
Enable Sysmon in Endpoint Agent

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Pre-requisites

Sysmon must be installed on the Windows system.

If Sysmon is installed, the Log Name Microsoft-Windows-Sysmon/Operational is shown in the Event Viewer.

Configuration

These steps are only mandatory in versions 1.1 and below. From version 1.2, the queries are included by default in a standard deployment.

To set up Devo EA Manager for Sysmon, we need to modify the deam_fleet_config_agent_opts_win_windows_event_channels flag so that the Universal Agent retrieves Sysmon events, and add a new query to send the data to Devo.

This can be accomplished in two different ways:

  • Using the admin page in the EA Manager.

  • Modifying the inventory file and redeploying the deam-packs playbook.

If you just installed Sysmon, remember to restart the Windows Endpoint.

Adding the Sysmon channel to the Windows configuration

Using Ansible roles

Modify the inventory to add the flags and the paths to monitor.

  1. Locate the inventory file we used in our Devo EA Manager deployment.

  2. Open it with your preferred text editor and search for the deam_fleet_config_agent_opts_win_windows_event_channels key under vars (or add it if it does not exist).

     

  3. Modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot.

     

  4. If this is the first time the EA Manager is deployed, continue with the installation process normally. If the environment has already been deployed, run the deam-packs playbook:

    cd $HOME/devo-ea-deployer
    source "/opt/ansible-2.9/venv/bin/activate"
    ansible-playbook -i inventories/<inventory_name.yaml> playbooks/deam-packs.yaml

Using the admin page in the EA Manager web UI

  1. Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080)

  2. Once logged in, access the osquery configuration at https://<DEAM_IP>:8080/ -> Settings -> Global agent options

     

  3. Here, we will see a text editor with the default configuration values and the ones loaded from the DEA Manager inventory file, as in the following screenshot:

     

  4. Search for the windows_event_channels flag and modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot:

Excluding Sysmon from the events_windows default query

We need to exclude Sysmon events from the default query to avoid duplicate events in our domain.

  1. In the Devo EA Manager, click on “Queries” in the left menu and search for the “Create New Query” button:

     

     

  2. Filter queries by devo_other_sources_win_events and click on edit query:

     

  3. Modify the query by adding 'microsoft-windows-sysmon/operational' to the excluded list:

    Complete query:

    SELECT *, "events_windows.other_sources" || "." || eventid as __devoSubTag FROM windows_events WHERE lower(source) NOT IN ('application', 'setup', 'security', 'system', 'microsoft-windows-powershell/operational', 'microsoft-windows-powershell/admin', 'microsoft-windows-sysmon/operational');

  4. Save the changes.

Sending to Devo

We need to configure a new pack with two new queries for sending the data to Devo.

  1. In the Devo EA Manager, click on “Queries” in the left menu and search for the “Create New Query” button.

     

  2. We need to create a new query with the following SQL code:

    SELECT *, "events_windows.sysmon" || "." || eventid as __devoSubTag FROM windows_events WHERE lower(source) IN ('microsoft-windows-sysmon/operational');

     

  3. Save it; you will be asked for a name and a description.

  4. Now, click on “Packs” in the left menu and search for the “New Pack” button. Alternatively, the query can be added to an existing pack.

     

  5. Name it as you wish, select the target hosts that are affected and save it.

     

  6. Once saved, add the previously created queries or the existing ones (adding the interval and the affected hosts for each query).

     

  7. Save the changes.
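The two queries above (the edited devo_other_sources_win_events query and the new Sysmon query) are meant to partition the windows_events table so that no event is shipped twice. The following is an added example, not part of this page or of the Devo EA Manager product: it runs both queries against an in-memory SQLite table (osquery's SQL engine is SQLite) populated with constructed sample rows, and shows that without the 'microsoft-windows-sysmon/operational' exclusion the Sysmon rows are returned by both queries, while with it each row goes to exactly one query. The table columns, the sample events and the "before" exclusion list are assumptions; the tag prefixes are written as standard single-quoted literals, which SQLite treats the same as the page's double-quoted form.

```python
import sqlite3

# Constructed sample rows standing in for osquery's windows_events table.
# Only the columns the page's queries reference (source, eventid) plus a
# description are modelled; the real table has more.
SAMPLE_EVENTS = [
    ("Microsoft-Windows-Sysmon/Operational", 1, "Sysmon: process create"),
    ("Microsoft-Windows-Sysmon/Operational", 3, "Sysmon: network connection"),
    ("Security", 4624, "successful logon"),
    ("Application", 1000, "application error"),
    ("Microsoft-Windows-PowerShell/Operational", 4104, "script block"),
    ("Microsoft-Windows-TaskScheduler/Operational", 106, "task registered"),
]

# Exclusion list of devo_other_sources_win_events before the edit described on
# the page (assumed to match the page's query minus the Sysmon channel) and after.
OTHER_SOURCES_EXCLUDED_BEFORE = (
    "application", "setup", "security", "system",
    "microsoft-windows-powershell/operational",
    "microsoft-windows-powershell/admin",
)
OTHER_SOURCES_EXCLUDED_AFTER = OTHER_SOURCES_EXCLUDED_BEFORE + (
    "microsoft-windows-sysmon/operational",
)


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite table populated with the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE windows_events (source TEXT, eventid INTEGER, data TEXT)"
    )
    conn.executemany("INSERT INTO windows_events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def other_sources_query(conn, excluded):
    """Run the 'other sources' query with the given exclusion list.

    Returns (source, __devoSubTag) tuples in event-id order. The subtag is
    built exactly as in the page's query: prefix || '.' || eventid.
    """
    placeholders = ", ".join("?" for _ in excluded)
    sql = (
        "SELECT source, 'events_windows.other_sources' || '.' || eventid AS __devoSubTag "
        "FROM windows_events WHERE lower(source) NOT IN (" + placeholders + ") "
        "ORDER BY eventid"
    )
    return conn.execute(sql, excluded).fetchall()


def sysmon_query(conn):
    """Run the new Sysmon query from the page and return (source, __devoSubTag) tuples."""
    sql = (
        "SELECT source, 'events_windows.sysmon' || '.' || eventid AS __devoSubTag "
        "FROM windows_events WHERE lower(source) IN ('microsoft-windows-sysmon/operational') "
        "ORDER BY eventid"
    )
    return conn.execute(sql).fetchall()


def duplicated_sources(other_rows, sysmon_rows):
    """Sources returned by both queries, i.e. channels whose events reach Devo twice."""
    return sorted({src for src, _ in other_rows} & {src for src, _ in sysmon_rows})


if __name__ == "__main__":
    db = build_db()
    sysmon_rows = sysmon_query(db)
    print("before exclusion, duplicated:",
          duplicated_sources(other_sources_query(db, OTHER_SOURCES_EXCLUDED_BEFORE), sysmon_rows))
    print("after exclusion, duplicated:",
          duplicated_sources(other_sources_query(db, OTHER_SOURCES_EXCLUDED_AFTER), sysmon_rows))
    print("sysmon subtags:", [tag for _, tag in sysmon_rows])
```

Running the script prints the Sysmon channel as duplicated with the old exclusion list and an empty list with the new one; any channel not named in either query (the TaskScheduler row here) keeps flowing through the other_sources query, so extending the exclusion list is safe for everything except the channel you are moving.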

Data access

By default, the Sysmon data sent by the agent is ingested into Devo under box.devo_ea.windows_events.sysmon.
