Sysmon - how does it work?

Mkr 21 Reputation points
2021-03-18T08:42:15.033+00:00

Hello,
I've tried to find an answer but without success.

What exactly happens if I exclude something in the config file, e.g. cmd.exe in the Network connection section?
Does it mean that Sysmon immediately stops monitoring cmd.exe for network traffic, or maybe Sysmon still monitors but just doesn't alert?
If Sysmon still monitors, what is the performance cost of this operation?

I've been asked about this by my sysadmin colleagues because they are concerned about system performance.

Thanks in advance for the answer.

Regards
Mkr


Accepted answer
  1. dstaulcu 351 Reputation points
    2021-03-19T12:11:29.673+00:00

    With that config:

    • Sysmon is monitoring all NetworkConnect transactions because you have one or more rules associated with either include or exclude rule groups. Sysmon has to monitor all NetworkConnect activity in order to determine if any of your rules apply.
    • For NetworkConnect events, Sysmon is only logging events whose DestinationPort is 25 and whose Image path is not c:\Windows\System32\cmd.exe

    Regarding performance:

    • With NetworkConnect monitoring, your sysadmin colleagues should be mostly worried about the impact to DNS servers if the DnsLookup configuration entry is not defined or set to True. When DnsLookup is enabled, Sysmon performs DnsLookups of IP addresses associated with new NetworkConnect events in order to populate the DestinationHostName and SourceHostName fields. Otherwise the performance cost of monitoring is inconsequential.
    • With NetworkConnect logging, impact to local host is inconsequential. If the logs from the host are forwarded to an upstream system you need to consider the network transmission, server storage, and log search computation costs due to the volume of events resulting from your sysmon configs.
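The complete configuration the accepted answer describes, as an added example that is not part of the original thread or of the Sysmon documentation: both NetworkConnect groups from the question, with the DNS lookups the answer warns about switched off and the expensive ImageLoad event type disabled with an empty include group. The schemaversion value (4.50), the hash algorithm choice, and the decision to disable ImageLoad are assumptions for illustration; set schemaversion to whatever `sysmon -s` reports for the binary you deploy.

```xml
<!-- Added example, not from the original thread. Assumptions: schemaversion 4.50
     (match it to your Sysmon binary), sha256 as the hash algorithm, and an empty
     ImageLoad include group to keep the costliest event type off entirely. -->
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>

  <!-- Without this set to False, Sysmon resolves DestinationHostname and
       SourceHostname for every new connection; that lookup traffic, not the
       filtering itself, is the load the accepted answer warns about. -->
  <DnsLookup>False</DnsLookup>

  <EventFiltering>
    <!-- Event ID 3 (NetworkConnect). Because at least one rule exists, Sysmon
         evaluates every new connection against both groups. An exclude match
         always wins, so a connection is written only when it hits the include
         group (DestinationPort 25) AND is not from cmd.exe. cmd.exe to port 25
         and PowerShell to port 443 are both evaluated and both dropped. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Windows\System32\cmd.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">25</DestinationPort>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 7 (ImageLoad), the most expensive type per the second answer.
         An empty include group means nothing of this type is logged. -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon -c <file>` and watch the Microsoft-Windows-Sysmon/Operational log for event ID 3: a test connection from PowerShell to port 25 of some host should appear, the same connection from cmd.exe should not, and the DestinationHostname field should stay empty because lookups are off. Event ID 3 entries are still being evaluated for cmd.exe; what the exclude rule changes is only whether the evaluated event is written.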

2 additional answers

  1. dstaulcu 351 Reputation points
    2021-03-18T14:29:14.193+00:00

    System utilization increases based on the number of event types you have enabled and the number of rules to process for each event type. These costs are magnified by the workload level of hosts. To disable an event type, ensure its Sysmon config includes nothing.

    For an admin it's all about value for cost, assuming compatibility is not a problem. Build trust with your admin by starting easy with logging of process creation event types only. As your experience administering Sysmon increases, enable collection of additional event types over time. Make sure the administrator is aware of your collection rules and planned changes.

    The ImageLoad event type is going to be the most expensive from a utilization perspective.


  2. Mkr 21 Reputation points
    2021-03-19T08:54:41.83+00:00

    Thanks.

    I'll try to ask more clearly:

    When I use a configuration:

    <NetworkConnect onmatch="include">
    <DestinationPort condition="is">25</DestinationPort>
    </NetworkConnect>

    <NetworkConnect onmatch="exclude">
    <Image condition="is">c:\Windows\System32\cmd.exe</Image>
    </NetworkConnect>

    What will happen? Will Sysmon monitor whether cmd.exe is making a connection to port 25 but not write alerts to the event log? Or will it ignore the event completely?
