Microsoft Windows - Sysmon

Snare can forward log data to Securonix using Securonix's pre-configured parsers. This guide outlines the steps to configure the Snare agent to forward Microsoft Windows Sysmon logs to Securonix, along with links to the Securonix documentation on how to finalise configuration within Securonix itself.

This guide is broken into 2 sections:

Windows Configuration

  1. Follow the Microsoft steps to download, install and configure Sysmon logging here: Sysmon - Sysinternals | Microsoft Learn

Note: Snare supports bundling Sysmon and the Snare agent (along with their configurations) within a single .msi package. More information can be found here: Snare MSI Documentation v3 - Confluence

Snare Agent Configuration

  1. Follow the steps outlined here to install the Snare agent: Agent Installation - Snare Windows Agent v5 Documentation - Confluence

  2. Once the agent is installed and licensed, log in to the web UI (https://localhost:6161) and select “Audit policy configuration”.

  3. Snare ships with a set of default logging policies based on experience with customers and Microsoft best practices. By default, Snare collects filtered logs from the “Security” channel and everything from “Application”, “System”, “Applications and Services” (“Custom”) and others in the final wildcard policy.

    If the default policies remain, then Snare will automatically collect Sysmon logs from “Applications and Services” → “Microsoft” → “Windows” → “Sysmon” → “Operational”.

Further information on policy configuration and options for filtering Windows log data can be found here: Audit Policies - Snare Windows Agent v5 Documentation - Confluence

(Figure: Example default policies in the Snare agent.)

  4. Once you have configured policies according to your internal monitoring strategies, select “Destination Configuration” in the left hand navigation menu.

  5. Under the “Network Destinations” section, enter the domain/IP address for Snare Reflector, set the port to “6161”, ensure Format is “Snare” and “Delimiter Character” is “Tab”.

  6. Scroll to the bottom of the page, select “Update Destinations” and then select “Apply Configuration and Restart service” on the left hand navigation menu.

Note: Once configured, this configuration can be pulled into the Snare Agent Manager (Agents Policies Management - Snare Agent Manager Documentation - Confluence) or bundled into an .msi using the Snare MSI builder (Creating the MSI package - Snare MSI Documentation v3 - Confluence).

Snare Reflector Configuration

  1. Log in to Snare Central. Navigate to the Reflector UI (System -> Administrative Tools -> Configure Collector/Reflector) and select “Destinations” on the left hand menu.

  2. Select “Add Destination” at the bottom of the page and create a new destination with the following configuration. Select “Update”, then “Proceed with update”, then scroll to the top of the window and select “Restart Reflector” to apply the settings.

Configuration option: Value

Hostname: IP/Hostname of the SNYPR instance in Securonix.

Port: Port associated with the Snare Microsoft Windows parser.

Format: Set the format to “QRadar”.

Protocol: Set the protocol to UDP, TCP or TLS as per the configuration in SNYPR.

Add Regular Expression: Create a new policy with the following regular expression and mode set to “Include” (not including quotes):
“\tMicrosoft-Windows-Sysmon/Operational\t”

  3. Once applied, return to the Reflector dashboard by selecting “Dashboard” and locate the chart for the destination that was just configured. Ensure the “Status” is “Sending” and that the chart has values.

  4. Finally, validate the delivery of logs to Securonix using the “Spotter” feature within the Securonix platform.
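The Include rule in the destination table is matched against the whole Snare-format line, and its two \t characters are literal tabs, which is why the agent destination must use the Tab delimiter. The following Python is an added example (not Snare's or Securonix's code) that applies that rule to constructed sample records laid out in the order of Snare's MSWinEventLog format; the hostname, counters and timestamps are hypothetical. It shows that only the Sysmon Operational record is forwarded, that nothing is forwarded if the agent sends a comma-delimited line, and that a looser rule such as a bare "Sysmon" would also pick up a System-channel service event that merely mentions Sysmon in its message.

```python
import re

# Include rule from the Reflector destination table, as a Python regex.
# \t is a literal tab, so the channel name must sit in its own tab-delimited field.
SYSMON_INCLUDE = re.compile(r"\tMicrosoft-Windows-Sysmon/Operational\t")

# A looser rule, included only to show what it would forward by mistake.
LOOSE_RULE = re.compile(r"Sysmon")


def build_record(fields, delimiter="\t"):
    """Join event fields into one Snare-format line using the agent's configured
    delimiter character (Tab is what the Reflector rule above expects)."""
    return delimiter.join(fields)


def reflector_forwards(record, rule=SYSMON_INCLUDE):
    """True when a destination with this Include-mode regex would send the line."""
    return rule.search(record) is not None


def forwarded_subset(events, delimiter="\t", rule=SYSMON_INCLUDE):
    """Return the names of the sample events a destination using `rule` would
    forward, after each field list is joined with `delimiter`."""
    return [name for name, fields in events.items()
            if reflector_forwards(build_record(fields, delimiter), rule)]


# Constructed sample events (hypothetical host WS01.example.internal) in the
# MSWinEventLog field order: hostname, format tag, criticality, channel,
# counter, timestamp, event ID, source, user, SID type, event type, computer,
# category, message.
SAMPLE_EVENTS = {
    "sysmon_process_create": [
        "WS01.example.internal", "MSWinEventLog", "1",
        "Microsoft-Windows-Sysmon/Operational", "1042",
        "Thu Feb 13 10:14:24 2025", "1", "Microsoft-Windows-Sysmon",
        "SYSTEM", "User", "Information", "WS01.example.internal",
        "Process Create (rule: ProcessCreate)",
        "Process Create: Image: C:\\Windows\\System32\\notepad.exe",
    ],
    "security_logon": [
        "WS01.example.internal", "MSWinEventLog", "1", "Security", "1043",
        "Thu Feb 13 10:14:25 2025", "4624",
        "Microsoft-Windows-Security-Auditing", "N/A", "N/A",
        "Success Audit", "WS01.example.internal", "Logon",
        "An account was successfully logged on.",
    ],
    # System-channel event that only mentions Sysmon in its message text.
    "system_service_state": [
        "WS01.example.internal", "MSWinEventLog", "1", "System", "1044",
        "Thu Feb 13 10:14:26 2025", "7036", "Service Control Manager",
        "N/A", "N/A", "Information", "WS01.example.internal", "None",
        "The Sysmon service entered the running state.",
    ],
}


if __name__ == "__main__":
    print("Tab delimiter, channel rule :", forwarded_subset(SAMPLE_EVENTS))
    print("Comma delimiter, channel rule:", forwarded_subset(SAMPLE_EVENTS, ","))
    print("Tab delimiter, loose rule   :", forwarded_subset(SAMPLE_EVENTS, rule=LOOSE_RULE))
```

When checking the Reflector dashboard in step 3, a destination that stays at zero even though the agent is sending is worth comparing against the comma-delimited case above: the rule silently matches nothing rather than erroring.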
