Setting up Sysmon

To use the QRadar® Sysmon Content Extension, install Sysmon on your Windows endpoints and then forward the Sysmon events to QRadar by using a Windows server.

Install Sysmon

Install Sysmon on your Windows endpoints.
  1. Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
  2. Extract the .zip file.
  3. Right-click the .exe file for your system and select Run as administrator.
    • For a 32-bit system, choose Sysmon.exe.
    • For a 64-bit system, choose Sysmon64.exe.
  4. Configure Sysmon. Rather than starting from an empty configuration, you might want to base yours on a community-maintained configuration, such as the one from SwiftOnSecurity (https://github.com/SwiftOnSecurity/sysmon-config).
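The install steps above, carried out from an elevated PowerShell prompt, with checks that the service is running and that the operational log is already receiving events. This is an added example, not part of the IBM documentation; the folder C:\Tools\Sysmon and the configuration file name sysmonconfig.xml are assumptions.

```powershell
# Added example (not from the IBM page): install Sysmon with a configuration
# file and confirm that events are reaching the Sysmon operational log.
# Run from an elevated PowerShell prompt.
# Assumed paths: C:\Tools\Sysmon holds the extracted binaries and
# sysmonconfig.xml (for example a SwiftOnSecurity-style configuration).
$sysmonDir = 'C:\Tools\Sysmon'
$config    = Join-Path $sysmonDir 'sysmonconfig.xml'

# Pick the binary that matches the OS architecture (step 3 of the procedure).
$exe    = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$sysmon = Join-Path $sysmonDir $exe

if (-not (Test-Path $config)) { throw "Configuration file not found: $config" }
if (-not (Test-Path $sysmon)) { throw "Sysmon binary not found: $sysmon" }

# -accepteula suppresses the licence dialog; -i installs the driver and the
# service with the given configuration. Later, -c <file> updates the
# configuration in place without reinstalling.
& $sysmon -accepteula -i $config

# The service is named after the binary (Sysmon or Sysmon64).
$svcName = [IO.Path]::GetFileNameWithoutExtension($exe)
$svc = Get-Service -Name $svcName -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "Sysmon service '$svcName' is not running" }

# Confirm that the operational channel exists and already holds events.
# Event ID 16 (configuration changed) and ID 4 (service state changed) are
# written during installation, so the log is never empty at this point.
$recent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 -ErrorAction Stop
$recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

# Dump the configuration that is actually in effect so it can be compared
# with the file you deployed.
& $sysmon -c
```

Keep the configuration file under version control and re-apply it with -c whenever it changes; the resulting event ID 16 entries in the operational log give you an audit trail of configuration changes on each endpoint.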

Create a log source

Use the following XPath query when you set up your log sources:

  <QueryList>
    <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
      <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
    </Query>
  </QueryList>
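A way to check the XPath query above on an endpoint before you enter it into the log source: Get-WinEvent accepts the same structured XML query, so a typo in the channel name or the XPath surfaces as an error here instead of as a silent, empty log source. This is an added example, not part of the IBM documentation.

```powershell
# Added example (not from the IBM page): run the log-source XPath query
# against the local Sysmon channel to confirm that it is well formed and
# that it selects events. Run on any endpoint where Sysmon is installed.
$xpath = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
'@

# -FilterXml takes an XmlDocument; a malformed query or an unknown channel
# raises a terminating error, and so does a query that matches nothing.
try {
    $events = Get-WinEvent -FilterXml ([xml]$xpath) -MaxEvents 50 -ErrorAction Stop
} catch {
    throw "XPath query failed or returned no events: $($_.Exception.Message)"
}

# Summarise which Sysmon event IDs came back. This doubles as a check that the
# deployed configuration generates the event types you expect to see in QRadar
# (1 = process create, 3 = network connection, 11 = file create, ...).
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# A narrower query is useful for testing one event type at a time, here
# process-creation events (ID 1) from the past hour. Note the &lt;= entity:
# the comparison operator has to be escaped inside XML.
$narrow = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=1) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
  </Query>
</QueryList>
'@
$count = (Get-WinEvent -FilterXml ([xml]$narrow) -ErrorAction SilentlyContinue | Measure-Object).Count
"Process-creation events in the last hour: $count"
```

The unfiltered query (`*`) is what the content extension expects; filter at the Sysmon configuration rather than in the XPath, so that the same query works for every log source.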

Deploy Sysmon

The following examples provide ways that you can deploy Sysmon on your systems and feed the information that is collected into QRadar.
Figure 1. Example 1: Windows Event Forwarding (diagram of a Sysmon deployment that uses Windows Event Forwarding)
  1. Install and configure Sysmon on each of your Windows endpoints.
  2. On a Windows server where WinCollect is installed, set up a Windows Event Collector subscription that collects the Sysmon events forwarded from the endpoints.
  3. Use WinCollect to send the forwarded events from that server to the QRadar system where the Sysmon content extension is installed.

You now have a log source for each Windows endpoint in QRadar.
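The collector side of Example 1, as an added example that is not part of the IBM documentation: a source-initiated subscription that pulls the Sysmon channel from domain endpoints into the collector's ForwardedEvents log, using the same XPath query as the log source. The subscription name (Sysmon) is an assumption, and the endpoints are assumed to be domain-joined with WinRM enabled and pointed at this collector through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager), which is not scripted here.

```powershell
# Added example (not from the IBM page): create a Windows Event Forwarding
# subscription for Sysmon on the collector server (the server that also runs
# WinCollect). Run from an elevated PowerShell prompt on that server.

# One-time setup of the Windows Event Collector service and the ForwardedEvents log.
wecutil qc /q

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Sysmon</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Sysmon operational events from domain endpoints</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <!-- Endpoints push a batch every 30 s or when 5 events are queued. -->
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <!-- The same query the QRadar log source uses. -->
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <!-- RenderedText keeps the message text with the event, so a reader on the
       collector does not need the Sysmon message resources installed. -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL granting the Domain Computers group (DC) permission to push events. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

$file = Join-Path $env:TEMP 'sysmon-subscription.xml'
Set-Content -Path $file -Value $subscription -Encoding UTF8

# Register the subscription, then show its definition and runtime status
# (which endpoints have checked in and any delivery errors).
wecutil cs $file
wecutil gs Sysmon
wecutil gr Sysmon

# Once endpoints check in, their Sysmon events appear in ForwardedEvents,
# the log that WinCollect reads on this server. MachineName identifies the
# originating endpoint, which is what gives QRadar one log source per endpoint.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
```

A heartbeat with no events is normal for an idle endpoint; an endpoint missing from the `wecutil gr` output altogether usually means the Group Policy has not applied or WinRM is not listening on it.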

For more information about setting up WinCollect agents, see the WinCollect User Guide (http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_wincollect.pdf).

Figure 2. Example 2: Syslog relay (diagram of a Sysmon deployment that uses a syslog relay)
  1. Install and configure Sysmon and WinCollect agents on your Windows endpoints.
  2. Configure the WinCollect agents to send their events to a server that you run as a syslog relay. You can use NXLog, Rsyslog, or another tool for the relay.
  3. Relay the data from the Windows server to a QRadar appliance where the Sysmon content extension is installed.

Depending on the configuration of the syslog relay, the events arrive in QRadar either as a separate log source for each endpoint or as one log source for all endpoints. If they all arrive as one log source, you can still distinguish the endpoints by using a custom event property that extracts the name found in each event.