What is the purpose of Sysmon in Windows incident response, and what kind of events should you collect?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What is the purpose of Sysmon in Windows incident response, and what kind of events should you collect?

Explanation:
Sysmon (System Monitor, from the Microsoft Sysinternals suite) is a Windows service and driver that records detailed, structured events about system activity which the standard Windows logs either omit or capture only thinly. It writes them to the Microsoft-Windows-Sysmon/Operational event log, where every record carries named fields such as UtcTime, ProcessGuid, Image, CommandLine and ParentImage, so the data is easy to search, pivot on and correlate with other sources. In incident response this gives you a clear view of what processes did, how they communicated, and which files or registry keys they touched.

Its purpose is to supply behavioral telemetry well beyond default logging. The events worth collecting start with process creation (Event ID 1), which records the full command line, parent process and parent command line, user, integrity level and file hashes; it is the single most useful event for reconstructing how a backdoor launched and which utilities it ran, and it carries details that the Security log's process creation event (4688) lacks, such as hashes and a process GUID that stays unique even when the PID is reused. Network connections (Event ID 3) record the initiating process, source and destination addresses, ports and protocol, which exposes command-and-control traffic and lateral movement. Driver loads (Event ID 6) and image loads (Event ID 7) show unsigned or unexpected drivers and DLLs, though image loads are high volume and must be filtered. CreateRemoteThread (Event ID 8) and process access (Event ID 10) reveal injection and credential theft, for example a handle opened to lsass.exe. File creation (Event ID 11) and file creation time changes (Event ID 2) catch dropped tools and timestomping. Registry key and value changes (Event IDs 12 to 14) cover Run keys, services and other persistence mechanisms. Named pipes (Event IDs 17 and 18), WMI subscriptions (Event IDs 19 to 21) and DNS queries (Event ID 22) cover channels that lateral movement, persistence and C2 resolution commonly use.

Together these let you trace attacker techniques, such as how a backdoor launches, what utilities it uses, where it moves laterally and what persistence it installs, and assemble a coherent timeline of activity. Two caveats matter in practice. Sysmon logs only a small default subset until you deploy a configuration file; network connections and image loads, for instance, are off until enabled, and without filtering rules the volume from image-load and registry events is unmanageable. And because an attacker with administrative rights can stop the service, alter the configuration or clear the log, the events should be forwarded off the host (to a SIEM or log collector) as they are written.

You should collect Sysmon events and correlate them with other logs (the Security event log, network and application logs, and threat intelligence) to strengthen detection and investigation. Sysmon is not an antivirus tool, not a memory capture tool, and not limited to user logons; it is a focused source of detailed behavioral telemetry for threat hunting and incident response.

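As an added example (not part of the original page or of the FOR508 material), the following Python script shows why Sysmon's structured fields make the correlation described above mechanical. It parses constructed Event ID 1 and Event ID 3 records in the XML shape the Microsoft-Windows-Sysmon/Operational channel renders, keys them by ProcessGuid rather than PID, walks the parent chain, and flags a scripting host spawned under an Office application that then connects out. All events, GUIDs, PIDs, paths and addresses are invented for the demonstration, and the Office/scripting-host heuristic is a starting point to tune against your own environment, not a rule from the page.

```python
"""Correlate Sysmon EventID 1 (process create) and EventID 3 (network connection)
records by ProcessGuid to reconstruct how each connecting process was launched."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample records (not real telemetry) in the XML shape Get-WinEvent's
# ToXml() renders for Microsoft-Windows-Sysmon/Operational. Only the fields used
# below are present; GUIDs, PIDs, user, paths and addresses are invented.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2024-05-01 10:02:11.120</Data><Data Name="ProcessGuid">{A1B2C3D4-0001-0000-0000-000000000001}</Data><Data Name="ProcessId">4312</Data>
<Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
<Data Name="CommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docm"</Data>
<Data Name="User">CORP\jdoe</Data><Data Name="ParentProcessGuid">{A1B2C3D4-0000-0000-0000-000000000000}</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
</EventData></Event>""",
    # Word itself reaching the internet: frequent and usually benign.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2024-05-01 10:02:14.003</Data><Data Name="ProcessGuid">{A1B2C3D4-0001-0000-0000-000000000001}</Data>
<Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
<Data Name="Protocol">tcp</Data><Data Name="DestinationIp">198.51.100.20</Data><Data Name="DestinationPort">443</Data>
</EventData></Event>""",
    # The macro spawned an encoded PowerShell command under WINWORD.EXE ...
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2024-05-01 10:02:19.551</Data><Data Name="ProcessGuid">{A1B2C3D4-0002-0000-0000-000000000002}</Data><Data Name="ProcessId">5120</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA==</Data>
<Data Name="User">CORP\jdoe</Data><Data Name="ParentProcessGuid">{A1B2C3D4-0001-0000-0000-000000000001}</Data>
<Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
</EventData></Event>""",
    # ... and that PowerShell connected out.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2024-05-01 10:02:20.870</Data><Data Name="ProcessGuid">{A1B2C3D4-0002-0000-0000-000000000002}</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="Protocol">tcp</Data><Data Name="DestinationIp">203.0.113.45</Data><Data Name="DestinationPort">443</Data>
</EventData></Event>""",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_CMD = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

def parse_sysmon_event(xml_text):
    """Flatten one rendered event into {"EventID": int, <Data Name>: str, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for data in root.iter(f"{NS}Data"):
        event[data.get("Name")] = (data.text or "").strip()
    return event

def index_processes(events):
    """ProcessGuid -> EventID 1 record. Key on the GUID, not the PID: Windows reuses
    PIDs after a process exits, while Sysmon's GUID is unique per process instance."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}

def ancestry(guid, procs, max_depth=16):
    """Image paths from the process upward; falls back to the recorded ParentImage
    when the parent's own EventID 1 was never captured (e.g. it predates Sysmon)."""
    chain, seen = [], set()
    while guid in procs and guid not in seen and len(chain) < max_depth:
        seen.add(guid)
        rec = procs[guid]
        chain.append(rec["Image"])
        guid = rec["ParentProcessGuid"]
        if guid not in procs:
            chain.append(rec["ParentImage"])
    return chain

def correlate_connections(events):
    """Attach the launching chain to every EventID 3 and apply a starting heuristic:
    a scripting host with an Office ancestor connecting out deserves a look."""
    procs = index_processes(events)
    findings = []
    for e in events:
        if e["EventID"] != 3:
            continue
        names = [p.rsplit("\\", 1)[-1].lower() for p in ancestry(e["ProcessGuid"], procs)]
        cmdline = procs.get(e["ProcessGuid"], {}).get("CommandLine", "")
        findings.append({
            "time": e["UtcTime"],
            "chain": " <- ".join(names),
            "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            "encoded_cmd": bool(ENCODED_CMD.search(cmdline)),
            "suspicious": bool(names) and names[0] in SCRIPT_HOSTS
            and any(n in OFFICE_APPS for n in names[1:]),
        })
    return findings

if __name__ == "__main__":
    for f in correlate_connections([parse_sysmon_event(x) for x in SAMPLE_EVENTS]):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{f["time"]}  {verdict:10}  {f["dest"]:18}  {f["chain"]}'
              f'{"  [encoded command]" if f["encoded_cmd"] else ""}')
```

Run stand-alone, the script prints one line per network connection with the full launch chain; Word's own connection is reported as ordinary while the PowerShell child spawned from the document is flagged, with the encoded command noted. The same pattern extends to the other Sysmon event types: anything carrying a ProcessGuid (image loads, registry changes, file creates, DNS queries) can be attached to its process tree the same way, which is what makes Sysmon data suitable for timeline building rather than isolated alerting.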
