%3BD%20team%20is%20sharing%20a%20few%20configuration%20files%20as%20part%20of%20the%20release%20of%20this%26nbsp%3Bproject%20and%20will%20be%20maintaining%26nbsp%3Bthem%26nbsp%3Bas%20we%20use%26nbsp%3Bthem%26nbsp%3Bfor%20research%20and%20development%20of%20detections.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--1353016036%22%20id%3D%22toc-hId--1353012219%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EHow%20do%20we%20automate%20the%26nbsp%3Binstallation%20process%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20installation%20of%20Sysmon%20for%20Linux%20can%20be%20automated%20with%20the%20following%20bash%20script%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Fresources%2Fscripts%2Fbash%2FInstall-Sysmon-For-Linux.sh%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Fresources%2Fscripts%2Fbash%2FInstall-Sysmon-For-Linux.sh%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%221%22%20id%3D%22toc-hId-1263579516%22%20id%3D%22toc-hId-1263583333%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWhat%26nbsp%3Babout%20a%20full%20lab%20environment%3F%26nbsp%3BEnter%20Azure%20Sentinel%20To-go!%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel2Go%20is%20an%20open-source%20project%20developed%20to%20expedite%20the%20deployment%20of%20an%20Azure%20Sentinel%20lab%20along%20with%20other%20Azure%20resources%26nbsp%3Bto%20expedite%26nbsp%3Bresearch%26nbsp%3Band%20the%20development%20of%20detections.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--672957666%22%20id%3D%22toc-hId--672953849%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20%2B%20Sysmon%20for%20Linux%26nbsp%3BEnvironment%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EWe%20have%20updated%20our%20previous%26nbsp%3BLinux%20environment%26nbsp%3Band%20we%20can%20now%26nbsp%3Bdeploy%20everything%20needed%20for%20a%20small%20research%20lab%20with%20Sysmon%20for%20Linux%26nbsp%3Bconfigured%20and%26nbsp%3Ban%20Azure%20monitor%20agent%26nbsp%3Bsending%20logs%20to%20Azure%20Sentinel%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FLinux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure-Sentinel2Go%2Fgrocery-list%2FLinux%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EWe%20were%20able%20to%20use%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-resource-manager%2Ftemplates%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Resource%20Manager%20(ARM)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Btemplates%20and%20a%20bash%20script%20to%20automate%20the%20whole%20setup.%20These%20are%20all%20the%20resources%20used%20for%20each%20component%20of%20the%26nbsp%3Bresearch%26nbsp%3Blab%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%229%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%229%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Fazuredeploy.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20instance%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%229%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-connectors%2FsyslogCollection.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESyslog%20data%20connector%3C%2FSPAN%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%229%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Flog-analytics%2FsyslogDataSources.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESyslog%20data%20collection%20from%20specific%20facilities%3C%2FSPAN%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%229%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FParsers%2FASim%2520Sysmon%2520for%2520Linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EASIM%20Sysmon%20for%20Linux%20Parser%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ELinux%20Virtual%20Machines%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Ftemplates%2Fazure%2FLinux%2Fazuredeploy.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ELinux%20virtual%20machines%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EUbuntu%2018.04.6%20LTS%20(Kernel%20release%3A%205.4.0-1059-azure)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECentos%208.2.2004%20(Kernel%20release%3A%204.18.0-193.28.1.el8_2.x86_64%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERed%20Hat%208.2%26nbsp%3B(Kernel%20release%3A%204.18.0-193.65.2.el8_2.x86_64)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Ftemplates%2Fazure%2FAzure-Monitor-Agents%2Flinux.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Log%20Analytics%20Agent%26nbsp%3Bfor%20Linux%3C%2FSPAN%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2220%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2210%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FBlacksmith%2Fmaster%2Fresources%2Fscripts%2Fbash%2FInstall-Sysmon-For-Linux.sh%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESysmon%20for%20Linux%20Installer%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-1814555167%22%20id%3D%22toc-hId-1814558984%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDeploying%20the%20Lab%20Environment%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2211%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EGo%20to%3A%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FSysmon-For-Linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FSysmon-For-Linux%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2212%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EClick%20on%20the%20%E2%80%9C%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EDeploy%20to%20Azure%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%9D%20Button%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_4-1634229152010.