Sysmon Integration With Qradar

This document provides instructions for installing Sysmon on a Windows server and integrating it with Qradar to forward Sysmon logs. It explains how to download and install Sysmon using commands, upload a configuration file, and view logs in the Event Viewer. It also outlines the steps to open the Wincollect configuration console in Qradar, select the server device, add an XPath query to filter only Sysmon and Security logs, deploy the changes, and see the forwarded Sysmon events in Qradar.

Uploaded by Hamza Idris

Sysmon Integration with Qradar:

Contents
Installation of Sysmon on Windows Server
Integrate Sysmon with Qradar
Installation of Sysmon on Windows Server:

1. Download Sysmon from Microsoft Sysinternals (https://learn.microsoft.com/sysinternals/downloads/sysmon) and extract it to a folder on the server. The archive contains Sysmon.exe (32-bit) and Sysmon64.exe (64-bit); use the one matching the OS.


2. After the download is complete, open CMD with administrator privileges, change to the folder Sysmon was extracted to, and run the install command. The install syntax is:

Sysmon.exe -accepteula -i [<configfile>] [-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]] [-l (<process,...>)]

-i installs the Sysmon driver and service. Run without a configuration file it applies Sysmon's default settings (process images hashed with SHA1 and no network monitoring); it does not enable every event type. -h selects the hash algorithms recorded, -n turns on network-connection logging (Event ID 3) and -l turns on image-load logging (Event ID 7), each optionally limited to the named processes. -accepteula suppresses the interactive licence prompt, which matters when installing unattended. Passing a configuration file to -i installs and applies the configuration in one step.

3. Once installed, load (or later update) the configuration file with the command below. Sysmon reloads it without reinstalling the driver or restarting the service:

Sysmon.exe -c <configfile>

Note: Replace <configfile> with the path to the XML file.

Note: Create a customised configuration file for each server (or server role) that defines which events are logged and which are excluded. Excludes matter as much as includes: an unfiltered Sysmon configuration floods QRadar with low-value events (for example every network connection and image load) and drives up the licensed EPS. Community baselines such as SwiftOnSecurity's sysmon-config are a common starting point that is then tuned per server.

4. Sysmon is now installed on the server. Events can be viewed in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. The channel's backing file is:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
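The installation steps above, carried through as one script. This is an added example and is not part of the original document: it writes a small constructed configuration file, installs Sysmon with it (or reloads the configuration if the service already exists) and then checks that the Operational channel is receiving events. The folder C:\Tools\Sysmon and the use of the 64-bit binary are assumptions; Sysmon names its service after the executable, so Sysmon64.exe installs the Sysmon64 service.

```powershell
# Added example, not from the original document. Assumes (hypothetically) that
# Sysmon64.exe was extracted to C:\Tools\Sysmon and that this runs in an
# elevated PowerShell session on 64-bit Windows.
$SysmonDir  = 'C:\Tools\Sysmon'
$SysmonExe  = Join-Path $SysmonDir 'Sysmon64.exe'
$ConfigPath = Join-Path $SysmonDir 'sysmonconfig.xml'

# Constructed minimal configuration. onmatch="exclude" logs everything except the
# listed matches; onmatch="include" logs only the listed matches. Event types not
# mentioned fall back to Sysmon's built-in default for that type (Sysmon64.exe -s
# prints the schema), so list every type you rely on explicitly. schemaversion
# must not exceed the schema supported by the installed binary.
$Config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (process create): log all, drop one known-noisy image -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (network connect): only scripting hosts, to keep volume sane -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\cmd.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 11 (file create): only files dropped into per-user temp paths -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    # Already installed: -c reloads the configuration without reinstalling the driver
    & $SysmonExe -accepteula -c $ConfigPath
} else {
    # -i with a config file installs driver + service and applies the config in one step
    & $SysmonExe -accepteula -i $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon exited with code $LASTEXITCODE" }

# Verification: service state and channel status
$svc = Get-Service -Name Sysmon64
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
"Service={0} ChannelEnabled={1} Records={2}" -f $svc.Status, $log.IsEnabled, $log.RecordCount

# Smoke test: newest process-creation events. Image is pulled out of the event XML
# by field name rather than positional index, because the field order differs
# between Sysmon versions.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Image = ($data | Where-Object Name -eq 'Image').'#text'
        }
    }
```

Run it once per server after adjusting the rules for that server's role; the same script with a different $Config is the "customised configuration file per server" the note above asks for.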

Integrate Sysmon with Qradar:

1. Open the WinCollect Configuration Console. If the server is not yet integrated with QRadar, follow the Windows Server Integration guide first.
2. Under Devices, go to the device created earlier and double-click it.
3. Under XPath Query, enter an XPath query that selects only events from the Sysmon and Security logs. Sysmon writes to its own channel (Microsoft-Windows-Sysmon/Operational), which is not one of WinCollect's standard Application/Security/System logs, so without this query the Sysmon events are never collected.
Note: The XPath query can be generated in Event Viewer with Create Custom View: pick the channels and event IDs on the Filter tab, then copy the query from the XML tab.
Sample Xpath Query:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
4. Click Deploy Changes. Sysmon events now arrive in QRadar under the same log source as the server's Security events. To confirm, filter Log Activity on that log source and check that events with Microsoft-Windows-Sysmon/Operational as the channel appear; if they show up as Unknown or Stored, QRadar is receiving them but the DSM is not parsing them, so check that the Windows DSM is up to date before tuning rules.
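A dry run of the XPath query on the server itself, before clicking Deploy Changes. This is an added example and not from the original document: Get-WinEvent accepts the same query XML that WinCollect does, so a mistyped channel name or a query that matches nothing is caught locally instead of as a silent gap in QRadar. It also shows a narrowed variant limited to the Sysmon and Security event IDs that are usually collected first; the IDs chosen there are an assumption, not a recommendation from the document. Reading the Security log requires an elevated session.

```powershell
# Added example, not from the original document. Runs on the Windows server in an
# elevated PowerShell session; no QRadar or WinCollect component is needed.

# The query from the integration guide above: everything from both channels
$FullQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
'@

# Narrowed variant (assumed IDs): Sysmon 1 process create, 3 network connect,
# 11 file create; Security 4624/4625 logon success/failure, 4688 process create.
# Same Event Viewer custom-view syntax, so it drops into the WinCollect field unchanged.
$NarrowQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3 or EventID=11)]]</Select>
  </Query>
</QueryList>
'@

function Test-XPathQuery {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [int]$MaxEvents = 2000
    )
    # Fail early on malformed XML, which WinCollect would also reject
    try { $doc = [xml]$Xml } catch { throw "Query is not well-formed XML: $($_.Exception.Message)" }

    try {
        $events = Get-WinEvent -FilterXml $doc -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws both for an unknown channel and for zero matches;
        # either way this query would collect nothing after deployment.
        Write-Warning "Query returned no events or failed: $($_.Exception.Message)"
        return
    }

    # Per-channel, per-ID counts: proves both channels feed the query and gives a
    # rough feel for the event volume WinCollect will forward.
    $events |
        Group-Object LogName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Channel_Id'; e = { $_.Name } }
}

'--- full query ---'
Test-XPathQuery -Xml $FullQuery
'--- narrowed query ---'
Test-XPathQuery -Xml $NarrowQuery
```

If the full query lists Security events but no Microsoft-Windows-Sysmon/Operational rows, Sysmon is not writing events on this host (check the service and configuration from the installation section) and deploying the query to WinCollect will not help.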
