Contents
Installation of Sysmon on Windows Server
Note
Note
Integrate Sysmon with QRadar
Note
Installation of Sysmon on Windows Server:
Sysmon.exe -c <configfile>
4. Sysmon is now installed on the server. Its events are written to the Microsoft-Windows-Sysmon/Operational channel, which Event Viewer shows under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. The backing log file is:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
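The following PowerShell is an added example and is not part of the original guide. It installs Sysmon from a configuration file (or, if the service already exists, applies the file with the -c switch shown above) and then checks the service and the Operational channel. The file names Sysmon.exe and sysmonconfig.xml, the default service name "Sysmon", and running from an elevated session are assumptions.

```powershell
# Added example, not part of the original document: install (or re-configure) Sysmon
# from a configuration file and verify that the service and its event channel exist.
# Assumptions: Sysmon.exe and sysmonconfig.xml are in the current directory, the
# service keeps its default name "Sysmon", and this runs in an elevated PowerShell.
$SysmonExe  = ".\Sysmon.exe"
$ConfigFile = ".\sysmonconfig.xml"
$LogName    = "Microsoft-Windows-Sysmon/Operational"

if (-not (Test-Path $ConfigFile)) { throw "Config file not found: $ConfigFile" }

# -accepteula -i installs the service and driver with the given configuration;
# -c <configfile> (the command shown in the guide) only replaces the configuration
# of an already-installed Sysmon, so choose the switch based on whether the service exists.
if (Get-Service -Name Sysmon -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $ConfigFile
} else {
    & $SysmonExe -accepteula -i $ConfigFile
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# The service must be running and the Operational channel must exist and be enabled.
Get-Service -Name Sysmon | Select-Object Name, Status, StartType
Get-WinEvent -ListLog $LogName | Select-Object LogName, IsEnabled, RecordCount, LogFilePath

# Dump the configuration Sysmon actually loaded (-c with no file prints the active config).
& $SysmonExe -c

# Show the newest events; Sysmon event Id 1 is process creation, Id 3 is a network connection.
Get-WinEvent -LogName $LogName -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

If the Operational channel is missing or RecordCount stays at zero after a few minutes of normal activity, fix that on the server before touching the WinCollect side: QRadar can only forward what the channel contains.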
Integrate Sysmon with QRadar:
1. Open the WinCollect Configuration Console. If the server is not yet integrated with QRadar, follow the Windows Server Integration guide first.
2. Under Devices, open the device created earlier (double-click it).
3. In the XPath Query field, enter an XPath query that selects only events from the Sysmon and Security logs.
Note: An XPath query can be generated from Event Viewer with Create Custom View; the XML tab of that dialog shows the query to copy.
Sample XPath Query:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
4. Click Deploy Changes. Sysmon events now arrive in QRadar under the same log source as the Windows Security events.
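The following PowerShell is an added example and is not part of the original guide. It runs the sample XPath query above through Get-WinEvent on the server before the query is pasted into the WinCollect device, so a malformed query or a misspelled channel name fails here rather than showing up later as missing events in QRadar. It then goes one step beyond the guide with a narrowed variant that keeps only Sysmon process-creation and network-connection events (Sysmon event IDs 1 and 3); the event limits are arbitrary.

```powershell
# Added example, not part of the original document: validate the XPath query locally.
# Get-WinEvent -FilterXml uses the same query syntax as WinCollect and Event Viewer, and
# fails on malformed XML or an unknown channel name. The query is the one from the guide.
$QueryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents 500 -ErrorAction Stop

# Both channels should appear in the result. If Sysmon is absent, the service is not
# running, the channel is empty, or the Select path is misspelled.
$byLog = $events | Group-Object LogName | Select-Object Name, Count
$byLog | Format-Table -AutoSize

if (-not ($byLog.Name -contains 'Microsoft-Windows-Sysmon/Operational')) {
    Write-Warning "No Sysmon events matched; check that the Sysmon service is running and the channel is enabled."
}

# Narrowed variant (goes beyond the guide): keep all Security events but only Sysmon
# EventID 1 (process create) and 3 (network connect), for servers where every Sysmon
# event is too noisy to forward. The filter syntax is standard Windows event XPath.
$NarrowXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3)]]</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml ([xml]$NarrowXml) -MaxEvents 20 | Select-Object TimeCreated, LogName, Id
```

Whichever query is used, paste exactly the XML that was validated into the WinCollect XPath Query field; a query that works in Get-WinEvent on the server will select the same events for the agent.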