Table of Contents |
---|
...
This article explains how to install and configure Sysmon. Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting. It is a part of popular set of troubleshooting tools called Sysinternals, the creation of none other than Mark Russonivich, Microsoft’s CTO of Azure.
Prerequisite:
Sysmon Official Download (from Microsoft): https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
...
- Download both Sysmon and the Sysmon configuration. The configuration is a locally hosted xml file.
- Extract Sysmon to a directory and place the configuration.xml in the same directory.
- Open Windows command prompt in 'Run as Administrator' mode and navigate to the sysmon directory.
- Use the following command to install and enable the sysmon service. - .\Sysmon.exe -i .\config_v14.xml -accepteula
Wait for Install to finish.
...
Code Block | ||||
---|---|---|---|---|
| ||||
## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _json> Module xm_json </Extension> <Input in> Module im_msvistalog Query <QueryList>\ <Query Id="0">\ <Select Path="Security">* </Select>\ <Select Path="Application">* </Select>\ <Select Path="Setup">* </Select>\ <Select Path="System">* </Select>\ <Select Path="Microsoft-Windows-Sysmon/Operational">* </Select>\ </Query>\ </QueryList> </Input> <Output out> Module om_udp Host {CCE IP Address} Port 5154 Exec to_json(); </Output> <Route 1> Path in => out </Route> |
VERIFICATION OF CONFIGURATION
Verification can be done either from CCE Server or from UI.
Using UI
STEP 1: Login to UI >> SYSTEM
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .
STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.
Using CCE SERVER
“sudo tcpdump -i any host 5154 and host <IP address> -AAA” command should be ran on CCE server to check whether or not we are getting logs .
Related articles:
Sysmon Download Page - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
...
Page Properties | ||
---|---|---|
| ||
|
VERIFICATION OF CONFIGURATION
Verification can be done either from CCE Server or from UI.
Using UI
STEP 1: Login to UI >> SYSTEM
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .
STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.
Using CCE SERVER
...