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317397i75133BDDC2CAC385%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_4-1634229152010.png%22%20alt%3D%22Cyb3rWard0g_4-1634229152010.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EFill%20out%20the%20following%20parameters%3A%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESubscription%20(selected%20by%20default)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EResource%20group%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERegion%20(selected%20by%20default)%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdmin%20Username%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdmin%20Password%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERemote%20Access%20Mode%20(%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EAllowPublicIP%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bselected%20by%20default.%20You%20can%20also%20use%20Azure%20Bastion%20Host.%20You%20would%20just%20need%20to%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EAllowed%20IP%20Addresses%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bparameter%20to%20*)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2213%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAllowed%20IP%20Addresses%20(If%20you%20use%20the%20default%20access%20mode%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EAllowPublicIP%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20use%20your%20home%20or%20office%20public%20IP%20address%20to%20only%20allow%20access%20from%20secure%20places.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2214%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EClick%20the%20Review%20%26gt%3B%20Create%20buttons%20to%20start%20the%20deployment%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2215%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EYou%20can%20go%20to%20your%20resource%20group%20and%20explore%20all%20the%20resources%20being%20deployed%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_5-1634229152012.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317399i6829CCDD6ED9B0E7%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_5-1634229152012.png%22%20alt%3D%22Cyb3rWard0g_5-1634229152012.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2219%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2216%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWait%20around%205-10%20minutes!%20You%20should%20be%20good%20to%20go!%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_6-1634229152015.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317400i1D75B919086B26FF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_6-1634229152015.png%22%20alt%3D%22Cyb3rWard0g_6-1634229152015.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2215%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2217%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20go%20to%20the%20resource%20group%20and%20see%20all%20the%20resources%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_7-1634229152019.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317401i87ABC8A50825354E%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_7-1634229152019.png%22%20alt%3D%22Cyb3rWard0g_7-1634229152019.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-7100704%22%20id%3D%22toc-hId-7104521%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EValidate%20Deployment%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EIt%20is%20very%20important%20to%20validate%20if%20everything%20was%20deployed%20properly%20before%20exploring%20events%20from%20Sysmon.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1671271040%22%20id%3D%22toc-hId--1671267223%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESysmon%20running%20as%20a%20service%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESSH%20to%20all%20your%20VMs%20and%20run%20the%20following%20commands%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Esystemctl%20status%20sysmon%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_8-1634229152099.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317402i7A22A0606A1F473C%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_8-1634229152099.png%22%20alt%3D%22Cyb3rWard0g_8-1634229152099.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-816241793%22%20id%3D%22toc-hId-816245610%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CFONT%20size%3D%225%22%3EExplore%20Syslog%26nbsp%3BEvents%3C%2FFONT%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20explore%20Sysmon%20events%20from%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESyslog%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Blog.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Etail%20%E2%80%93f%20%2Fvar%2Flog%2FSyslog%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_9-1634229152043.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317403i1F1B0DF4472A998D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_9-1634229152043.png%22%20alt%3D%22Cyb3rWard0g_9-1634229152043.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--991212670%22%20id%3D%22toc-hId--991208853%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EExplore%20Sysmon%20Events%26nbsp%3Bvia%26nbsp%3BsysmonLogView%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESysmon%20also%20comes%20with%20a%20binary%20named%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EsysmonLogView%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20explore%20sysmon%20events%20in%20a%20friendly%20format.