FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 192285


This article describes the steps to integrate Sysmon with FortiSIEM.

Sysmon is a powerful Windows Monitoring Tool which helps increasing situational awareness by mapping network traffic to the system processes and network users. Furthermore Sysmon helps detect several attacks such as:


1) Windows PowerShell Download from URL
Malicious HTML Applications Spawning Windows Shell

Windows Command Line Processes Started by MMC


The full list of FortiSIEM correlation rules based on Sysmon events is available in the user guide

High-Level Steps:

1) Prerequisites: FortiSIEM Windows Agent has to be installed and configured
2) Download Sysmon and Sysmon configuration file
3) Customize Sysmon configuration
4) Install Sysmon
5) Configure FortiSIEM to fetch Sysmon events


1) Download Sysmon from
here (V10.41 at the time of writing this document)
2) Extract the content to a folder (exp: %Homepath%\Downloads\Sysmon\)
3) Download
here the latest Configuration template (Sysmonconfig.xml) file to the same directory above
4) Edit the configuration file Sysmonconfig.xml as shown below:

- Remove the network port section

- To monitor all ports over 1024 use the below syntax. This has to be tuned according to environment to avoid noise and false positives
<!--Ports: Suspicious-->
<DestinationPort name="AllPorts" condition="begin with">1024</DestinationPort>
<DestinationPort name="AllPorts" condition="end with">65535</DestinationPort>
- Create exception rules to exclude FortiSIEM Agent communications and other benign software then save the config file (Sysmonconfig.xml)
<NetworkConnect onmatch="exclude">
<Image condition="image">AoWinAgt.exe</Image> <!--FortiSIEM Agent-->
<Image condition="image">FortiESNAC.exe</Image> <!--FortiClient-->
5) Install Sysmon: open a command prompt and cd to the download folder then run:
#sysmon64.exe -accepteula -i sysmonconfig.xml

   - Check Sysmon configuration with: sysmon64.exe -c

6) Update Windows Agent Monitor Template to include Sysmon logs:

FortiSIEM GUI: Go to Admin -> Setup -> Windows Agent
Edit Agent Template, Go to Event -> New and select:
- Type: Other
- Event Name: Microsoft-Windows-Sysmon/Operational as displayed within Windows Event Viewer




After few minute when the configuration is updated on the agent search for events with: Event Type CONTAINS Sysmon




Related Articles

Troubleshooting Tip: FortiSIEM Windows Agent 3.1 installation failed on cloned VM Windows Servers