Created on 11-03-2019 10:18 PM Edited on 12-16-2021 02:17 AM By Anonymous
Description
This article describes the steps to integrate Sysmon with FortiSIEM.
Sysmon is a powerful Windows monitoring tool which helps increase situational awareness by mapping network traffic to system processes and network users. Furthermore, Sysmon helps detect several attacks such as:
1) Windows PowerShell Download from URL
2) Malicious HTML Applications Spawning Windows Shell
3) Windows Command Line Processes Started by MMC
The full list of FortiSIEM correlation rules based on Sysmon events is available in the user guide.
Solution
High-Level Steps:
1) Prerequisites: FortiSIEM Windows Agent has to be installed and configured
2) Download Sysmon and Sysmon configuration file
3) Customize Sysmon configuration
4) Install Sysmon
5) Configure FortiSIEM to fetch Sysmon events
Steps:
1) Download Sysmon from here (V10.41 at the time of writing this document)
2) Extract the content to a folder (e.g. %HOMEPATH%\Downloads\Sysmon\)
3) Download the latest configuration template file (Sysmonconfig.xml) from here into the same directory
4) Edit the configuration file Sysmonconfig.xml as shown below:
- Remove the network port section
- To monitor all ports over 1024 use the below syntax. This has to be tuned according to the environment to avoid noise and false positives:
    <NetworkConnect onmatch="include">
    <!--Ports: Suspicious-->
    <DestinationPort name="AllPorts" condition="begin with">1024</DestinationPort>
    <DestinationPort name="AllPorts" condition="end with">65535</DestinationPort>
    </NetworkConnect>
- Create exception rules to exclude FortiSIEM Agent communications and other benign software, then save the config file (Sysmonconfig.xml):
    <NetworkConnect onmatch="exclude">
    <Image condition="image">AoWinAgt.exe</Image> <!--FortiSIEM Agent-->
    <Image condition="image">FortiESNAC.exe</Image> <!--FortiClient-->
    </NetworkConnect>
5) Install Sysmon: open a command prompt, cd to the download folder, then run:
    sysmon64.exe -accepteula -i sysmonconfig.xml
- Check the Sysmon configuration with: sysmon64.exe -c
6) Update Windows Agent Monitor Template to include Sysmon logs:
FortiSIEM GUI: Go to Admin -> Setup -> Windows Agent
Edit Agent Template, Go to Event -> New and select:
- Type: Other
- Event Name: Microsoft-Windows-Sysmon/Operational (the log name as displayed in Windows Event Viewer)
After a few minutes, once the updated configuration has reached the agent, search for events with: Event Type CONTAINS Sysmon
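As an added example (not Fortinet's or Sysinternals' code), the following Python script performs a preflight check on the customized Sysmonconfig.xml from step 4 before sysmon64.exe -i is run: it parses the NetworkConnect rules, confirms that the FortiSIEM Agent and FortiClient exclusions are present, and simulates which network connection events Sysmon would record, applying Sysmon's documented rule semantics (exclude rules override include rules; begin with and end with compare the field value as a string). The embedded config is a constructed sample containing only the sections this article customizes, and the event samples are constructed as well; to check a real file, replace SAMPLE_CONFIG with its contents.

```python
"""Preflight check for a customized Sysmon configuration (added example)."""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample config, modelled on the sections the article customizes.
# The schemaversion value is a placeholder; a real deployment uses the full
# Sysmonconfig.xml template and the schema of its own Sysmon build.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!--Ports: Suspicious-->
        <DestinationPort name="AllPorts" condition="begin with">1024</DestinationPort>
        <DestinationPort name="AllPorts" condition="end with">65535</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="image">AoWinAgt.exe</Image>   <!--FortiSIEM Agent-->
        <Image condition="image">FortiESNAC.exe</Image> <!--FortiClient-->
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Processes whose outbound traffic must be excluded so the agent does not
# generate events about its own reporting to FortiSIEM.
REQUIRED_EXCLUSIONS = ("AoWinAgt.exe", "FortiESNAC.exe")


@dataclass(frozen=True)
class Rule:
    field: str      # Sysmon event field, e.g. Image or DestinationPort
    condition: str  # Sysmon condition keyword, e.g. "is", "begin with", "image"
    value: str


def load_network_rules(xml_text):
    """Return {"include": [Rule, ...], "exclude": [Rule, ...]} for NetworkConnect."""
    root = ET.fromstring(xml_text)  # raises ParseError if the file is malformed
    rules = {"include": [], "exclude": []}
    for block in root.iter("NetworkConnect"):
        onmatch = block.get("onmatch", "include")
        if onmatch not in rules:
            raise ValueError(f"unexpected onmatch value: {onmatch}")
        for elem in block:  # comments are dropped by ElementTree
            rules[onmatch].append(
                Rule(elem.tag, elem.get("condition", "is"), (elem.text or "").strip()))
    return rules


def rule_matches(rule, event):
    """Evaluate one rule against an event whose fields are strings (case-insensitive)."""
    actual = str(event.get(rule.field, "")).lower()
    expected = rule.value.lower()
    if rule.condition == "is":
        return actual == expected
    if rule.condition == "contains":
        return expected in actual
    if rule.condition == "begin with":
        return actual.startswith(expected)
    if rule.condition == "end with":
        return actual.endswith(expected)
    if rule.condition == "image":
        # Sysmon's "image" condition matches the full path or just the file name.
        return actual == expected or os.path.basename(actual.replace("\\", "/")) == expected
    raise ValueError(f"condition not handled by this example: {rule.condition}")


def would_log(rules, event):
    """Sysmon records the event if an include rule matches and no exclude rule does."""
    if any(rule_matches(r, event) for r in rules["exclude"]):
        return False
    return any(rule_matches(r, event) for r in rules["include"])


def missing_exclusions(rules, required=REQUIRED_EXCLUSIONS):
    """Names from `required` that no Image exclude rule covers."""
    excluded = {r.value.lower() for r in rules["exclude"] if r.field == "Image"}
    return [name for name in required if name.lower() not in excluded]


if __name__ == "__main__":
    rules = load_network_rules(SAMPLE_CONFIG)
    print("missing exclusions:", missing_exclusions(rules) or "none")
    # Constructed events: agent traffic, and two svchost.exe connections.
    for image, port in [(r"C:\Program Files\Fortinet\AoWinAgt.exe", "10240"),
                        (r"C:\Windows\System32\svchost.exe", "1024"),
                        (r"C:\Windows\System32\svchost.exe", "4444")]:
        verdict = would_log(rules, {"Image": image, "DestinationPort": port})
        print(f"{image} -> port {port}: {'logged' if verdict else 'filtered out'}")
```

The simulation makes the tuning requirement from step 4 concrete: the agent's connection is dropped by the exclude rule even though its port matches an include rule, while a connection to port 4444 matches neither port rule and is not recorded, so the port section has to be adjusted to what the environment actually needs to see.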
Related Articles
Troubleshooting Tip: FortiSIEM Windows Agent 3.1 installation failed on cloned VM Windows Servers
Copyright 2025 Fortinet, Inc. All Rights Reserved.