To enable network connection logging in Sysmon, the -n switch is used together with a configuration file (in testing, enabling -n alone produced zero events).
The simplest rule is a catch-all, shown below (create the XML in a text editor and save it with a .xml file extension).
<Sysmon schemaversion="4.20">
  <EventFiltering>
    <NetworkConnect onmatch="exclude">
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
The XML above logs every network connection event unless the event matches a filter listed inside the NetworkConnect element (onmatch="exclude"). Because no filters are listed, nothing is excluded and every connection is captured. That is fine for a basic evaluation, but for production use you will want to exclude known-noisy connections (for example a trusted endpoint agent, or DNS and loopback traffic) to keep event volume manageable.
The schemaversion value depends on the installed Sysmon version, so verify the schema version before applying the file:
The output of the above command:
Now apply the configuration and enable network connection logging with the command below (this assumes Sysmon itself is already installed).
sysmon -c -n c:\windows\network-test.xml
"-c" updates the Sysmon configuration.
"-n" enables network connection logging.
"c:\windows\network-test.xml" is the network connection configuration file defined earlier.
Reboot of the host machine is not required.
Output from the above command:
Validation of the updated configuration (sysmon -c with no file dumps the current configuration), showing network connection logging enabled and the rule configuration applied:
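As an added example that is not part of the original article, the PowerShell script below ties the two pieces together: it writes a NetworkConnect configuration of the same shape as the catch-all above but with a few exclusions of the kind suggested for production use, checks the declared schemaversion against what the installed sysmon.exe reports, applies it with the same -c -n invocation as above, reads the live configuration back, and then pulls the first Event ID 3 records from the Sysmon log. The file path, the specific exclusions, the -accepteula switch, and the exact wording it looks for in the output of sysmon -s and sysmon -c are assumptions; adjust them to your environment. Run it from an elevated prompt with sysmon.exe on the PATH.

```powershell
# Added example, not code from the original article. Assumptions are marked inline.
# Requires an elevated PowerShell session and sysmon.exe already installed and on PATH.

$ConfigPath = 'C:\Windows\network-test.xml'   # assumed: same path the article uses

# Same catch-all shape as the article, plus example exclusions (assumed noisy-but-benign
# traffic; tune for your estate). Filters inside one exclude block are OR'd: a connection
# matching ANY of them is dropped, everything else is logged as Event ID 3.
$ConfigXml = @'
<Sysmon schemaversion="4.20">
  <EventFiltering>
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">53</DestinationPort>
      <DestinationIp condition="is">127.0.0.1</DestinationIp>
      <Image condition="image">MsMpEng.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

# 1. Refuse to ship a file Sysmon cannot use: it must be well-formed XML with a NetworkConnect rule.
[xml]$doc = $ConfigXml
$declared = $doc.Sysmon.schemaversion
if (-not $doc.Sysmon.EventFiltering.NetworkConnect) {
    throw 'Config has no NetworkConnect rule; network logging would not be enabled.'
}

# 2. Compare the declared schema version with the one the installed binary supports.
#    "sysmon -s" prints the configuration schema; assumed to contain schemaversion="x.yy".
$schemaDump = (& sysmon.exe -s 2>&1) -join "`n"
if ($schemaDump -match 'schemaversion="(?<v>[\d.]+)"') {
    $supported = $Matches['v']
    if ([version]$declared -gt [version]$supported) {
        throw "Config declares schema $declared but this Sysmon only supports $supported"
    }
    Write-Host "Schema check OK: config $declared, binary supports up to $supported"
} else {
    Write-Warning 'Could not read a schema version from "sysmon -s" output; continuing anyway.'
}

# 3. Write the file and apply it the way the article does (-c = update config, -n = network logging).
Set-Content -Path $ConfigPath -Value $ConfigXml -Encoding ASCII
& sysmon.exe -accepteula -c -n $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "sysmon -c failed with exit code $LASTEXITCODE" }

# 4. Read the live configuration back. "sysmon -c" with no file dumps it; the line
#    "Network connection: enabled" is what the article's validation step shows (exact wording assumed).
$current = (& sysmon.exe -c 2>&1) -join "`n"
if ($current -notmatch 'Network connection:\s+enabled') {
    Write-Warning 'Sysmon does not report network connection logging as enabled.'
}

# 5. Generate one outbound connection and confirm Event ID 3 records land in the Sysmon log.
#    Parsing the event XML by field name avoids relying on the positional Properties[] order.
Invoke-WebRequest -Uri 'http://example.com' -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue | ForEach-Object {
    $f = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $f[$_.Name] = $_.'#text' }
    '{0}  {1}  {2} -> {3}:{4}/{5}' -f $f.UtcTime, $f.User, $f.Image, $f.DestinationIp, $f.DestinationPort, $f.Protocol
}
```

If step 5 prints nothing, the usual causes are that the configuration was not accepted (check the output of step 3) or that the test connection itself matched one of the exclusions; removing the exclusions returns you to the catch-all configuration from the article, which is the right baseline when you are still deciding what to filter.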