Windows Sysmon and Splunk
Saturday, December 14, 2019 » splunk, sysmon, windows
This is by no means a detailed guide to Sysmon, just a quick install and setup for reference.
Download Windows Sysmon from here.
Find a configuration file that works for the environment; I'm using this one.
Install Sysmon.
sysmon.exe -accepteula -i sysmonconfig-export.xml
Confirm the logs appear in event viewer.
Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
On the deployment server, add the following stanza to whatever windows app inputs.conf is being used.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmon
Next, add the TA to the Splunk indexer cluster and any search head clusters, depending on your environment. The app can be found here.
Starting with the search head cluster.
scp add-on-for-microsoft-sysmon_10.tgz root@shdeployer:~/
tar xzvf add-on-for-microsoft-sysmon_10.tgz -C /opt/splunk/etc/shcluster/apps/
./splunk apply shcluster-bundle -action stage --answer-yes
./splunk apply shcluster-bundle -action send -target https://sh:8089 --answer-yes
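A quick way to sanity-check the inputs.conf stanza before pushing it from the deployment server, since a stanza pasted onto a single line (as it often arrives from a web page) is silently not parsed as settings. This is an added example, not part of the original post or the Splunk TA; the stanza name and index value come from the post, the sample conf texts are constructed.

```python
"""Checker for a Splunk inputs.conf stanza that collects Sysmon events.

Splunk .conf files are INI-like: a [stanza] header on its own line, then
key = value pairs one per line. This verifies the Sysmon Operational stanza
is present, enabled, and routed to the expected index.
"""
import re

SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"
STANZA_RE = re.compile(r"^\[([^\]]+)\](.*)$")


def parse_inputs_conf(text):
    """Return {stanza: {key: value}}; raise ValueError on malformed lines."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            if m.group(2).strip():
                # Settings glued onto the header line are not read by Splunk.
                raise ValueError(f"line {lineno}: text after stanza header: {m.group(2).strip()!r}")
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value': {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_sysmon_input(text, expected_index="sysmon"):
    """Return a list of problems; an empty list means the stanza is usable."""
    try:
        stanzas = parse_inputs_conf(text)
    except ValueError as exc:
        return [str(exc)]
    settings = stanzas.get(SYSMON_STANZA)
    if settings is None:
        return [f"missing stanza [{SYSMON_STANZA}]"]
    problems = []
    if settings.get("disabled", "0").lower() in ("1", "true"):  # absent means enabled
        problems.append("input is disabled")
    if settings.get("index") != expected_index:
        problems.append(f"index is {settings.get('index')!r}, expected {expected_index!r}")
    return problems


# Constructed samples: the stanza from the post, and the same text collapsed onto one line.
GOOD_CONF = f"[{SYSMON_STANZA}]\ndisabled = 0\nindex = sysmon\n"
COLLAPSED_CONF = f"[{SYSMON_STANZA}] disabled = 0 index = sysmon\n"
```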