Sysmon is a monitoring and logging agent that is part of the Microsoft Sysinternals suite of tools. It is designed to identify malicious or anomalous activity and help IT understand how intruders and malware operate on a company’s network.
Sysmon consists of a Windows system service and a device driver. Combined, they monitor system activity. Whenever Sysmon observes some activity that matches one of the rules of its XML configuration file, it writes an event to the Windows event log. The events generated by Sysmon are typically picked up by a log collecting tool and forwarded to a SIEM such as Splunk. Event forwarding and analysis are not handled by Sysmon but require additional software.
- Sysmon is a tool, not a product.
- There is no support and precious little documentation.
- Sysmon requires intensive development and testing.
- As it doesn’t come with detections, rule creation and maintenance are left to the user.
- The same is true for SIEM dashboards and reports. Those need to be created from scratch by each organization individually.
- Easy start through predefined rules (docs)
- Rule converters (Sysmon to ESA and Sigma to ESA)
- Rule definitions: no XML but friendly uAQL
- Rule editor: uAQL Studio
- Splunk dashboards
- Splunk Enterprise Security integration (blog)
- MITRE ATT&CK technique ID integration (blog)
- No additional log collection agent necessary
The following sections compare Sysmon with uberAgent ESA, highlighting the pros and cons of both products.
Sysmon does not ship with monitoring rules; it needs to be configured from scratch by the customer. Many rules are available on the internet. The rulesets published by SwiftOnSecurity and Olaf Hartong seem to be the most popular.
uberAgent ESA ships with a comprehensive set of rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project. vast limits rules come enriched with MITRE ATT&CK technique ID annotations.
Converters for Sigma signatures and Sysmon rules to uberAgent ESA rules are part of the product. Rule development is facilitated by uAQL Studio, a free online tool to learn, build and test uberAgent ESA Threat Detection rules.
Sysmon is configured through an XML file. The resulting events are written to the Windows event log from where they need to be picked up and forwarded by another tool or agent.
uberAgent ESA is configured either through a configuration file or through Active Directory Group Policy. The configuration file’s syntax is easy and intuitive. Configuration errors are clearly marked as such in the agent’s log file. Resulting events are transmitted directly to the SIEM backend without the need for additional log collection or forwarding software.
uberAgent ESA’s Threat Detection Engine comes with its own query language. uAQL borrows from SQL and popular scripting languages to provide a powerful yet easy-to-read query syntax for suspicious system activities.
uberAgent ESA is based on the user experience monitoring product uberAgent UXM: rich application, inventory, and performance data are available for context. uberAgent ESA and UXM share a single agent. Consequently, uberAgent’s footprint on the endpoint is small: only minimal CPU and RAM resources are needed, third-party agents are not required. uberAgent’s endpoint agent maintains a detailed human-readable log file for easy troubleshooting.
Sysmon is available free of charge. However, this also means that there is no technical support available. The Sysinternals Licensing FAQ states: All Sysinternals tools are offered ‘as is’ with no official Microsoft support. Without a vendor support channel, there is no way to get bugs fixes or request new features.
uberAgent ESA is a fully supported commercial product (but much less expensive than most other security analytics products). Customer feedback is very welcome and influences development. In fact, some of uberAgent’s best features originated in customer suggestions.
Consider Sysmon if:
- You’re on a budget
- You don’t mind developing & maintaining a custom solution
Consider uberAgent ESA if:
- You prefer a product that is ready to use
- You need visibility into normal behavior
For more detailed information on the capabilities of uberAgent Endpoint Security Analytics (ESA) please follow this link to the documentation.