Custom Wazuh rules for Sysmon
Sysmon – a Windows Sysinternals tool – provides an in-depth view of system-level activity. It helps us detect a wide range of events, such as process creation, file creation and modification, registry changes, driver loading, DLL loading, named pipe creation, process access, and DNS queries. To expand Wazuh’s detection capability, we need to build custom Wazuh rules that generate alerts on these events. There is a total of 30 Sysmon events, as explained on the official Microsoft website (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon). However, we will cover the most important Sysmon events that are mapped to specific MITRE ATT&CK techniques. These rules are adapted from the official GitHub account of SOCFortress – a SaaS-based cybersecurity platform. You can also refer to the list of all the Wazuh rules mapped to MITRE techniques against Sysmon events here: https...
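As an added illustration of the rule shape described above (not a rule from the page or from SOCFortress), the custom rule below alerts on Sysmon Event ID 1 (process creation) when PowerShell is launched with an encoded command line and tags the alert with the matching MITRE ATT&CK technique. It assumes Wazuh’s default Sysmon ruleset is loaded (which places Event ID 1 in the `sysmon_event1` group), that the agent forwards the `Microsoft-Windows-Sysmon/Operational` channel, and uses the custom rule ID 100100 from the range reserved for local rules.

```xml
<!-- Drop into /var/ossec/etc/rules/local_rules.xml on the Wazuh manager and restart wazuh-manager. -->
<group name="sysmon,custom_sysmon,">

  <!-- Event 1: process creation. The parent group sysmon_event1 comes from
       Wazuh's built-in Sysmon rules, so only Sysmon process-creation events reach this rule. -->
  <rule id="100100" level="10">
    <if_group>sysmon_event1</if_group>
    <!-- Image is the full path of the started executable (assumed field name win.eventdata.image). -->
    <field name="win.eventdata.image" type="pcre2">(?i)\\powershell(_ise)?\.exe$</field>
    <!-- Match the -e / -ec / -enc / -EncodedCommand switches, which carry base64-encoded script. -->
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\s-(e|ec|enc|encodedcommand)\s</field>
    <description>Sysmon - Event 1: PowerShell launched with an encoded command on $(win.system.computer): $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1059.001</id>
      <id>T1027</id>
    </mitre>
    <options>no_full_log</options>
  </rule>

</group>
```

The agent side needs a `<localfile>` entry with `<location>Microsoft-Windows-Sysmon/Operational</location>` and `<log_format>eventchannel</log_format>` in its ossec.conf, otherwise no Sysmon events arrive for the rule to match.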