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_10-1634229152094.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317405i17846EDADA3116D1%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_10-1634229152094.png%22%20alt%3D%22Cyb3rWard0g_10-1634229152094.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_11-1634229152083.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317404iD7E431E932169DBA%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_11-1634229152083.png%22%20alt%3D%22Cyb3rWard0g_11-1634229152083.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERun%20the%20following%20commands%20to%20explore%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESysmon%26nbsp%3Bevent%20id%201%20(ProcessCreate)%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bevents%20locally%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-bash%22%3E%3CCODE%3Esudo%20tail%20-f%20%2Fvar%2Flog%2Fsyslog%20%7C%20sudo%20%2Fopt%2Fsysmon%2FsysmonLogView%20-e%201%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22linux-sysmon-tail-sysmonlogview.png%22%20style%3D%22width%3A%20940px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317436i8FE92F43AA410997%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22linux-sysmon-tail-sysmonlogview.png%22%20alt%3D%22linux-sysmon-tail-sysmonlogview.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-1496300163%22%20id%3D%22toc-hId-1496303980%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECheck%20if%20you%20are%20getting%20Syslog%20events%20via%20the%20Azure%20Sentinel%20interface%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2214%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2218%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2214%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2219%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESearch%20%26gt%3B%20Azure%20Sentinel%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22sysmon-azure-sentinel.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317442iC2315774403A05F8%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22sysmon-azure-sentinel.png%22%20alt%3D%22sysmon-azure-sentinel.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENext%2C%20click%20on%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Elogs%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%20run%20the%20following%26nbsp%3BKusto%26nbsp%3Bquery%20to%20see%20if%20all%20your%20endpoints%20are%20generating%20events%20and%20are%20being%20collected%20by%20the%20Azure%20Log%20Analytics%20agent%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-basic%22%3E%3CCODE%3ESyslog%20%0A%7C%20summarize%20count()%20by%20Computer%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22sysmon-azure-sentinel-query.png%22%20style%3D%22width%3A%20824px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317444iB0EB18AE4C1A1BD0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22sysmon-azure-sentinel-query.png%22%20alt%3D%22sysmon-azure-sentinel-query.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-257924922%22%20id%3D%22toc-hId-257928739%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EQuerying%20Sysmon%20for%20Linux%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20query%20Sysmon%20for%20Linux%20logs%20by%20using%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESyslog%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Btable%20with%20the%20following%20Kusto%20query%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-basic%22%3E%3CCODE%3ESyslog%20%0A%7C%20extend%20EventID%20%3D%20parse_xml(SyslogMessage).Event.System.EventID%20%0A%7C%20extend%20EventData%20%3D%20parse_xml(SyslogMessage).Event.EventData.Data%20%0A%7C%20mv-expand%20bagexpansion%3Darray%20EventData%20%0A%7C%20evaluate%20bag_unpack(EventData)%20%0A%7C%20extend%20Key%3Dtostring(%5B'%40Name'%5D)%2C%20Value%3D%5B'%23text'%5D%20%0A%7C%20evaluate%20pivot(%20%0A%20%20%20%20Key%2C%20any(Value)%2C%20TimeGenerated%2C%20TenantId%2C%20SourceSystem%2C%20%0A%20%20%20%20EventID%2C%20Computer%2C%20Facility%2C%20SeverityLevel%2C%20HostIP%2C%20MG%2C%20Type%2C%20_ResourceId%20%0A)%20%0A%7C%20summarize%20count()%20by%20tostring(EventID)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdditionally%2C%20as%20part%20of%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fsentinel%252Fnormalization-content%26amp%3Bdata%3D04%257C01%257CRodriguez.Roberto%2540microsoft.com%257C2cda2eba784743bd614e08d983efc889%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637685888180807874%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DCyva%252BZrn9nq6SUDZWWUGaBPUp5XtP1z4bk1teYuYhFA%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EASIM%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B(Azure%20Sentinel%20Information%20Model)%20project%2C%20we%20have%20created%20parsers%20for%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FParsers%2FASim%2520Sysmon%2520for%2520Linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESysmon%26nbsp%3Bfor%26nbsp%3BLinux%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3BThe%20parsers%20get%20imported%20automatically%20by%20the%20template%20we%20use%20to%20deploy%20the%20lab%20environment.