Splunk SysMon setup

./chrisrpetrie
2 min read · Mar 28, 2022

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

This guide will explain the basics of installing and configuring SysMon on an endpoint for data collection into Splunk.

  1. Download SysMon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  2. Download a configuration file. I like to use the SwiftOnSecurity one: https://github.com/SwiftOnSecurity/sysmon-config
  3. Install SysMon with the config (64-bit version in this example; drop the 64 for a 32-bit install):
     sysmon64.exe -i <name-of-config-file.xml> -accepteula
  4. Next, install the TA for SysMon:
     - Download and extract it from https://splunkbase.splunk.com/app/5709/
     - Copy the TA-microsoft-sysmon directory to C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-microsoft-sysmon
     - Create a subfolder called local, then copy the inputs.conf file from the default folder into the new local folder.
     - Finally, edit the local inputs.conf so the line reads disabled = false. It should look something like this:
       [WinEventLog://Microsoft-Windows-Sysmon/Operational]
       disabled = false
       renderXml = 1
       source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  5. Restart the Splunk forwarder service.
  6. And that should be it: you should now see SysMon events being logged in Splunk!
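The whole procedure above, scripted in PowerShell as an added example (not code from the original post or from the Sysmon or Splunk projects). It assumes Sysmon64.exe and the config XML were extracted to C:\Tools\Sysmon, that the config is named sysmonconfig-export.xml, that the TA was extracted to C:\Temp\TA-microsoft-sysmon, and that the forwarder is installed in the default location given in step 4; adjust those paths for your host. The Windows service names Sysmon64 and SplunkForwarder are the ones the two installers register. The one thing it adds over the manual steps is a guard for re-runs: Sysmon refuses a second -i on a host where it is already installed, so the script pushes the config with -c in that case, and it only flips the disabled line inside the Sysmon stanza rather than touching the rest of inputs.conf.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Paths below are assumptions for this script.
$SysmonDir  = 'C:\Tools\Sysmon'                                  # assumed: where Sysmon64.exe was extracted
$ConfigFile = Join-Path $SysmonDir 'sysmonconfig-export.xml'     # assumed: SwiftOnSecurity config file name
$TaSource   = 'C:\Temp\TA-microsoft-sysmon'                      # assumed: extracted Splunkbase download
$UfApps     = 'C:\Program Files\SplunkUniversalForwarder\etc\apps'   # default forwarder path (from the post)
$TaDest     = Join-Path $UfApps 'TA-microsoft-sysmon'
$Stanza     = 'WinEventLog://Microsoft-Windows-Sysmon/Operational'

# Sets "disabled = false" inside one stanza of a .conf file and returns the updated text.
# Other stanzas are left untouched; if the stanza has no disabled line, one is appended to it.
function Set-StanzaEnabled {
    param([string]$Text, [string]$StanzaName)
    $header  = [regex]::Escape("[$StanzaName]")
    # Match from the header up to (not including) the next "[...]" header or end of file.
    $pattern = "(?s)$header.*?(?=\r?\n\[|\z)"
    $m = [regex]::Match($Text, $pattern)
    if (-not $m.Success) { throw "Stanza [$StanzaName] not found in inputs.conf" }
    $block = $m.Value
    if ($block -match '(?m)^\s*disabled\s*=') {
        $block = $block -replace '(?m)^(\s*disabled\s*=\s*)[^\r\n]*', '${1}false'
    } else {
        $block = $block.TrimEnd() + "`r`ndisabled = false"
    }
    return $Text.Substring(0, $m.Index) + $block + $Text.Substring($m.Index + $m.Length)
}

# Step 3: install Sysmon with the config. On a host that already has Sysmon, -i fails,
# so update the running configuration with -c instead.
$sysmon = Join-Path $SysmonDir 'Sysmon64.exe'
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon -c $ConfigFile
} else {
    & $sysmon -i $ConfigFile -accepteula
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon exited with code $LASTEXITCODE" }

# Step 4: stage the TA, then enable the input in local/ (default/ is overwritten on TA upgrades).
New-Item -ItemType Directory -Path $TaDest -Force | Out-Null
Copy-Item -Path (Join-Path $TaSource '*') -Destination $TaDest -Recurse -Force
$localDir = Join-Path $TaDest 'local'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
Copy-Item -Path (Join-Path $TaDest 'default\inputs.conf') -Destination $localDir -Force

$inputsConf = Join-Path $localDir 'inputs.conf'
$updated = Set-StanzaEnabled -Text (Get-Content -Path $inputsConf -Raw) -StanzaName $Stanza
Set-Content -Path $inputsConf -Value $updated -NoNewline

# Step 5: restart the forwarder so it picks up the new input.
Restart-Service -Name 'SplunkForwarder'

# Step 6 sanity check: confirm Sysmon itself is writing to its channel before looking at Splunk.
# Event ID 1 (process create) appears within seconds on any live host.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 -ErrorAction Stop |
    Select-Object TimeCreated, Id, ProviderName
```

If the last command returns events but nothing reaches Splunk, the problem is on the forwarder side (inputs.conf, outputs.conf, or the service), not Sysmon. On the search head, a query along the lines of `source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | stats count by EventCode` (the source value is the one from step 4) shows which Sysmon event types are arriving.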

./chrisrpetrie

Cybersecurity Engineer. CISSP | GICSP | CEH | Systems Integration. Aberdeen, UK