Setting up Sysmon
To use the QRadar Sysmon Content Extension, install Sysmon on your Windows endpoints and then forward the Sysmon events to QRadar by using a Windows server.
Install Sysmon
- Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
- Extract the .zip file.
- Right-click the .exe file for your system and select Run as administrator.
- For a 32-bit system, choose Sysmon.exe.
- For a 64-bit system, choose Sysmon64.exe.
- Configure Sysmon. You might want to use one of the community-maintained configurations as a basis for your own, such as the one from SwiftOnSecurity (https://github.com/SwiftOnSecurity/sysmon-config).
Create a log source
Use the following XPath query when you set up your log sources:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
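The following PowerShell script is an added example, not part of the IBM page, that carries out the Install Sysmon steps above and then runs the same XPath query that the QRadar log source will use, so you can confirm the channel is producing events before you configure forwarding. It assumes you have already downloaded and extracted Sysmon to the folder in $SysmonDir and that $ConfigPath points to your own configuration file (for example, a copy of the SwiftOnSecurity config); both paths are placeholders. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the IBM page): install Sysmon with a configuration file and
# confirm that the Microsoft-Windows-Sysmon/Operational channel is producing events.
# Assumptions: Sysmon has been extracted to $SysmonDir and $ConfigPath is your own
# configuration file. Both defaults below are placeholders.
param(
    [string]$SysmonDir  = 'C:\Tools\Sysmon',                   # assumed extraction folder
    [string]$ConfigPath = 'C:\Tools\Sysmon\sysmonconfig.xml'   # assumed configuration file
)

# Pick the binary that matches the OS: Sysmon.exe on 32-bit, Sysmon64.exe on 64-bit.
$exe     = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$exePath = Join-Path $SysmonDir $exe

# Check the Authenticode signature before running anything as administrator.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to install: signature status for $exePath is $($sig.Status)"
}

# Install the driver and service with the chosen configuration.
# -accepteula suppresses the interactive EULA prompt; -i installs with the given config file.
& $exePath -accepteula -i $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }

# Confirm the event channel exists and is enabled.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
if (-not $log.IsEnabled) { throw 'Sysmon channel is present but not enabled' }

# Run the same XPath query that the QRadar log source uses and summarise the result.
$xpath = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
'@
$events = Get-WinEvent -FilterXml ([xml]$xpath) -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $events) {
    # Nothing yet usually means the configuration filters everything out.
    # "Sysmon64.exe -c" (no argument) prints the active configuration for review.
    Write-Warning 'No Sysmon events returned; review the configuration filters'
} else {
    # Event ID 1 = process creation, 3 = network connection, 11 = file created, and so on.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize
}
```

The per-Event-ID summary is a quick sanity check on the configuration: a healthy endpoint normally shows process creation (ID 1) and network connection (ID 3) events within minutes, and an empty result almost always means the configuration excludes too much rather than that forwarding is broken.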
Deploy Sysmon
You can get Sysmon events into QRadar in either of two ways: forward them to a Windows server through a Windows Event Collector subscription, or send them from WinCollect agents through a syslog relay.
- Install and configure Sysmon on each of your Windows endpoints.
- Set up a subscription for forwarded events in Windows Event Collector Service for Sysmon on a Windows server where WinCollect is installed.
- Feed the information in the forwarded events from the server into your QRadar system where the Sysmon content extension is installed.
You now have a log source for each Windows endpoint in QRadar.
For more information about setting up WinCollect agents, see the WinCollect User Guide (http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_wincollect.pdf).
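The following PowerShell script is an added example, not part of the IBM page or of WinCollect, showing how the Windows Event Collector subscription from the steps above can be created on the collector server. It assumes the collector service is available on that server, that the endpoints are pointed at it by the "Configure target Subscription Manager" Group Policy setting, and that all domain computers are allowed to forward (the SDDL string below); the subscription name and description are placeholders, and the SDDL should be tightened to a group of your own.

```powershell
# Added example (not from the IBM page): create a source-initiated Windows Event Collector
# subscription for Sysmon on the Windows server where WinCollect is installed.
# Assumptions: endpoints push to this collector via Group Policy, and the SDDL below
# (all domain computers) is a placeholder to be narrowed to your own security group.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Sysmon</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Sysmon events forwarded to the WinCollect server for QRadar</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

# Write the subscription definition to a file that wecutil can read.
$path = Join-Path $env:TEMP 'sysmon-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

# Configure the collector service without prompting, then create the subscription.
wecutil qc /q
wecutil cs $path
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# List the endpoints attached to the subscription; each should report an Active status.
wecutil gr Sysmon

# Forwarded events land in the ForwardedEvents log, which WinCollect reads on this server.
# Confirm that events are arriving and that MachineName reflects the originating endpoint.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

The MachineName column is what QRadar relies on to create a separate log source per endpoint, so if every forwarded event shows the collector's own name, check the subscription's ContentFormat and the WinCollect log source configuration before looking further.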
Alternatively, use a syslog relay:
- Install and configure Sysmon and WinCollect agents on your Windows endpoints.
- Configure the destination of the WinCollect agents to a server that you're running as a syslog relay. You can use NXLog, Rsyslog, or another tool for your syslog relay.
- Relay the data from the Windows server to a QRadar appliance where the Sysmon content extension is installed.
Depending on the configuration that you use at the syslog relay, events arrive either as separate log sources or as one log source. If all the events arrive as one log source, you can distinguish the endpoints by creating a custom event property for the event name that is found in the log.
For more information about setting up WinCollect agents, see the WinCollect User Guide (http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_wincollect.pdf).