Integrating with Windows Sysmon

Overview

System Monitor (Sysmon) is one of the most commonly used Windows add-ons for logging. Sysmon is part of Microsoft's Sysinternals suite, and it enriches the standard Windows logs by recording higher-level events such as process creation, network connections, and changes to the file system. With Sysmon, you can identify malicious activity by tracking process behavior and network traffic, and build detections based on that activity.

Note: Blumira Agent eliminates the need to use the below log shipping method. If your Blumira license includes access to Blumira Agent, we recommend using our modern agent instead of the below legacy log shipping method. See Installing Blumira Agent on a remote device for more information about deploying the agent.

Sysmon is supported on Windows versions:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012

Reference: Additional information about usage and examples of each event type that Sysmon generates is located on Microsoft's Sysmon download page.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Settings > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Using Poshim for automated Windows setup

To complete this integration, we recommend using Blumira’s Poshim (PowerShell Shim) script, which is designed to ensure that you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon and ships the resulting logs to a targeted IP.

Reference: See Automating Windows log collection with Poshim for instructions.

If you choose to use Poshim for this integration, nothing further is needed on this page. For manual configuration, continue reading below.

Installing Sysmon manually

To manually install Sysmon, follow the instructions below.

  1. Download Sysmon (or the entire Sysinternals suite).
  2. Download your chosen configuration (we recommend Sysmon Modular).
  3. Save it as config.xml in C:\Windows, or run the following PowerShell command:
     Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
  4. Install by opening a command prompt as administrator and typing:
     sysmon64.exe -accepteula -i C:\Windows\config.xml
     Note: Sysmon.exe is for 32-bit systems only, and Sysmon64.exe is for 64-bit systems only.

Sending Sysmon events to Blumira using NXLog

After Sysmon is manually installed, you must add the Sysmon event channel to your NXLog configuration in order to start sending logs to Blumira’s platform for detection and response.

Note: If you chose to use Poshim, this is automatically handled by the shim at the same time as the Sysmon installation.

You can use our latest version of Flowmira, or add the Sysmon route to your existing configuration. The latest version of Flowmira is located here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf
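The following is an added example of what the Sysmon route looks like when you add it to an existing NXLog configuration by hand; it is not taken from Flowmira or from Blumira. The input, output and route names, the TCP transport, the port, and the IETF syslog format are assumptions for illustration; match them to what your existing nxlog.conf already uses, and replace the placeholder with the sensor IP you copied earlier.

```nxlog
# Added example, not part of Flowmira: read the Sysmon channel and forward it
# to the Blumira sensor over syslog. Names and port are illustrative.

# xm_syslog provides to_syslog_ietf()/to_syslog_bsd() for formatting.
<Extension _syslog>
    Module      xm_syslog
</Extension>

# Sysmon writes to its own channel, not to the Security or System log,
# so it must be selected explicitly.
<Input in_sysmon>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Destination: the Blumira sensor IP from Settings > Sensors.
# Host/port/format are assumptions; use the values from your existing output.
<Output out_blumira>
    Module      om_tcp
    Host        SENSOR_IP_PLACEHOLDER
    Port        514
    Exec        to_syslog_ietf();
</Output>

# Tie the Sysmon input to the sensor output. If your configuration already
# defines an output to the sensor, point this route at that output instead
# of adding a second one.
<Route sysmon_to_blumira>
    Path        in_sysmon => out_blumira
</Route>
```

After restarting the nxlog service, confirm that events from the Microsoft-Windows-Sysmon/Operational channel appear for the host in Blumira before relying on Sysmon-based detections.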

Additional Reference