FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mnaili
Staff
Article Id 192285

Description

This article describes the steps to integrate Sysmon with FortiSIEM.

Sysmon is a powerful Windows monitoring tool that helps increase situational awareness by mapping network traffic to the system processes and network users that generate it. Furthermore, Sysmon events let FortiSIEM detect several attack techniques, such as:

1) Windows PowerShell Download from URL
2) Malicious HTML Applications Spawning Windows Shell
3) Windows Command Line Processes Started by MMC

The full list of FortiSIEM correlation rules based on Sysmon events is available in the user guide.


Solution
High-Level Steps:

1) Prerequisites: FortiSIEM Windows Agent has to be installed and configured
2) Download Sysmon and Sysmon configuration file
3) Customize Sysmon configuration
4) Install Sysmon
5) Configure FortiSIEM to fetch Sysmon events

Steps:

1) Download Sysmon from here (V10.41 at the time of writing this document)
2) Extract the content to a folder (e.g. %Homepath%\Downloads\Sysmon\)
3) Download the latest configuration template (Sysmonconfig.xml) from here into the same directory as above
4) Edit the configuration file Sysmonconfig.xml as shown below:

- Remove the network port section

- To monitor all ports over 1024 use the syntax below. This has to be tuned according to the environment to avoid noise and false positives:

<NetworkConnect onmatch="include">
<!--Ports: Suspicious-->
<DestinationPort name="AllPorts" condition="begin with">1024</DestinationPort>
<DestinationPort name="AllPorts" condition="end with">65535</DestinationPort>
</NetworkConnect>

- Create exception rules to exclude FortiSIEM Agent communications and other benign software, then save the config file (Sysmonconfig.xml):

<NetworkConnect onmatch="exclude">
<Image condition="image">AoWinAgt.exe</Image> <!--FortiSIEM Agent-->
<Image condition="image">FortiESNAC.exe</Image> <!--FortiClient-->
</NetworkConnect>
5) Install Sysmon: open a command prompt, cd to the download folder, then run:
sysmon64.exe -accepteula -i sysmonconfig.xml

   - Check the active Sysmon configuration with: sysmon64.exe -c


6) Update the Windows Agent Monitor Template to include Sysmon logs:

FortiSIEM GUI: go to Admin -> Setup -> Windows Agent
Edit the Agent Template, go to Event -> New and select:
- Type: Other
- Event Name: Microsoft-Windows-Sysmon/Operational (the channel name as displayed in Windows Event Viewer)

After a few minutes, once the configuration has been updated on the agent, search for events with: Event Type CONTAINS Sysmon
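A pre-installation check for step 4, as an added example that is not part of this article or of Fortinet's tooling: a Python script that parses a Sysmonconfig.xml, confirms it is well-formed, lists the images excluded from NetworkConnect monitoring, and emulates the Sysmon rule conditions used above to report which destination ports the include rules actually match. The embedded sample config is constructed from the fragments in this article (the schemaversion value is a placeholder; take it from your template). Sysmon's "begin with" and "end with" conditions compare the port as text, so the rule above matches 1024, 10240-10249 and 65535 rather than every port above 1024, which is the kind of tuning the article says the rule needs before it goes into production.

```python
"""Sanity checks for a Sysmon configuration before running sysmon64.exe -i.

Added example (not from the article or from Fortinet): parses the XML,
collects NetworkConnect include/exclude rules, emulates the string
conditions used in the article and reports what the rules really match.
"""
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments in the article. The
# schemaversion is a placeholder: use the value from your Sysmonconfig.xml.
SAMPLE_CONFIG = """\
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!--Ports: Suspicious-->
        <DestinationPort name="AllPorts" condition="begin with">1024</DestinationPort>
        <DestinationPort name="AllPorts" condition="end with">65535</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="image">AoWinAgt.exe</Image> <!--FortiSIEM Agent-->
        <Image condition="image">FortiESNAC.exe</Image> <!--FortiClient-->
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def parse_error(xml_text):
    """Return None if the config is well-formed XML, else the parser's message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def network_rules(xml_text):
    """Collect (field, condition, value) triples per onmatch mode of every NetworkConnect block."""
    rules = {"include": [], "exclude": []}
    for block in ET.fromstring(xml_text).iter("NetworkConnect"):
        mode = block.get("onmatch", "include")
        for rule in block:  # the parser drops XML comments, so only rule elements remain
            cond = rule.get("condition", "is")
            rules.setdefault(mode, []).append((rule.tag, cond, (rule.text or "").strip()))
    return rules


def condition_matches(condition, rule_value, field_value):
    """Emulate the Sysmon conditions used in the article (case-insensitive text compares)."""
    field, want = field_value.lower(), rule_value.lower()
    if condition == "is":
        return field == want
    if condition == "begin with":
        return field.startswith(want)
    if condition == "end with":
        return field.endswith(want)
    if condition == "contains":
        return want in field
    if condition == "image":  # the full path or just the file name matches
        return field == want or field.rsplit("\\", 1)[-1] == want
    raise ValueError(f"condition not modelled here: {condition}")


def matched_ports(rules):
    """Destination ports (1-65535) whose decimal text satisfies any include rule."""
    port_rules = [(c, v) for f, c, v in rules["include"] if f == "DestinationPort"]
    return [p for p in range(1, 65536)
            if any(condition_matches(c, v, str(p)) for c, v in port_rules)]


def is_excluded(rules, image_path):
    """True if a process image path is covered by an Image exclude rule."""
    return any(condition_matches(c, v, image_path)
               for f, c, v in rules["exclude"] if f == "Image")


if __name__ == "__main__":
    err = parse_error(SAMPLE_CONFIG)
    if err:
        raise SystemExit(f"config is not well-formed: {err}")
    rules = network_rules(SAMPLE_CONFIG)
    ports = matched_ports(rules)
    print(f"{len(ports)} destination ports match the include rules: {ports}")
    for image in (r"C:\Program Files\Fortinet\AoWinAgt.exe",
                  r"C:\Windows\System32\svchost.exe"):
        state = "excluded" if is_excluded(rules, image) else "monitored"
        print(f"{image}: {state}")
```

Point the script at the real Sysmonconfig.xml (read the file into the string instead of SAMPLE_CONFIG) and compare the port list it prints against what you expect to see in FortiSIEM; a list of twelve ports is a sign the port rule needs a different condition, and a missing agent image in the exclude list means the agent's own connections will be logged.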

Related Articles

Troubleshooting Tip: FortiSIEM Windows Agent 3.1 installation failed on cloned VM Windows Servers
