Enable Sysmon in Endpoint Agent
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Pre-requisites
Sysmon must be installed on the Windows system.
If Sysmon is installed, the log name Microsoft-Windows-Sysmon/Operational is shown in the Event Viewer.
Configuration
These steps are only mandatory in versions 1.1 and below. From 1.2, queries will be included by default in a standard deployment.
To set up Devo EA Manager for Sysmon, we need to modify the deam_fleet_config_agent_opts_win_windows_event_channels flag so that the Universal Agent retrieves Sysmon events, and add a new query to send the data to Devo.
This can be accomplished in two different ways:
Using the admin page in the EA Manager.
Modifying the inventory file and redeploying the deam-packs playbook.
If you just installed Sysmon, remember to restart the Windows Endpoint.
Adding Sysmon channel to windows configuration
Using Ansible roles
Modify the inventory to add the flag and the channel to monitor.
Locate the inventory file used in your Devo EA Manager deployment.
Open it with your preferred text editor and search for the deam_fleet_config_agent_opts_win_windows_event_channels key under vars (or add it if it does not exist). Modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot.
If this is the first time the EA Manager is deployed, continue with the installation process normally. If the environment has already been deployed, run the deam-packs playbook:
cd $HOME/devo-ea-deployer
source "/opt/ansible-2.9/venv/bin/activate"
ansible-playbook -i inventories/<inventory_name.yaml> playbooks/deam-packs.yaml
Use admin page in EA Manager Web UI
Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).
Once logged in, access the osquery configuration in https://<DEAM_IP>:8080/ -> Settings -> Global agent options. Here, we will see a text editor with the default configuration values and the ones loaded from the DEA Manager inventory file, as in the following screenshot:
We need to search for the windows_event_channels flag and modify it by adding Microsoft-Windows-Sysmon/Operational at the end, as shown in the following screenshot:
Excluding Sysmon from events_windows default query
We need to exclude Sysmon events from the default query to avoid duplicate events in our domain.
In the Devo EA Manager, click on “Queries“ in the left menu and search for the “Create New Query“ button:
Filter queries by devo_other_sources_win_events and click on edit query. Modify the query just by adding 'microsoft-windows-sysmon/operational' to the excluded list.
Complete query:
SELECT *, "events_windows.other_sources" || "." || eventid as __devoSubTag FROM windows_events WHERE lower(source) NOT IN ('application', 'setup', 'security', 'system', 'microsoft-windows-powershell/operational', 'microsoft-windows-powershell/admin', 'microsoft-windows-sysmon/operational');
Save the changes.
Sending to Devo
We need to configure a new pack with two new queries for sending the data to Devo.
In the Devo EA Manager, click on “Queries“ in the left menu and search for the “Create New Query“ button.
We need to create a new query with the following SQL code:
SELECT *, "events_windows.sysmon" || "." || eventid as __devoSubTag FROM windows_events WHERE lower(source) IN ('microsoft-windows-sysmon/operational');
Save it; you will be asked for a name and a description.
Now, click on “Packs“ in the left menu and search for the “New Pack“ button. Alternatively, it can be added to an existing pack.
Name it as you wish, select the target hosts that are affected, and save it.
Once saved, add the previously created queries or the existing ones (setting the interval and the affected hosts for each query).
Save the changes.
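As an added check that is not part of the Devo documentation or product, the following Python script runs the two queries above (the modified devo_other_sources_win_events query and the new Sysmon query) against an in-memory SQLite table standing in for osquery's windows_events table, using constructed sample rows. It shows that, without the exclusion, every Sysmon event is emitted by both queries and so reaches Devo twice, and that with the exclusion each event is emitted by exactly one query. The string literals in the __devoSubTag expression are written with single quotes here (standard SQL) rather than the double quotes shown in the page's queries, and the stand-in table carries only the source and eventid columns.

```python
import sqlite3

# Constructed sample rows standing in for two columns of osquery's
# windows_events table (source, eventid); the real table has more columns.
SAMPLE_EVENTS = [
    ("Security", 4624),
    ("System", 7045),
    ("Microsoft-Windows-Sysmon/Operational", 1),
    ("Microsoft-Windows-Sysmon/Operational", 3),
    ("Microsoft-Windows-PowerShell/Operational", 4104),
    ("Microsoft-Windows-TaskScheduler/Operational", 106),
]

# Channels already excluded by the default devo_other_sources_win_events query.
BASE_EXCLUDED = (
    "application", "setup", "security", "system",
    "microsoft-windows-powershell/operational",
    "microsoft-windows-powershell/admin",
)
SYSMON_CHANNEL = "microsoft-windows-sysmon/operational"


def other_sources_query(excluded):
    """Build the devo_other_sources_win_events query with the given exclusion list."""
    placeholders = ", ".join("?" for _ in excluded)
    return (
        "SELECT *, 'events_windows.other_sources' || '.' || eventid AS __devoSubTag "
        f"FROM windows_events WHERE lower(source) NOT IN ({placeholders})"
    )


# The new Sysmon query from the pack (channel passed as a parameter).
SYSMON_QUERY = (
    "SELECT *, 'events_windows.sysmon' || '.' || eventid AS __devoSubTag "
    "FROM windows_events WHERE lower(source) IN (?)"
)


def route_events(events=SAMPLE_EVENTS, exclude_sysmon=True):
    """Run both pack queries over an in-memory table and return the rows each emits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE windows_events (source TEXT, eventid INTEGER)")
    conn.executemany("INSERT INTO windows_events VALUES (?, ?)", events)
    excluded = BASE_EXCLUDED + ((SYSMON_CHANNEL,) if exclude_sysmon else ())
    other = conn.execute(other_sources_query(excluded), excluded).fetchall()
    sysmon = conn.execute(SYSMON_QUERY, (SYSMON_CHANNEL,)).fetchall()
    conn.close()
    return {"other_sources": other, "sysmon": sysmon}


def duplicated_events(routed):
    """Return (source, eventid) pairs emitted by both queries, i.e. sent to Devo twice."""
    in_other = {(src, eid) for src, eid, _tag in routed["other_sources"]}
    in_sysmon = {(src, eid) for src, eid, _tag in routed["sysmon"]}
    return sorted(in_other & in_sysmon)


def subtags(routed, query_name):
    """The __devoSubTag values a query produced; Devo appends them to the pack's base tag."""
    return [row[-1] for row in routed[query_name]]


if __name__ == "__main__":
    before = route_events(exclude_sysmon=False)
    after = route_events(exclude_sysmon=True)
    print("duplicates without the exclusion:", duplicated_events(before))
    print("duplicates with the exclusion:   ", duplicated_events(after))
    print("sysmon subtags:", subtags(after, "sysmon"))
    print("other_sources subtags:", subtags(after, "other_sources"))
```

Running the script prints the two Sysmon events as duplicates in the "before" case and an empty list in the "after" case; the Sysmon rows carry subtags of the form events_windows.sysmon.<eventid>, which is what the pack's tag is built from.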
Data access
By default, all events collected by this query are ingested into Devo under box.devo_ea.windows_events.sysmon.