Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

This article explains how to install and configure Sysmon.  Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting. It is a part of popular set of troubleshooting tools called Sysinternals, the creation of none other than Mark Russonivich, Microsoft’s CTO of Azure.

Prerequisite:

Sysmon Official Download (from Microsoft): https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

...

  1. Download both Sysmon and the Sysmon configuration. The configuration is a locally hosted xml file.
  2. Extract Sysmon to a directory and place the configuration.xml in the same directory.
  3. Open Windows command prompt in 'Run as Administrator' mode and navigate to the sysmon directory.
  4. Use the following command to install and enable the sysmon service. - .\Sysmon.exe -i .\config_v14.xml -accepteula

     Wait for Install to finish.

...

Code Block
languagexml
titleSysmon Specific NXLog Configuration
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
              <Select Path="Security">* </Select>\
              <Select Path="Application">* </Select>\
              <Select Path="Setup">* </Select>\
              <Select Path="System">* </Select>\
              <Select Path="Microsoft-Windows-Sysmon/Operational">* </Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_udp
    Host {CCE IP Address}
    Port 5154
    Exec to_json();
</Output>

<Route 1>
    Path in => out
</Route>


VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI


STEP 1: Login to UI >> SYSTEM

Image Added

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

Image Added

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Image Added

Using CCE SERVER

“sudo tcpdump -i any host 5154 and host <IP address> -AAA” command should be ran on CCE server to check whether or not we are getting logs .



Related articles:

Sysmon Download Page - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

...

Page Properties
hiddentrue


Related issues

VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Login to UI >> SYSTEM

Image Removed

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

Image Removed

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Image Removed

Using CCE SERVER

...