
What is Sysmon?

Sysmon is a monitoring and logging agent that is part of the Microsoft Sysinternals suite of tools. It is designed to identify malicious or anomalous activity and help IT understand how intruders and malware operate on a company’s network.

Sysmon Architecture

Sysmon consists of a Windows system service and a kernel-mode device driver. Combined, they capture system activity (process creation, network connections, image loads, file and registry operations, and more) and filter it against the rules in Sysmon’s XML configuration file. Whenever an observed activity matches a rule, Sysmon writes an event to the Windows event log channel Microsoft-Windows-Sysmon/Operational. Sysmon only records; it does not alert. The events it generates are typically picked up by a log collecting agent and forwarded to a SIEM such as Splunk, where the detection logic runs. Event forwarding and analysis are not handled by Sysmon but require additional software.

TL;DR

Why Consider Alternatives to Sysmon?

  • Sysmon is a tool, not a product.
    • There is no support and precious little documentation.
  • Sysmon requires intensive development and testing.
    • As it doesn’t come with detections, rule creation and maintenance are left to the user.
    • The same is true for SIEM dashboards and reports. Those need to be created from scratch by each organization individually.

Why Choose uberAgent ESA as Sysmon Alternative?

  • Easy start through predefined rules (docs)
  • Rule converters (Sysmon to ESA and Sigma to ESA)
  • Rule definitions: no XML but friendly uAQL
  • Rule editor: uAQL Studio
  • Splunk dashboards
  • Splunk Enterprise Security integration (blog)
  • MITRE ATT&CK technique ID integration (blog)
  • No additional log collection agent necessary
  • Support

uberAgent ESA as Sysmon Alternative

The following sections compare Sysmon with uberAgent ESA, highlighting the pros and cons of both products.

Ruleset

Sysmon

Sysmon does not ship with detection rules. Installed without a configuration file it logs only a minimal default set of events (process creation with SHA1 hashes, no network monitoring), so a useful ruleset needs to be built from scratch by the customer. Many rules are available on the internet; the rulesets published by SwiftOnSecurity and Olaf Hartong (sysmon-modular) seem to be the most popular.

uberAgent ESA

uberAgent ESA ships with a comprehensive set of rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project. All rules come enriched with MITRE ATT&CK technique ID annotations.

Converters for Sigma signatures and Sysmon rules to uberAgent ESA rules are part of the product. Rule development is facilitated by uAQL Studio, a free online tool to learn, build and test uberAgent ESA Threat Detection rules.

Agent

Sysmon

Sysmon is configured through an XML file that needs to be deployed to each endpoint. The resulting events are written to the Windows event log from where they need to be picked up and forwarded by another tool or agent.
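The configuration-and-collection flow described in the Sysmon Architecture, Ruleset, and Agent sections, shown end to end in PowerShell. This is an added example, not code from the original page, from Microsoft, or from vast limits: it writes a small configuration with one include rule (log process creation only when the parent is an Office application, a common starting point for detecting macro-spawned processes), installs or updates Sysmon with it, and parses the resulting Event ID 1 records back out of the event log. The path C:\Tools, the service name Sysmon64, and the schemaversion 4.90 are assumptions; the schema version must match the installed binary (print it with `Sysmon64.exe -? config`), and the script must run in an elevated session.

```powershell
# Added example (not from the original page, Microsoft, or vast limits).
# Assumptions: Sysmon64.exe is in C:\Tools, the session is elevated, and
# schemaversion 4.90 matches the installed binary (check: .\Sysmon64.exe -? config).

$sysmonDir  = 'C:\Tools'
$configPath = Join-Path $sysmonDir 'sysmon-config.xml'

# One rule group: ProcessCreate events are logged ONLY when the parent image is an
# Office application. onmatch="include" drops everything that matches no rule,
# which is what keeps Sysmon's event volume manageable on busy endpoints.
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="office-child-process" groupRelation="or">
      <ProcessCreate onmatch="include">
        <ParentImage condition="image">winword.exe</ParentImage>
        <ParentImage condition="image">excel.exe</ParentImage>
        <ParentImage condition="image">powerpnt.exe</ParentImage>
        <ParentImage condition="image">outlook.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding UTF8

Push-Location $sysmonDir
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    # Service and driver already installed: push only the new configuration.
    .\Sysmon64.exe -c $configPath
} else {
    # First install: accept the EULA, install service + driver with this config.
    .\Sysmon64.exe -accepteula -i $configPath
}
Pop-Location

# Read back Event ID 1 (ProcessCreate) records from the Sysmon channel. The
# per-event fields live in the EventData XML, so flatten them into one object
# per event; a forwarder or SIEM does the same before indexing.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ParentImage = $d['ParentImage']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            Hashes      = $d['Hashes']   # e.g. "SHA256=<hex>" given the HashAlgorithms above
        }
    }
}

Get-SysmonProcessCreate | Format-Table -AutoSize
```

Because the configuration is stored by Sysmon at install/update time, the XML file itself does not have to remain on the endpoint, but it does have to be delivered to every endpoint whenever the rules change. Nothing in this script moves the events off the host; as the text notes, that step, and any alerting on the parsed fields, is left to a separate forwarder and SIEM.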

uberAgent ESA

uberAgent ESA is configured either through Central Config File Management (docs) or through Active Directory Group Policy. The configuration file’s syntax is easy and intuitive. Configuration errors are clearly marked as such in the agent’s log file. Resulting events are transmitted directly to the SIEM backend without the need for additional log collection or forwarding software.

uberAgent ESA’s Threat Detection Engine comes with its own query language. uAQL borrows from SQL and popular scripting languages to provide a powerful yet easy-to-read query syntax for suspicious system activities.

uberAgent ESA is based on the digital employee experience monitoring product uberAgent UXM: rich application, inventory, and performance data are available for context. uberAgent ESA and UXM share a single agent. Consequently, uberAgent’s footprint on the endpoint is small: only minimal CPU and RAM resources are needed, third-party agents are not required. uberAgent’s endpoint agent maintains a detailed human-readable log file for easy troubleshooting.

Support

Sysmon

Sysmon is available free of charge. However, this also means that there is no technical support available. The Sysinternals Licensing FAQ states: All Sysinternals tools are offered ‘as is’ with no official Microsoft support. Without a vendor support channel, there is no formal way to obtain bug fixes or request new features.

uberAgent ESA

uberAgent ESA is a fully supported commercial product (but much less expensive than most other security analytics products). Customer feedback is very welcome and influences development. In fact, some of uberAgent’s best features originated in customer suggestions.

Conclusion

Consider Sysmon if:

  • You’re on a budget
  • You don’t mind developing & maintaining a custom solution

Consider uberAgent ESA if:

  • You prefer a product that is ready to use
  • You need visibility into normal behavior

More Information on uberAgent ESA

For more detailed information on the capabilities of uberAgent Endpoint Security Analytics (ESA) please follow this link to the documentation.