Sysmon Network Events Feature Request

[c2defense]

Two very popular open source programs (Zeek and Suricata) used as passive network sensors and Intrusion Detection Systems (IDS) have implemented a "Community Flow ID". This flow hash is a calculation of the IP src / IP dst / IP proto / source port / dest port fields that results in a common hash that be correlated between the two systems.

The original specification is here: https://github.com/corelight/community-id-spec

If this calculation is added as an additional field in the Network Event ID 3, then network connections could be correlated between a host sysmon's log and a network sensor's log in a SIEM.

See bro's implementation here: https://github.com/corelight/bro-community-id
See Suricata's implementation here: OISF/suricata#3507

Auditbeat by ElasticCo provides a "Sysmon" like capability for Linux systems by logging process creations and network events by process. They have also implemented the Community ID specification. This allows for correlation of the network connection logged by the host to the IDS events. See their implementation here: https://www.elastic.co/guide/en/beats/auditbeat/7.x/community-id.html

[analyze-v]

This is a great suggestion. Have added it to the Sysmon backlog for review

[ckreibich]

@analyze-v do you have any updates regarding this? Thanks!

[00willo]

Anything further? This would be great to see included.