Enable Sysmon in Endpoint Agent
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Configuration
To set up Devo EA Manager for Sysmon, you must modify the windows_event_channels flag so that Endpoint Agent retrieves Sysmon events, and add a new query to send the data to Devo.
This can be accomplished in two different ways:
- Using the admin page in the EA Manager.
- Modifying the options.yaml file and redeploying the deam-packs playbook.
Adding Sysmon channel to windows configuration
Using Ansible roles
Modify the options.yaml file to add the flags and the paths to monitor.
- Search for the options.yaml file in the Devo EA Manager installer (usually in playbooks/roles/deam-packs/files/devo-packs/options.yaml).
- Open it with your preferred text editor and search for the windows_event_channels tag in the windows section.
- Modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot.
- If this is the first time the EA Manager is deployed, continue with the installation process normally. If the environment has already been deployed, run the deam-packs playbook:
cd $HOME/devo-ea-deployer
ansible-playbook -i inventories/<inventory_name.yaml> playbooks/deam-packs.yaml
Use admin page in EA Manager Web UI
- Log into your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).
- Go to the osquery configuration page by adding /admin/osquery to the URL (for example, https://<devo_ea_manager_ip>:8080/admin/osquery).
- Here, you see a text editor with the loaded DEA Manager options.yaml file, as in the following screenshot.
- Search for the windows_event_channels flag and modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot.
Excluding Sysmon from events_windows default query
You need to exclude Sysmon events from the default query: otherwise each Sysmon event would be sent both by the default other-sources query and by the new Sysmon query, producing duplicate events in the domain.
- In the Devo EA Manager, click on Queries in the left menu and search for the Create New Query button.
- Filter queries by devo_other_sources_win_events and click on edit query.
- Modify the query by adding microsoft-windows-sysmon/operational to the excluded list and save the changes.
Complete query:
SELECT *, "events_windows.other_sources" || "." || eventid AS __devoSubTag
FROM windows_events
WHERE lower(source) NOT IN ('application', 'setup', 'security', 'system', 'microsoft-windows-powershell/operational', 'microsoft-windows-powershell/admin', 'microsoft-windows-sysmon/operational');
Sending to Devo
To send the data to Devo, you must configure a new pack with two new queries.
1. In the Devo EA Manager, click on Queries in the left menu and search for the Create New Query button.
2. Create a new query with the following SQL code:
SELECT *, "events_windows.sysmon" || "." || eventid AS __devoSubTag
FROM windows_events
WHERE lower(source) IN ('microsoft-windows-sysmon/operational');
3. You can name it as you wish. Select the corresponding hosts group for each query and save it.
4. Now, click on Packs in the left menu and search for the New Pack button. Alternatively, the queries can be added to an existing pack.
5. Name it as you wish, select the host targets that are affected, and save it.
6. Once saved, add the previously created queries (setting the interval and the affected hosts for each query).
7. Save the changes.
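As an added example (not part of this Devo documentation), the following Python script runs the two pack queries from this page against a constructed windows_events table in SQLite and shows that Sysmon events are emitted exactly once only when the exclusion above is in place. The table shape and sample rows are assumptions, and the page's double-quoted tag literals are written with single quotes so that a plain SQLite build accepts them.

```python
"""Model of this page's two osquery pack queries, run in SQLite against a
constructed windows_events table (not real osquery output) to show why
Sysmon must be excluded from the default events_windows query."""
import sqlite3

# Constructed sample rows in the shape of osquery's windows_events table.
SAMPLE_EVENTS = [
    ("Microsoft-Windows-Sysmon/Operational", 1),        # Sysmon process create
    ("Microsoft-Windows-Sysmon/Operational", 3),        # Sysmon network connect
    ("Security", 4624),                                 # logon
    ("Microsoft-Windows-PowerShell/Operational", 4104),
    ("Microsoft-Windows-TaskScheduler/Operational", 106),
]

# Exclusion list of the default devo_other_sources_win_events query, with
# microsoft-windows-sysmon/operational appended as the page instructs.
EXCLUDED_WITH_SYSMON = (
    "application", "setup", "security", "system",
    "microsoft-windows-powershell/operational",
    "microsoft-windows-powershell/admin",
    "microsoft-windows-sysmon/operational",
)

# The page's queries, with single-quoted tag literals (osquery's SQLite
# accepts the double-quoted form; plain SQLite builds may reject it).
OTHER_SOURCES_SQL = """SELECT *, 'events_windows.other_sources' || '.' || eventid
  AS __devoSubTag FROM windows_events WHERE lower(source) NOT IN ({})"""
SYSMON_SQL = """SELECT *, 'events_windows.sysmon' || '.' || eventid
  AS __devoSubTag FROM windows_events
  WHERE lower(source) IN ('microsoft-windows-sysmon/operational')"""


def route_events(events=SAMPLE_EVENTS, excluded=EXCLUDED_WITH_SYSMON):
    """Run both queries and return {(source, eventid): [subtags emitted]}."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE windows_events (source TEXT, eventid INTEGER)")
    con.executemany("INSERT INTO windows_events VALUES (?, ?)", events)
    placeholders = ", ".join("?" * len(excluded))
    routed = {ev: [] for ev in events}
    for sql, params in ((OTHER_SOURCES_SQL.format(placeholders), excluded),
                        (SYSMON_SQL, ())):
        for source, eventid, subtag in con.execute(sql, params):
            routed[(source, eventid)].append(subtag)
    con.close()
    return routed


def duplicated_events(routed):
    """Events emitted by more than one query, i.e. ingested twice in Devo."""
    return sorted(ev for ev, tags in routed.items() if len(tags) > 1)
```

Calling route_events(excluded=EXCLUDED_WITH_SYSMON[:-1]) reproduces the pre-exclusion state, where every Sysmon row is returned by both queries.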
Data access
By default, all uploaded Sysmon events are ingested into Devo under box.devo_ea.windows_events.sysmon.