Querying Sysmon logs

With the ability to query Windows Event Logs, we can also query Sysmon logs, since they show up in Event Viewer. The query below is an example of what such a query looks like; in this case we are looking at network connections.

-- Sysmon event ID 3 (network connection) from the Sysmon operational channel.
-- The data column holds the event as JSON. RuleName is split on ',' and '=':
-- the first pair gives the technique ID, the second the technique name.
select datetime as 'datetime (UTC)', eventid,
split(split(json_extract(data,'$.EventData.RuleName'),',',1),'=',1) as technique,
split(split(json_extract(data,'$.EventData.RuleName'),',',0),'=',1) as technique_id,
json_extract(data,'$.EventData.User') as 'username',
json_extract(data,'$.EventData.Image') as 'process',
json_extract(data,'$.EventData.ProcessId') as 'pid',
json_extract(data,'$.EventData.SourceIp') as 'source_ip',
json_extract(data,'$.EventData.SourcePort') as 'source_port',
json_extract(data,'$.EventData.DestinationIp') as 'destination_ip',
json_extract(data,'$.EventData.DestinationPort') as 'destination_port',
json_extract(data,'$.EventData.Initiated') as 'initiated'
from windows_eventlog
where channel = 'Microsoft-Windows-Sysmon/Operational'
  and eventid = 3;

Here is what the data looks like:

datetime (UTC) = 2022-01-07T20:30:32.1515030Z
eventid = 3
technique = Masquerading
technique_id = T1036
username = DESKTOP-030MC74\bit9se
process = C:\Users\bit9se\AppData\Local\Microsoft\OneDrive\21.230.1107.0004\Microsoft.SharePoint.exe
pid = 644
source_ip =
source_port = 49752
destination_ip =
destination_port = 443
initiated = true
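
The nested split() calls in the query read the RuleName pairs by position, so a rule tagged in a different order, or a rule with no tags, ends up in the wrong column or comes back empty. As an added example (not part of the original post), this Python code post-processes exported rows and reads the pairs by key instead; the key names technique_id and technique_name, the row layout (a dict whose data field is the JSON string), and the sample rows are assumptions constructed for illustration.

```python
import json

# Output column -> Sysmon EventData key, as used in the query above.
FIELDS = {"username": "User", "process": "Image", "pid": "ProcessId",
          "source_ip": "SourceIp", "source_port": "SourcePort",
          "destination_ip": "DestinationIp", "destination_port": "DestinationPort",
          "initiated": "Initiated"}

def parse_rule_name(rule_name):
    """Parse 'k1=v1,k2=v2' into a dict, looked up by key so order is irrelevant.
    An unnamed rule ('-') or a free-text name yields an empty dict."""
    tags = {}
    for part in (rule_name or "").split(","):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            tags[key.strip()] = value.strip()
    return tags

def parse_network_event(row):
    """Flatten one windows_eventlog row: a dict with datetime, eventid, data."""
    event_data = json.loads(row["data"]).get("EventData") or {}
    tags = parse_rule_name(event_data.get("RuleName"))
    out = {"datetime (UTC)": row["datetime"], "eventid": int(row["eventid"]),
           # Assumed tag names; adjust them to the tags your Sysmon config uses.
           "technique": tags.get("technique_name"),
           "technique_id": tags.get("technique_id")}
    out.update({col: event_data.get(key) for col, key in FIELDS.items()})
    return out

def _row(rule_name):
    # Constructed sample event; addresses come from documentation ranges.
    event = {"RuleName": rule_name, "User": "HOST\\user",
             "Image": "C:\\Example\\app.exe", "ProcessId": "644",
             "SourceIp": "192.0.2.10", "SourcePort": "49752",
             "DestinationIp": "198.51.100.20", "DestinationPort": "443",
             "Initiated": "true"}
    return {"datetime": "2022-01-07T20:30:32.1515030Z", "eventid": "3",
            "data": json.dumps({"EventData": event})}

SAMPLE_ROWS = [
    _row("technique_name=Masquerading,technique_id=T1036"),  # reversed pair order
    _row("-"),                                               # rule without tags
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        print(parse_network_event(sample))
```

Rows where technique_id is None are worth reviewing separately, since they matched a Sysmon rule that carries no technique tag.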