Sysmon (System Monitor) is a system monitoring and logging tool that is part of the Windows Sysinternals Suite. It generates far more detailed and expansive logs than the default Windows event logs, and it provides, for free, much of the endpoint telemetry that commercial Endpoint Detection and Response (EDR) products collect, although it only records activity and does not block or respond to it.

If you are curious about the potential of Sysmon, I did a short talk showing some of its capabilities. This blog series will help prepare you to get Sysmon up and running, deploy it in your environment, and forward the event logs to your Splunk indexers.

Sysmon itself installs simply, but there are a few decisions to make before you deploy it in your environment: an initial configuration, a deployment method, and a forwarding mechanism.

The first major choice is the initial configuration of your Sysmon build. It is possible to write your own, but doing so takes a good understanding of which events you want to generate, and a first attempt tends to produce a large volume of unexpected logs. There are two popular configurations that are easy to deploy and have done a lot of the initial legwork, and both are good starting points.

SwiftOnSecurity has a simplified, single-file configuration that is a great way to start out and see what Sysmon can do. You can download it from GitHub and install Sysmon with it to be up and running in a few minutes. Its advantages are that it is simple to modify, roll out, and keep up to date. Its main disadvantage is that, as you tune the configuration to your environment, a single file makes it difficult to keep track of those changes. So for a very simple, one-shot configuration it works great, but the second popular configuration is much better suited to a well-tuned environment.

If you decide to use SwiftOnSecurity's configuration, I recommend adding exclusions for the Splunk forwarder's own processes, because the default configuration does not exclude them and they generate a large number of events.
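As an added example (not from the original post and not part of SwiftOnSecurity's configuration), here is a minimal Sysmon configuration that contains only exclusions for the Splunk Universal Forwarder. It assumes the forwarder is installed in its default directory, C:\Program Files\SplunkUniversalForwarder, and sends to indexers on TCP port 9997; the schemaversion is also an assumption and must match the schema reported by `sysmon64.exe -s` for the Sysmon build you install.

```xml
<!--
  Added example, not from the original post or from SwiftOnSecurity's config.
  Assumptions: the Universal Forwarder lives in its default directory and
  forwards to indexers on TCP 9997; schemaversion matches your Sysmon build.
  Apply stand-alone with:  sysmon64.exe -c splunk-exclusions.xml
  or merge each rule into the matching onmatch="exclude" section of the
  configuration you actually deploy.
-->
<Sysmon schemaversion="4.22">
  <EventFiltering>

    <!-- Event ID 1 (ProcessCreate): drop the forwarder's own binaries
         (splunkd.exe, splunk-winevtlog.exe, splunk-powershell.exe, ...).
         Deliberately no ParentImage rule: anything the forwarder launches
         from OUTSIDE its bin directory, e.g. cmd.exe via a scripted input,
         is still logged, so abuse of the forwarder stays visible. -->
    <RuleGroup name="Splunk forwarder processes" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
      </ProcessCreate>
    </RuleGroup>

    <!-- Event ID 3 (NetworkConnect): splunkd.exe keeps a persistent
         connection to the indexers. groupRelation="and" means BOTH the
         image and the port must match, so splunkd.exe connecting anywhere
         else (or any other process on 9997) is still recorded. -->
    <RuleGroup name="Splunk forwarder to indexers" groupRelation="and">
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image>
        <DestinationPort condition="is">9997</DestinationPort>
      </NetworkConnect>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

If you merge these into SwiftOnSecurity's file rather than loading them on their own, paste the `Image` rule into its existing `ProcessCreate onmatch="exclude"` group and keep the `NetworkConnect` rule in its own `groupRelation="and"` group; putting it into an "or" group would exclude every connection splunkd.exe makes, not just the one to your indexers. After applying, confirm the drop in volume with a count of Sysmon event IDs 1 and 3 over a short window before and after the change.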