Sysmon is a popular and powerful security utility that is a part of the free Sysinternals Suite. System Monitor (Sysmon) is a Windows service and device driver that, once installed, stays active across system reboots to track and log system activity in the Windows event log. Sysmon, when used together with some of EventSentry's security features (e.g. anomaly detection), can significantly improve security and be used to detect advanced threats.
A caveat of Sysmon is its lack of deployment options, which EventSentry's Sysmon Management feature addresses. With EventSentry, you can:
• Deploy Sysmon and keep it updated
• Manage the Sysmon configuration
Sysmon Management supports the following deployment options:
Mode
Determines to what degree Sysmon is managed by EventSentry:
Manage Configuration Only
This assumes that Sysmon is already installed on the monitored hosts, or that an alternate deployment solution for Sysmon exists. EventSentry only ensures that all hosts running Sysmon are using the specified configuration. EventSentry will update the configuration automatically when a change in the configuration is received by the agent.
Install & Keep Updated
In addition to managing the configuration, EventSentry will install Sysmon and keep it updated with the latest version available from the Sysmon Source field. The frequency at which the source is checked can be configured with the "Refresh Version Every" setting below.
Uninstall
Simply uninstalls Sysmon if it is installed on the monitored hosts.
Sysmon Source
The source from which Sysmon should be downloaded if it is not installed, or from which EventSentry should attempt to download the latest version if the mode is set to "Install & Keep Updated". The source can be either a URL or a UNC path to a local network resource. Note that EventSentry agents need to download Sysmon from the specified source at the specified interval in order to determine whether they have the latest version installed or not.
UNC Source
Remote agents access the UNC path using the LocalSystem account (e.g. $SERVER01), so it is important that the share permissions grant these accounts READ access.
URL Source
If the specified URL is HTTPS, then the remote TLS certificate needs to be trusted by the monitored hosts.
Refresh Version Every
If the mode is set to "Install & Keep Updated", EventSentry checks the configured URL or UNC path at the specified interval. Note that EventSentry agents need to download Sysmon from the specified source in order to determine the latest version, so it is recommended to use a reasonable interval. On average, Sysmon is updated every other month.
Sysmon Configuration
The actual XML-based Sysmon configuration. EventSentry ships with a default configuration that is based on a template by SwiftOnSecurity; clicking the "Use Default" button will load this template. Configuration files can also be imported and exported with the respective Load / Save As buttons, or pasted directly into the configuration field.
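To make the checks behind the modes above concrete, the following PowerShell script is an added example (not EventSentry's own code or agent logic) that reports, and optionally corrects, drift between a host's Sysmon version/configuration and a reference copy on a UNC share. The share paths, the marker-file location and the use of a SHA256 marker to track the last applied configuration are assumptions for illustration; the Sysmon switches used (-accepteula, -i, -c, -u) are Sysmon's documented ones.

```powershell
# Added example, not EventSentry's code: report (and with -Apply, fix) drift between a
# host's Sysmon install/config and a reference copy, i.e. the checks that the
# "Install & Keep Updated" and "Manage Configuration Only" modes perform. Paths are assumed.
param(
    [string]$SourceExe  = '\\FILESERVER\Sysmon\Sysmon64.exe',        # assumed UNC source
    [string]$ConfigFile = '\\FILESERVER\Sysmon\sysmonconfig.xml',    # assumed desired config
    [string]$StateFile  = 'C:\ProgramData\SysmonSync\applied.sha256', # assumed marker file
    [switch]$Apply                                                    # report only unless set
)

# Sysmon registers its service as "Sysmon" (32-bit build) or "Sysmon64" (64-bit build).
$svc = Get-CimInstance Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'" |
       Select-Object -First 1
if (-not $svc) {
    Write-Output 'Sysmon is not installed on this host'
    if ($Apply) { & $SourceExe -accepteula -i $ConfigFile }   # fresh install with config
    return
}

# Installed version comes from the service binary; the available one from the reference copy.
# Reading the source file is what forces the agent to fetch it at every refresh interval.
$exe       = $svc.PathName.Trim('"')
$installed = [version](Get-Item $exe).VersionInfo.FileVersion
$available = [version](Get-Item $SourceExe).VersionInfo.FileVersion
Write-Output "Sysmon $installed installed ($($svc.State)); source offers $available"
if ($available -gt $installed) {
    Write-Output 'Version drift detected'
    if ($Apply) { & $exe -u; & $SourceExe -accepteula -i $ConfigFile; return }
}

# Sysmon keeps compiled rules rather than the XML, so track the hash of the last applied
# file and re-apply with "sysmon -c" whenever the desired configuration changes.
$desired = (Get-FileHash -Algorithm SHA256 -Path $ConfigFile).Hash
$applied = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }
if ($desired -ne $applied) {
    Write-Output 'Configuration drift detected'
    if ($Apply) {
        & $exe -c $ConfigFile
        New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
        Set-Content -Path $StateFile -Value $desired
    }
} else {
    Write-Output 'Configuration matches the reference'
}
```

Run it from an elevated prompt, since querying the service binary and applying a Sysmon configuration both require administrative rights.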