%20Therefore%2C%20you%20can%20simply%20use%20the%26nbsp%3Bparsers%26nbsp%3Bavailable%26nbsp%3Bunder%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFunctions%20%26gt%3B%20Workspace%20functions%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-basic%22%3E%3CCODE%3EVimProcessCreateLinuxSysmon%20%0A%7C%20limit%2010%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22linux-sysmon-azure-sentinel.png%22%20style%3D%22width%3A%20808px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F317446i333963A050022498%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22linux-sysmon-azure-sentinel.png%22%20alt%3D%22linux-sysmon-azure-sentinel.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThat%E2%80%99s%20it!%20You%20are%20now%20ready%20to%20use%20Sysmon%20for%20Linux%20in%20a%20lab%20environment%20for%20research%20and%20development%20of%20detections%26nbsp%3B%3CSPAN%20data-contrast%3D%22auto%22%3E%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--1549529541%22%20id%3D%22toc-hId--1549525724%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESysmon%20for%20Linux%26nbsp%3BResources%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FParsers%2FASim%2520Sysmon%2520for%2520Linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure-Sentinel%2FParsers%2FASim%20Sysmon%20for%20Linux%20at%20master%20%C2%B7%20Azure%2FAzure-Sentinel%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FSysmon-For-Linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure-Sentinel2Go%2Fgrocery-list%2FLinux%2Fdemos%2FSysmon-For-Linux%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSysinternals%2FSysinternalsEBPF%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESysinternals%2FSysinternalsEBPF%3A%20The%20Linux%20port%20of%20the%20Sysinternals%20Sysmon%20tool.%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSysinternals%2FSysmonForLinux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESysinternals%2FSysmonForLinux%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-937983292%22%20id%3D%22toc-hId-937987109%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EReferences%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2224%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Febpf.io%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EeBPF%20-%20Introduction%2C%20Tutorials%20%26amp%3B%20Community%20Resources%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2225%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Febpf.io%2Fwhat-is-ebpf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWhat%20is%20eBPF%3F%20An%20Introduction%20and%20Deep%20Dive%20into%20the%20eBPF%20Technology%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2226%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EOTRF%2FAzure-Sentinel2Go%3A%20Azure%20Sentinel2Go%20is%20an%20open%20source%20project%20developed%20to%20expedite%20the%20deployment%20of%20an%20Azure%20Sentinel%20lab.%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2221%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%2227%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fazure-sentinel-to-go-a-linux-lab-with-auoms-set-up-to-learn%2Fba-p%2F2772581%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20To-Go!%20A%20Linux%20%3Apenguin%3A%20Lab%20with%20AUOMS%20Set%20Up%20to%20Learn%20About%20the%20OMI%20Vulnerability%20%3Acollision%3A%20-%20Microsoft%20Tech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2847054%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EToday%2C%20we%20celebrate%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fwindows-events%2Fsysinternals-25-a-special-anniversary-event%2Fev-p%2F2787286%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E25%20years%20of%20Sysinternals%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%26nbsp%3Ba%20set%20of%20utilities%20to%20analyze%2C%20troubleshoot%20and%20optimize%20Windows%20systems%20and%20applications.%26nbsp%3BAlso%2C%26nbsp%3Bas%20part%20of%20this%20special%20anniversary%2C%26nbsp%3Bwe%20are%26nbsp%3Breleasing%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESysmon%20for%20Linux%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%26nbsp%3Ban%20open-source%26nbsp%3Bsystem%20monitor%20tool%26nbsp%3Bdeveloped%26nbsp%3Bto%20collect%20security%20events%26nbsp%3Bfrom%20Linux%20environments%26nbsp%3Busing%26nbsp%3BeBPF%20(%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EExtended%20Berkeley%20Packet%20Filter)%26nbsp%3Band%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bsending%26nbsp%3Bthem%20to%20Syslog%26nbsp%3Bfor%20easy%20consumption.%26nbsp%3BSysmon%20for%20Linux%20is%20built%20on%26nbsp%3Ba%26nbsp%3Blibrary%20also%20released%20today%20named%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSysinternals%2FSysinternalsEBPF%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EsysinternalsEBPF%3C%2FA%3E%20which%20is%20built%20on%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Flibbpf%2Flibbpf%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Elibbpf%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bincluding%20a%20library%20of%20eBPF%20inline%20functions%20used%20as%20helpers.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIn%20this%20post%2C%20I%20will%20show%20you%20how%20to%20automatically%20deploy%20a%20research%20lab%20environment%20with%26nbsp%3Ban%26nbsp%3BAzure%26nbsp%3BSentinel%26nbsp%3Binstance%20and%26nbsp%3Ba%26nbsp%3Bfew%20Linux%20virtual%20machines%26nbsp%3Bwith%20Sysmon%20for%20Linux%26nbsp%3Balready%26nbsp%3Binstalled%20and%20configured%20to%26nbsp%3Btake%20it%20for%26nbsp%3Ba%26nbsp%3Bdrive%20and%20explore%26nbsp%3Bits%26nbsp%3Bcoverage.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2847054%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDetection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Oct 15 2021 07:10 PM
Updated by: