Skip to content
/ TA-Sysmon_install Public

Splunk scripted input to push and install sysmon, with the sysmon config forked by securiyshrimp, from Taylor Swift, to ignore splunk executables.

License

MIT license
0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

f8al/TA-Sysmon_install

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
bin
bin
 
 
default
default
 
 
etc
etc
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

TA-Sysmon-Install

This is a Splunk Technology addon that will allow you to install sysmon via a splunk scripted input to get sysmon data into splunk.

You will need to use the Sysmon TA written by Dave Herald to actually collect the sysmon data (https://github.com/splunk/TA-microsoft-sysmon)

The configuration for sysmon pushed by this will ignore tracking connections for ParentImage splunkd.exe

Sysmon Threat Intelligence Configuration

This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.

This version is forked from @swiftonsecurity's masterful version with additions to avoid an infinite logging loop when running the Splunk universal forwarder, Splunk heavy forwarder, or full Splunk instance on a system being monitored by sysmon.

The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.

      sysmonconfig-export.xml

Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. It demonstrates a lot of what I wish I knew when I began with Sysmon in 2014.

Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git.

Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area.

This now has an Auto Updater script to update to the latest Sysmon config hourly. This is great for mass deployments without having to manually update thousands of systems.

Use

Auto-Install with Auto Update Script:###

Install Sysmon.bat

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig-export.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig-export.xml

Uninstall

Run with administrator rights

sysmon.exe -u

Hide Sysmon from services.msc

Hide:
sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Restore:
sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

TA-Sysmon_install

About

Splunk scripted input to push and install sysmon, with the sysmon config forked by securiyshrimp, from Taylor Swift, to ignore splunk executables.

Topics

splunk sysmon splunk-application splunk-addon technical-addon

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages