Enable Sysmon in Endpoint Agent

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Pre-requisites

Sysmon must be installed on the Windows system.

If Sysmon is installed, the Log Name Microsoft-Windows-Sysmon/Operational is shown in the Event Viewer.

Configuration

These steps are only mandatory in versions 1.1 and below. From 1.2 onwards, the queries are included by default in a standard deployment.

To set up Devo EA Manager for Sysmon we need to modify the deam_fleet_config_agent_opts_win_windows_event_channels flag so that the Universal Agent retrieves Sysmon events, and then add the new query that sends the data to Devo.

This can be accomplished in two different ways:

  • Using the admin page in the EA Manager.

  • Modifying the inventory file and redeploying the deam-packs playbook.

If you just installed Sysmon, remember to restart the Windows Endpoint.

Adding the Sysmon channel to the Windows configuration

Using Ansible roles

Modify the inventory to add the flags and the paths to monitor.

  1. Locate the inventory file we used in our Devo EA Manager deployment.

  2. Open it with your preferred text editor and search for the deam_fleet_config_agent_opts_win_windows_event_channels key under vars (or add it if it does not exist).


  3. Modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot.


  4. If this is the first time the EA Manager is deployed, continue with the installation process normally. If the environment has already been deployed, run the deam-packs playbook:

    cd $HOME/devo-ea-deployer
    source "/opt/ansible-2.9/venv/bin/activate"
    ansible-playbook -i inventories/<inventory_name.yaml> playbooks/deam-packs.yaml

If you add the deam_fleet_config_agent_opts_win_windows_event_channels key, make sure to include every channel that is in use, because this key overwrites the default value.
Default deam_fleet_config_agent_opts_win_windows_event_channels values → System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents

Using the admin page in the EA Manager Web UI

Be aware that modifying the osquery configuration via the Web UI only applies to the running configuration of the EA Manager instance and does not replicate the change to the inventory file used by the Ansible playbooks. Changes made in the Web UI must therefore be consolidated into the inventory file before any new Ansible deployment; otherwise they will be overwritten.

  1. Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080)

  2. Once logged in, open the osquery configuration at https://<DEAM_IP>:8080/ -> Settings -> Global agent options


  3. Here we see a text editor with the default configuration values and the ones loaded from the DEA Manager inventory file, as in the following screenshot:


  4. Search for the windows_event_channels flag and modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot:

Excluding Sysmon from the events_windows default query

These steps are only mandatory in versions 1.1 and below. From 1.2 onwards, the default query already excludes the Sysmon events.

We need to exclude Sysmon events from the default query; otherwise each Sysmon event would be matched by both queries and ingested twice into our Devo domain.

  1. In the Devo EA Manager, click on “Queries” in the left menu and search for the “Create New Query” button:


  2. Filter queries by devo_other_sources_win_events and click on edit query:


  3. Modify the query by adding 'microsoft-windows-sysmon/operational' to the excluded list:

    Complete query:

    SELECT *, "events_windows.other_sources" || "." || eventid AS __devoSubTag
    FROM windows_events
    WHERE lower(source) NOT IN ('application', 'setup', 'security', 'system',
                                'microsoft-windows-powershell/operational',
                                'microsoft-windows-powershell/admin',
                                'microsoft-windows-sysmon/operational');

  4. Save the changes.

Sending to Devo

We need to configure a new pack with two new queries for sending the data to Devo.

From version 1.2, the Sysmon query is shipped with the product by default, so it is not necessary to create it; it only needs to be added to a pack.

  1. In the Devo EA Manager, click on “Queries” in the left menu and search for the “Create New Query” button.


  2. Create a new query with the following SQL code:

    SELECT *, "events_windows.sysmon" || "." || eventid AS __devoSubTag
    FROM windows_events
    WHERE lower(source) IN ('microsoft-windows-sysmon/operational');


  3. Save it; you will be asked for a name and a description.

  4. Now click on “Packs” in the left menu and search for the “New Pack” button. Alternatively, the query can be added to an existing pack.


  5. Name it as you wish, select the target hosts it applies to, and save it.


  6. Once saved, add the previously created queries or the existing ones, setting the interval and the affected hosts for each query.


  7. Save the changes.
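To show why the Sysmon exclusion in the other_sources query matters, here is an added Python example (not Devo's or osquery's own code) that loads a constructed sample of osquery's windows_events table into an in-memory SQLite database, runs both the modified other_sources query and the Sysmon query from the steps above, and checks that no event is emitted by both. Only the source and eventid columns are taken from the real table; the extra data column and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample of osquery's windows_events table (only the columns the
# two queries touch); the real table has more columns.
SAMPLE_EVENTS = [
    ("Microsoft-Windows-Sysmon/Operational", 1, "Process Create"),
    ("Microsoft-Windows-Sysmon/Operational", 3, "Network connection"),
    ("Microsoft-Windows-PowerShell/Operational", 4104, "Script block"),
    ("Security", 4624, "Logon"),
    ("Microsoft-Windows-TaskScheduler/Operational", 106, "Task registered"),
]

# Exclusion list of the modified other_sources query (Sysmon is the last entry).
EXCLUDED = ("application", "setup", "security", "system",
            "microsoft-windows-powershell/operational",
            "microsoft-windows-powershell/admin",
            "microsoft-windows-sysmon/operational")

# Single-quoted literals here: osquery's SQLite also accepts the page's
# double-quoted form ("events_windows.sysmon"), but not every sqlite3 build does.
OTHER_SOURCES_SQL = """
SELECT source, eventid, 'events_windows.other_sources' || '.' || eventid AS __devoSubTag
FROM windows_events WHERE lower(source) NOT IN ({placeholders})
"""
SYSMON_SQL = """
SELECT source, eventid, 'events_windows.sysmon' || '.' || eventid AS __devoSubTag
FROM windows_events WHERE lower(source) IN ('microsoft-windows-sysmon/operational')
"""


def run_queries(events=SAMPLE_EVENTS, excluded=EXCLUDED):
    """Load the sample rows into an in-memory table and run both pack queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE windows_events (source TEXT, eventid INTEGER, data TEXT)")
    con.executemany("INSERT INTO windows_events VALUES (?, ?, ?)", events)
    sql = OTHER_SOURCES_SQL.format(placeholders=",".join("?" * len(excluded)))
    other = con.execute(sql, excluded).fetchall()
    sysmon = con.execute(SYSMON_SQL).fetchall()
    con.close()
    return other, sysmon


def check_no_duplicates(events=SAMPLE_EVENTS, excluded=EXCLUDED):
    """True when no (source, eventid) row is emitted by both queries."""
    other, sysmon = run_queries(events, excluded)
    return not ({(s, e) for s, e, _ in other} & {(s, e) for s, e, _ in sysmon})


if __name__ == "__main__":
    for row in sum(run_queries(), []):
        print(row)
    print("duplicates without the exclusion:", not check_no_duplicates(excluded=EXCLUDED[:-1]))
```

Running it with the pre-1.2 exclusion list (EXCLUDED without its last entry) reproduces the duplicate-ingestion problem the step above fixes.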

Data access

By default, all uploaded content will be ingested into Devo under box.devo_ea.windows_events.sysmon.
