It's important to mention that Sysmon isn't required in many cases, as LimaCharlie's native events already cover most of what Sysmon provides. Check this article to see how LimaCharlie events map to Sysmon events on Windows.

If, however, you decide that you still need Sysmon, below are the details of how to deploy and get Sysmon data from your Windows endpoints into LimaCharlie.

Deploy Sysmon

1. Install Sysmon on the endpoint. You may use LimaCharlie's Payload functionality to deploy Sysmon.

Get Sysmon Data Flowing into LimaCharlie

2. Go to the Event Collection / Exfil Control section and add a rule to bring in Windows Event Log (WEL) events.

3. Go to the Artifact Collection section and add a new collection rule with the following path to bring in all Sysmon events:

`wel://Microsoft-Windows-Sysmon/Operational:*`

Note: You can filter the events by ID to only import select events by using patterns of the following form:

`wel://Microsoft-Windows-Sysmon/Operational:16`

`wel://Microsoft-Windows-Sysmon/Operational:25`

`wel://Microsoft-Windows-Sysmon/Operational:7034`

`wel://Microsoft-Windows-Sysmon/Operational:7036`

Verifying Successful Setup

4. Allow up to 10 minutes for data to come into LimaCharlie after setting up a new Artifact Collection rule. Data will flow in real-time after that point.

5. Go to the Timeline view of an endpoint that has Sysmon and the LimaCharlie agent installed.

Set the *Event Type* to WEL and use the *Search* criteria: `Microsoft-Windows-Sysmon`
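The following PowerShell script is an added example, not part of the LimaCharlie documentation or product. It runs on the endpoint and does the checks that steps 1 to 5 rely on: that the Sysmon service is installed, that the `Microsoft-Windows-Sysmon/Operational` channel exists and is enabled, and which event IDs the channel is actually receiving. From that it prints the `wel://` patterns (the collect-all pattern plus one per observed ID) that can be pasted into an Artifact Collection rule. The channel name, sample size and service names are parameters; the service names `Sysmon` and `Sysmon64` are the defaults Sysmon uses, and everything else is an assumption of this example.

```powershell
# Added example (not from the LimaCharlie docs): verify the Sysmon event channel on a
# Windows endpoint and derive wel:// collection patterns from the event IDs it writes.
# Assumes Sysmon has already been installed (step 1). Run in an elevated PowerShell.
param(
    [string]$Channel    = 'Microsoft-Windows-Sysmon/Operational',
    [int]$SampleSize    = 500,
    [string[]]$Services = @('Sysmon', 'Sysmon64')   # default Sysmon service names
)

# 1. Is the Sysmon service present and running? Without it the channel stays empty.
$svc = Get-Service -Name $Services -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    Write-Warning "No Sysmon service found (looked for: $($Services -join ', '))."
} else {
    "Sysmon service '{0}' is {1}" -f $svc.Name, $svc.Status
}

# 2. Does the channel exist and is it enabled? The channel name is the part of the
#    wel:// path before the colon, so it must match the Event Viewer name exactly.
$log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Error "Channel '$Channel' not found. Check Event Viewer under Applications and Services Logs."
    exit 1
}
if (-not $log.IsEnabled) {
    Write-Warning "Channel '$Channel' exists but is disabled; nothing will reach LimaCharlie."
}
"Channel {0}: {1} records, enabled={2}" -f $log.LogName, $log.RecordCount, $log.IsEnabled

# 3. Which event IDs is the endpoint actually producing, and how often? This is the
#    input for deciding whether to collect everything (:*) or only selected IDs.
$sample = Get-WinEvent -LogName $Channel -MaxEvents $SampleSize -ErrorAction SilentlyContinue
if (-not $sample) {
    Write-Warning "Channel '$Channel' contains no events yet; wait for activity and re-run."
    exit 0
}
$sample | Group-Object -Property Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count |
    Format-Table -AutoSize

# 4. Emit the wel:// patterns. ${Channel} (with braces) keeps PowerShell from reading
#    "$Channel:" as a drive-qualified variable.
"Collect everything:"
"  wel://${Channel}:*"
"Per-ID patterns observed in the last $($sample.Count) events:"
$sample | Select-Object -ExpandProperty Id -Unique | Sort-Object | ForEach-Object {
    "  wel://${Channel}:$_"
}
```

The per-ID table is the useful part: IDs with very high counts are candidates for leaving out of the Artifact Collection rule, while the collect-all pattern is the right starting point when the volume is acceptable. If step 2 fails, the channel name in the rule is wrong or Sysmon is not installed, which is the most common reason no `Microsoft-Windows-Sysmon` events appear in the Timeline view.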

Tips:

  • Paths for Windows Event Log data can be verified on the endpoint by using Windows Event Viewer.

  • File paths must be escaped. Do you find escaping file paths to be challenging? Please let us know.

  • You can see a list of event IDs and whether they're noisy in the MalwareArchaeology Sysmon Cheat Sheet.
