Enable Sysmon in Endpoint Agent
- Juan Tomás Alonso Nieto (Deactivated)
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Configuration
To setup Devo EA Manager for Sysmon you must modify the windows_event_channels flag to enable Endpoint Agent to retrieve Sysmon events and add the new query to send the data to Devo.
This can be accomplished in two different ways:
- Using the admin page in the EA Manager.
- Modifying the file
options.yamland redeploying the deam-packs playbook.
Adding Sysmon channel to windows configuration
Using Ansible roles
Modify the options.yaml to add the flags and the paths to monitor.
- Search for
options.yamlfile in the Devo EA Manager installer (usually inplaybooks/roles/deam-packs/files/devo-packs/options.yaml) - Open it with your preferred text editor and search for the
windows_event_channelstag in windows section.
- Modify it by adding
Microsoft-Windows-Sysmon/Operationalat the end, as shown in the following screenshot:
- If this is the first time the EA Manager is deployed continue with the installation process normally. If the environment has already been deployed, run the
deam-packsplaybook:
cd $HOME/devo-ea-deployer ansible-playbook -i inventories/<inventory_name.yaml> playbooks/deam-packs.yaml
Use admin page in EA Manager Web UI
- Log into your Devo EA Manager administration console (
https://<devo_ea_manager_ip>:8080) - Go to the osquery configuration page by adding
/admin/osqueryto the URL (for example,https://<devo_ea_manager_ip>:8080/admin/osquery) - Here, you see a text editor with the loaded DEA Manager options.yaml file as in the following screenshot:
- You need to search for the
windows_event_channelsflag and modify it by addingMicrosoft-Windows-Sysmon/Operationalat the end, as shown in the following screenshot.
Excluding Sysmon from events_windows default query
You need to exclude Sysmon events from the default query to avoid duplicate events in the domain.
- In the Devo EA Manager, click on Queries in the left menu and search for the Create New Query button:
- Filter queries by
devo_other_sources_win_eventsand click on edit query:
- Modify the query by adding
microsoft-windows-sysmon/operationalto the excluded list and save the changes.
Complete query:
SELECT *, "events_windows.other_sources" || "." || eventid as __devoSubTag FROM windows_events WHERE lower(source) Not IN ('application', 'setup', 'security', 'system', 'microsoft-windows-powershell/operational', 'microsoft-windows-powershell/admin', 'microsoft-windows-sysmon/operational');
Sending to Devo
You must configure a new pack with two new queries so as to send the data to Devo.
- In the Devo EA Manager, click on Queries in the left menu and search for the Create New Query button:
- You must create a new query with the following SQL code:
SELECT *, "events_windows.sysmon" || "." || eventid as __devoSubTag
 FROM windows_events
 WHERE lower(source) IN ('microsoft-windows-sysmon/operational');
3. You can name it as you wish. Select the corresponding hosts group for each query and save it:
4. Now, click on Packs on the left menu and search for the New Pack button. Alternatively, it can be added to an existing pack:
5. Name it as you wish, select the hosts targets that are affected, and save it:
6. Once saved, add the previously created queries (adding the interval and the affected hosts for each query).
7. Save the changes.
Data access
By default, all uploaded content files will be ingested into Devo under box.devo_ea.windows_events.sysmon.