Wazuh and Sysmon: Understanding the Telemetry Behind EDR Alerts

šŸ‘ļø

4

People viewed this post

Wazuh and Sysmon EDR Threat Hunting platforms

For a long time, I believed that learning the dashboard was the same thing as learning security.

If a SOC analyst used Microsoft Defender, CrowdStrike Falcon, SentinelOne, Wazuh, or any other security platform, I assumed the most important thing was understanding the interface.

After completing multiple endpoint investigations, I realized something much more important.

The dashboard is not the investigation. The evidence is.

This realization became obvious after completing a series of Windows Event Logs, Sysinternals, Sysmon, Osquery, Wazuh, Monday Monitor, and endpoint investigation exercises.

By the end of the journey, I no longer viewed alerts as isolated notifications.

I began seeing them as stories built from telemetry. And that changed everything.

The Mistake Most Beginners Make

When most of us first enter cybersecurity, we often ask:

  • Which SIEM should I learn?
  • Which EDR should I learn?
  • Which dashboard is used most often?

These are valid questions. However, there is a more important question.

What information does the tool actually show?

For example:

When an EDR displays:

Process Creation Alert

What generated that alert?

When an EDR displays:

Suspicious Network Connection

Where did that information originate?

When an EDR displays:

Registry Persistence Detected

What evidence supports that conclusion?

These questions led me down a path that completely changed how I approach investigations.

Learning Windows Event Logs

The journey began with Windows Event Logs.

Initially, Windows Event Viewer felt overwhelming.

Thousands of events. Hundreds of Event IDs. Multiple log sources.

It felt impossible to know where to start.

Eventually, I learned that Event IDs tell stories.

A single Event ID can reveal:

  • Logons
  • PowerShell execution
  • Service creation
  • User account activity
  • Scheduled tasks
  • Log clearing

One exercise involved analyzing PowerShell Operational Logs.

At first, finding the required events felt difficult.

I struggled to identify:

  • Event ID 4103
  • Event ID 4104
  • Event ID 800

Eventually I learned that filtering logs is often more important than reading logs.

That lesson carried forward into every investigation that followed.

Sysinternals – Understanding the Endpoint

The next stage introduced Sysinternals.

This was my first exposure to tools that interact directly with Windows internals.

I learned how to:

  • Identify Alternate Data Streams (ADS)
  • Examine digital signatures
  • Investigate TCP connections
  • Detect suspicious files
  • Understand secure deletion techniques

One lesson that stood out involved ADS.

I discovered how attackers can hide information within files without changing what users normally see.

At first it seemed like a niche technique.

Later, during persistence investigations, I discovered why it matters.

Sysmon Changed Everything

If there was one room that transformed my understanding of endpoint investigations, it was Sysmon.

Unlike Event Viewer, Sysmon felt purpose-built for defenders.

Instead of drowning me in logs, it provided highly relevant security telemetry.

The most valuable Event IDs quickly became:

  • Event ID 1 – Process Creation
  • Event ID 3 – Network Connections
  • Event ID 11 – File Creation
  • Event ID 13 – Registry Modifications

With just those events, I was able to reconstruct entire attack chains.

USB Malware Investigation

One investigation involved malware execution from a USB device.

Using Sysmon and registry artifacts, I identified:

  • Connected USB device
  • Raw disk access
  • rundll32.exe execution

The attack chain became visible.

HTA Malware Investigation

Another investigation involved a seemingly harmless HTML file.

The file eventually launched:

mshta.exe

which executed:

update.hta

and established outbound communications.

Without Sysmon telemetry, the activity would have appeared far less suspicious.

Persistence Investigations

The most interesting investigations involved persistence.

Attackers stored payloads:

  • In the registry
  • Within Alternate Data Streams
  • Through Scheduled Tasks

Instead of searching blindly, I learned to focus on:

  • Event ID 3
  • Event ID 13

Those two event types often revealed everything I needed.

For the first time, I felt less like a student solving lab questions and more like an analyst building a timeline.

Osquery – Asking Better Questions

After learning Sysmon, I assumed Osquery would be another monitoring tool.

Instead, it taught me a completely different skill.

Asking questions.

Sysmon tells you what happened.

Osquery helps you discover what exists.

Using Osquery, I investigated:

  • Installed applications
  • Running services
  • Registry entries
  • Startup programs
  • User execution history

One exercise required identifying:

DiskWipe.exe

Another involved locating:

ProtonVPN

I also discovered startup persistence through:

batstartup.bat

What made Osquery unique was that it encouraged investigation through questioning.

Instead of:

"Show me alerts."

The mindset became:

"What evidence should exist?"

That small shift had a major impact on how I approached endpoint investigations.

Finally Understanding Wazuh

Before using Wazuh, I had heard countless people talk about it.

I expected it to completely change my perspective.

Instead, my first reaction was:

"I don't get the hype." Sorry...

Initially, the room felt underwhelming.

Then I realized why.

By the time I reached Wazuh, I already understood:

  • Windows Event Logs
  • Sysmon
  • Osquery
  • Persistence mechanisms
  • PowerShell activity
  • Network telemetry

Wazuh wasn't teaching me new evidence.

Wazuh was showing me existing evidence through a dashboard.

That distinction was important. Eventually I understood Wazuh's real value.

It centralizes telemetry from multiple endpoints and makes investigations easier at scale.

Instead of manually checking:

  • Event Logs
  • Sysmon
  • Registry
  • Services

on dozens of systems, Wazuh provides centralized visibility.

Monday Monitor – The Missing Piece

The Monday Monitor scenario finally connected everything.

The attack chain included:

  • Malicious Excel document
  • Scheduled Task persistence
  • Registry-stored payload
  • Encoded PowerShell commands
  • Credential dumping
  • Data exfiltration

The investigation felt familiar because I had already seen similar techniques in Sysmon.

The difference was that Wazuh surfaced the activity through detections and alerts.

This was the moment I truly understood the relationship between telemetry and EDR platforms.

Retracted – Building the Full Timeline

The final investigation involved ransomware.

A user downloaded:

antivirus.exe

The malware:

  • Encrypted files
  • Added a .dmp extension
  • Contacted a remote IP
  • Displayed a ransom note

Then the story took an unexpected turn.

The attacker later connected through RDP.

After discovering the victim was a charity organization, the attacker downloaded a decryptor and restored the files.

The attacker then left a final message before disappearing.

This investigation reinforced one of the most important skills in digital forensics.

Timeline analysis.

Every artifact mattered:

  • Process execution
  • Network connections
  • File modifications
  • User activity

The timeline told the story.

What I Learned About EDR

One realization stayed with me throughout this journey.

Most EDR products are built on telemetry.

When Microsoft Defender, CrowdStrike Falcon, SentinelOne, or Wazuh displays an alert, there is usually underlying evidence behind it.

For example:

Process Creation Alert

often maps directly to:

Sysmon Event ID 1

Network Connection Alert

often maps directly to:

Sysmon Event ID 3

Persistence Detection

often maps directly to:

Registry or Scheduled Task telemetry

Learning Sysmon taught me how those alerts are created.

Learning Wazuh showed me how they are presented.
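The alert-to-telemetry mapping above, and the persistence hunting described earlier (narrowing to Event ID 3 and Event ID 13), can be shown end to end with a short script that takes raw Sysmon events and rebuilds the timeline an EDR console would summarise as alerts. This is an added example, not code from the post, from Sysmon or from Wazuh: the events are constructed to resemble the mshta.exe / update.hta chain, they use Sysmon's own field names (Image, ProcessGuid, TargetObject, ...), and the flat dict layout is an assumption rather than the exact schema a Wazuh agent forwards. It goes a little beyond the text by also flagging Run-key writes and Alternate Data Stream file creations as persistence evidence.

```python
"""Rebuild an EDR-style alert chain from raw Sysmon telemetry (added example)."""
from datetime import datetime

# Sysmon Event ID -> the alert category an EDR console typically labels it with
EVENT_CATEGORY = {
    1: "Process Creation",
    3: "Network Connection",
    11: "File Creation",
    13: "Registry Modification",
}

# Constructed sample telemetry (not real logs): a browser drops update.hta,
# mshta.exe runs it, calls out, and writes an autorun value. Deliberately
# out of order so the timeline step has something to do.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-06 09:14:02.100", "ProcessGuid": "{G-1}",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\user\\Downloads\\update.hta",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"EventID": 3, "UtcTime": "2024-05-06 09:14:03.400", "ProcessGuid": "{G-1}",
     "Image": "C:\\Windows\\System32\\mshta.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 13, "UtcTime": "2024-05-06 09:14:05.000", "ProcessGuid": "{G-1}",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\update.hta"},
    {"EventID": 11, "UtcTime": "2024-05-06 09:13:50.000", "ProcessGuid": "{G-0}",
     "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "TargetFilename": "C:\\Users\\user\\Downloads\\update.hta"},
]

# Script hosts / LOLBins whose activity deserves a second look (assumed list)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")
RUN_KEY_MARKER = "\\currentversion\\run"


def basename(path):
    """Last path component, so 'C:\\Windows\\System32\\mshta.exe' -> 'mshta.exe'."""
    return path.rsplit("\\", 1)[-1]


def reasons(event):
    """Evidence-based reasons an analyst would flag this single event; [] if none."""
    eid = event["EventID"]
    name = basename(event.get("Image", "")).lower()
    found = []
    if eid == 1 and name in SCRIPT_HOSTS:
        found.append(f"{name} launched by {basename(event.get('ParentImage', ''))}")
    if eid == 3 and event.get("Initiated") == "true" and name in SCRIPT_HOSTS:
        found.append(f"{name} initiated outbound connection to "
                     f"{event.get('DestinationIp')}:{event.get('DestinationPort')}")
    if eid == 13 and RUN_KEY_MARKER in event.get("TargetObject", "").lower():
        found.append("autorun value written under a Run key: " + event.get("Details", ""))
    # A colon in the file name (not the drive letter) means an Alternate Data Stream
    if eid == 11 and ":" in basename(event.get("TargetFilename", "")):
        found.append("file written to an Alternate Data Stream")
    return found


def build_timeline(events):
    """Order raw telemetry by UtcTime and attach the alert category each EventID maps to."""
    ordered = sorted(events, key=lambda e: datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    return [{
        "time": e["UtcTime"],
        "event_id": e["EventID"],
        "category": EVENT_CATEGORY.get(e["EventID"], f"Sysmon EID {e['EventID']}"),
        "guid": e.get("ProcessGuid"),
        "image": basename(e.get("Image", "")),
        "reasons": reasons(e),
    } for e in ordered]


def attack_chain(events, guid):
    """Every event sharing one ProcessGuid, in time order: the evidence an EDR
    'Process Creation' alert plus its follow-on network/registry alerts rest on."""
    return [t for t in build_timeline(events) if t["guid"] == guid]


def flagged(events):
    """Only the timeline entries that carry at least one reason, i.e. the 'alerts'."""
    return [t for t in build_timeline(events) if t["reasons"]]


if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_EVENTS):
        mark = "!" if entry["reasons"] else " "
        print(f"{mark} {entry['time']}  EID {entry['event_id']:>2}  {entry['category']:<22} "
              f"{entry['image']}  {'; '.join(entry['reasons'])}")
```

Each flagged line is what a console would render as "Process Creation Alert", "Suspicious Network Connection" or "Registry Persistence Detected"; the ProcessGuid is what ties the three together, which is why an analyst pivoting from a single alert back to the raw Event ID 1, 3 and 13 records can recover the whole chain.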

SOC Analyst Report Notes

Key Findings

  • Registry-based persistence identified.
  • Alternate Data Streams used to conceal payloads.
  • Scheduled Task persistence observed.
  • Empire C2 communications detected.
  • Credential dumping activity identified.
  • Malicious HTA execution detected.
  • User execution artifacts analyzed.
  • Ransomware activity reconstructed through timeline analysis.

Recommendations

  • Deploy Sysmon across Windows endpoints.
  • Centralize logs through SIEM or Wazuh.
  • Monitor PowerShell execution closely.
  • Alert on suspicious scheduled task creation.
  • Monitor registry modifications.
  • Conduct periodic endpoint threat hunting using Osquery.
  • Build investigations around telemetry rather than dashboards.

Final Thoughts

This journey taught me something I did not expect. The most valuable lesson was not learning a platform.

The most valuable lesson was understanding the evidence underneath the platform.

Sysmon taught me how attackers leave traces. Osquery taught me how to ask better questions. Wazuh taught me how organizations centralize visibility.

Together, they changed how I think about Endpoint Security Monitoring, Threat Hunting, and Incident Response.

And perhaps most importantly, they taught me that a good SOC analyst does not start with alerts.

A good SOC analyst starts with evidence.

Enjoyed this?

Explore more intriguing topics and take a look at my cybermap for more.