Microsoft Windows Sysmon

About The Device

Windows Sysmon, short for System Monitor, is a powerful system monitoring utility developed by Microsoft. Designed to enhance the visibility of system activity and aid in the detection of malicious behavior, Sysmon provides detailed information about processes, network connections, registry changes, and more. Its features include the logging of process creation, termination, and network connections, allowing security professionals to analyze system behavior and identify potential threats.

Device Information

Collection Method

Port Requirements

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

Pre-requisite: Generate certificate on CyberHub using the following steps.

1. Navigate to support user mode by executing following command "su - support" on CyberHub terminal and choose “option 29 - Manage the TLS certificates".

2. Choose “option 2 - View EA Server TLS certificate" and this will print Private Key and Certificate content on console.

3. Copy certificate from the console output to a file and save it.

1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

2. Navigate to services.msc and stop the nxlog service.

3. Navigate to the folder "C:\Program Files\nxlog\data" and delete the file "configcache.dat" if it is present.

4. Navigate to the installed location "C:\Program Files\nxlog\conf." Rename the attached file to "nxlog.conf" and copy it into this folder.

5. Replace the placeholder "CyberHub IP" with the actual CyberHub IP in the nxlog.conf file.

6. Copy the certificate on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 55.

7. Now, start the nxlog service from services.msc.

8. NXLog agent logs will be available at the location "C:\Program Files\nxlog\data\nxlog.log".

9. The log flow should work, and you can check it using tcpdump with the command "tcpdump -AA port 6514"

To Configure the Splunk for log forwarding

Pre-requisite:

1. All the windows machines should have Splunk Forwarder installed.

2. All the windows machines Sysmon logs should be forwarded to Splunk indexer with inputs.conf file with property renderXml=true to forward logs in xml format.

Steps to perform on Splunk Server

1. Navigate to the Splunk installation root folder: %Splunk_Installation_Path%\etc\system\local\outputs.conf. All the configuration changes must to be performed on the file in the local folder.

2. Edit the outputs.conf file and do one of the configuration steps: [ If you do not have existing syslog configuration, add the following configuration under syslog. ]

   [syslog] defaultGroup = AccentureMxDR [syslog:AccentureMxDR] server = Cyberhub_IP_Address:Port_Number type = tcp maxEventSize = 16384 sendCookedData = false priority = NO_PRI syslogSourceType = XmlWinEventLog ==================================== ------- Notes ----------- ==================================== Server: Add Cyberhub IP address and Port number Type: Default is udp for Splunk, but MDR recommends TCP. MaxEventSize: MDR recommended value. All events exceeding this size will be truncated.

3. Edit the props.conf file and add the below routing attribute at the bottom.

   [source::WinEventLog:*] TRANSFORMS-WinEventLog=AccentureMxDRStanza - This can be any name.

4. Save and close the file.

5. Navigate to the Splunk installation root folder %Splunk_Installation_Path%\etc\system\local\transforms.conf. All the configuration changes must be performed on the file in the local folder.

6. Edit the transforms.conf file and add the below stanza at the bottom.

7. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set rules to match your props.conf stanza (i.e. AccentureMxDRStanza):

   [AccentureMxDRStanza] # This is stanza name which is defined in props.conf. REGEX=. DEST_KEY=_TCP_ROUTING FORMAT=AccentureMxDR #This is group name which defined in outputs.conf file

8. Restart the splunk service.

Integration Parameters

Parameters required from customer for Integration.