Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

This article explains how to install and configure Sysmon.  Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting. It is a part of popular set of troubleshooting tools called Sysinternals, the creation of none other than Mark Russonivich, Microsoft’s CTO of Azure.

Sysmon Official Download (from Microsoft): https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon Configuration: Sysmon_configuration.xml

Instructions

Follow these steps

  1. Download both Sysmon and the Sysmon configuration. The configuration is a locally hosted xml file.
  2. Extract Sysmon to a directory and place the configuration.xml in the same directory.
  3. Open Windows command prompt in 'Run as Administrator' mode and navigate to the sysmon directory.
  4. Use the following command to install and enable the sysmon service. - .\Sysmon.exe -i .\config_v14.xml -accepteula

     Wait for Install to finish.


Note: 

  1. Sysmon is an agent that needs to be installed on each Windows System that needs to be monitored.
  2. Sysmon will generate events that are visible in Windows Event Viewer.
  3. NXLog must be configured to send the Sysmon events to CCE using an updated Config.
Sysmon Specific NXLog Configuration
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
              <Select Path="Security">* </Select>\
              <Select Path="Application">* </Select>\
              <Select Path="Setup">* </Select>\
              <Select Path="System">* </Select>\
              <Select Path="Microsoft-Windows-Sysmon/Operational">* </Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_udp
    Host {CCE IP Address}
    Port 5154
    Exec to_json();
</Output>

<Route 1>
    Path in => out
</Route>


Sysmon Download Page - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Filter by label

There are no items with the selected labels at this time.



  • No labels

Seceon Inc. All rights reserved. https://www.seceon.com