How to deploy Sysmon and MMA Agent to receive logs in Azure Sentinel?

I often get messages from folks asking me about deploying Sysmon on their endpoints and pushing those logs to an Azure Sentinel workspace. Since I’ve received these kinds of messages a couple of times, I thought it would be a good idea to blog about it.

This will help me remember the steps as well, but more importantly, it will help others learn from it so they can do it themselves.

One of the common things I hear is that people struggle with deploying Sysmon and the MMA Agent at scale. Yes, it is easy to install and configure it manually on one machine, but what about multiple machines?

In this blog post, we are going to learn how to create an Azure Sentinel workspace. Besides that, we will cover how to create a Group Policy and roll out Sysmon and the MMA agent so that the logs arrive in Azure Sentinel.

Content

  • How to setup Azure Sentinel?
  • How to deploy Sysmon on multiple endpoints?
  • How to deploy Microsoft Monitoring Agent (MMA) on multiple endpoints?
  • Configure Sysmon Events in Azure Sentinel

Azure Sentinel Workspace

Before we want to use Azure Sentinel, we need to create a Log Analytics workspace first. Azure Sentinel uses Log Analytics as the backend to store logs and other information.

In order to create a Log Analytics workspace:

  • Go to the Azure Portal
  • Search for “Log Analytics workspace” in the search bar and press enter
  • Click on “Create”
  • Fill in the rest of the information and finish

Once we have done that, we can setup Azure Sentinel.

In order to setup Azure Sentinel:

  • Go to the Azure Portal
  • Search for “Azure Sentinel” in the search bar and press enter
  • Click on “Create Azure Sentinel”
  • Select the Log Analytics workspace we previously created
  • Click on “Add”

We have now successfully created an Azure Sentinel workspace.

How to deploy Sysmon?

System Monitor (Sysmon) is a Windows system service and device driver that provides detailed information about process creations, network connections, registry events, and much more. There are different ways to roll out Sysmon, but in this example we are going to use Group Policy to do so.

  1. First, we need to download Sysmon and a configuration file that has been tuned to reduce the noise.
  • Download Sysmon
  • Download the Sysmon configuration file
  • Extract the files
  • Create a folder on a server
  • Right-click on the folder and select “Sharing”
  • Give “Domain Computers” Read access
  • Save all the extracted files that you just downloaded in the shared folder

Once you have done everything right, you should now have a shared folder that contains the following files:

2. Now we have to configure our Group Policy and roll out Sysmon to the OUs that contain the workstations and member servers

  • Create a Group Policy Object and give it a nice name
  • In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.
  • Right-click Scheduled tasks, point to New, and then click Immediate Task (At least Windows 7).
  • In the Task window that opens, go to the General tab. Under Security options click Change User or Group and type SYSTEM and then click Check Names then OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
  • Select Run whether user is logged on or not
  • Go to the Actions tab and click New… Ensure that Start a program is selected in the Action field. Enter the location of Sysmon.exe on the share as the program, and the install arguments pointing at the shared Sysmon config.

Example:

Program/script: \\APD-DC1\Sysmon\Sysmon.exe

Add arguments (optional): -accepteula -i \\APD-DC1\Sysmon\sysmonconfig.xml
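Calling Sysmon.exe -i directly from the task works for a first rollout, but it does nothing for machines that already have Sysmon and it never picks up a changed config. The following wrapper is an added example (it is not part of the original post): it installs Sysmon when the service is missing and otherwise re-applies the config with -c only when the file on the share has changed. It assumes the share layout \\APD-DC1\Sysmon\ from the post; the state directory C:\ProgramData\SysmonDeploy is an invented location.

```powershell
# Added example, not from the original post. Run as SYSTEM from the scheduled task.
# Assumed paths: the \\APD-DC1\Sysmon share used in the post; $StateDir is invented.
param(
    [string]$SysmonExe  = '\\APD-DC1\Sysmon\Sysmon.exe',
    [string]$ConfigFile = '\\APD-DC1\Sysmon\sysmonconfig.xml',
    [string]$StateDir   = 'C:\ProgramData\SysmonDeploy'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$stateFile = Join-Path $StateDir 'config.sha256'

# Sysmon registers itself as a service called Sysmon or Sysmon64 depending on the binary;
# accept either so the script works regardless of which build was rolled out earlier.
$installed = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
    Select-Object -First 1

# Compare the config on the share with the hash we recorded at the last successful run.
$newHash = (Get-FileHash -Path $ConfigFile -Algorithm SHA256).Hash
$oldHash = if (Test-Path $stateFile) { (Get-Content $stateFile -Raw).Trim() } else { '' }

if (-not $installed) {
    Write-Output "Installing Sysmon with $ConfigFile"
    & $SysmonExe -accepteula -i $ConfigFile
    if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }
} elseif ($newHash -ne $oldHash) {
    # -c loads a new configuration into the running service without reinstalling the driver
    Write-Output "Configuration changed, updating Sysmon with $ConfigFile"
    & $SysmonExe -accepteula -c $ConfigFile
    if ($LASTEXITCODE -ne 0) { throw "Sysmon config update failed with exit code $LASTEXITCODE" }
} else {
    Write-Output "Sysmon already installed with the current configuration; nothing to do"
}

# Record the hash only after a successful install/update so a failure is retried next run.
Set-Content -Path $stateFile -Value $newHash

# Post-install check: the service must be running and the operational channel must exist.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running' -or -not $log) {
    throw "Sysmon verification failed: service=$(if ($svc) { $svc.Status } else { 'missing' }), log present=$([bool]$log)"
}
Write-Output "$($svc.Name) is running; $($log.RecordCount) events in Microsoft-Windows-Sysmon/Operational"
```

An Immediate Task only fires when the GPO is applied, so to get the config-update path you would schedule this wrapper as a recurring task (daily, for example) instead. Because the hash is only written after Sysmon.exe returns success, a machine that failed to install is retried on the next run rather than silently marked as done.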

3. We are now going to link this GPO to an OU, for example the one that contains the workstations.

It can take a while before a GPO has been processed, but once it is finished, we can verify that Sysmon has been installed on our endpoints. Usually, it takes between 90 and 120 minutes for a new GPO to be applied. If we don’t want to wait, we can run gpupdate /force on a machine to prove that it really has been installed.

Command

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Select-Object -First 10

Result

In the sample result, we have returned the first 10 Sysmon events.
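Checking one machine with Get-WinEvent is fine for a smoke test, but after linking the GPO you want to know which machines in the OU actually got Sysmon and are producing events. The script below is an added example, not part of the original post: it queries every enabled computer in an OU over PowerShell Remoting and reports the service state and an event-ID breakdown, and it lists the machines that did not answer at all. It assumes the RSAT ActiveDirectory module on the admin host and WinRM on the endpoints; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory and WinRM.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=local',   # placeholder OU
    [int]$Hours = 24                                                # look-back window
)
Import-Module ActiveDirectory

$computers = (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase).Name

$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ArgumentList $Hours -ScriptBlock {
    param($Hours)
    # Either service name means Sysmon is installed (see the install wrapper).
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    # Event ID 1 = process create, 3 = network connection, 11 = file create,
    # 13 = registry value set; a healthy workstation shows mostly 1/3/11.
    $byId = $events | Group-Object Id | Sort-Object Count -Descending |
        ForEach-Object { "$($_.Name):$($_.Count)" }
    [pscustomobject]@{
        Service     = if ($svc) { "$($svc.Name)=$($svc.Status)" } else { 'missing' }
        EventCount  = @($events).Count
        TopEventIds = (@($byId) | Select-Object -First 5) -join ' '
    }
}

# A machine that does not answer is a blind spot for Sentinel just like one
# without Sysmon, so report both.
$answered = @($report.PSComputerName)
$silent   = $computers | Where-Object { $_ -notin $answered }

$report | Select-Object PSComputerName, Service, EventCount, TopEventIds | Format-Table -AutoSize
if ($silent) { Write-Warning ("No response from: " + ($silent -join ', ')) }
$report | Where-Object { $_.Service -eq 'missing' -or $_.EventCount -eq 0 } |
    ForEach-Object { Write-Warning "$($_.PSComputerName): Sysmon not installed or not logging" }
```

Run it a couple of hours after linking the GPO, and again after the next reboot cycle; the machines that keep appearing in the warnings are the ones whose GPO processing or share access needs a closer look.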

How to deploy the MMA Agent?

Microsoft Monitoring Agent collects and reports a variety of data, including performance metrics, event logs and trace information. This allows us to receive logs from a machine and push them to Log Analytics.

  1. The first thing we have to do is download the MMA Agent.
  • Go to the Azure Portal
  • Click on “Log Analytics workspace”
  • Click on your created Log Analytics workspace
  • Go to “Agents management”

As we can see, there are 0 machines connected.

2. Now we have to create a shared folder, so machines can access it.

  • Download the MMA Agent
  • Create a folder on a server
  • Right-click on the folder and click on “Sharing”
  • Grant “Domain Computers” Read access
  • Save the MMA Agent package in the created shared folder.

Now we need to open Notepad and copy and paste the following command:

NOTE: Replace the WORKSPACE_ID and WORKSPACE_KEY with yours. C:\MMA-Agent is our shared folder, and MMASetup-AMD64.exe inside it is the MMA Agent installer.

"c:\MMA-Agent\MMASetup-AMD64.exe" /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=44059d47-2bc9-45ea-a5ea-fab50d502a6c OPINSIGHTS_WORKSPACE_KEY=TuOq3w1Ag8Y+8uQl+L9a5mHE1u4/5XAAzhHbUTmA4m34l5sLuimLeVWd+3+33UKKKI+686qsl/gM5XIczuoILQ== AcceptEndUserLicenseAgreement=1"

Save it as a .cmd file (MMASetup.cmd) and put it in the shared folder that also contains the MMA Agent, which in our case is C:\MMA-Agent.

3. Next, we have to create a Group Policy and push the MMA Agent.

  • Create a Group Policy Object and give it a friendly name
  • In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Windows settings.
  • Right-click Folders, point to New, and select the path where the MMA Agent is going to be stored on the endpoints. In this example, we are going to choose the following path: C:\Program Files
  • Right-click Files, point to New, and click on File
  • Action: Update
  • Source: \\APD-DC1\MMA-Agent\MMASetup-AMD64.exe
  • Path: C:\Program Files\MMASetup-AMD64.exe
  • Right-click again on Files, point to New, and click one more time on File
  • Action: Replace
  • Source: \\APD-DC1\MMA-Agent\MMASetup.cmd
  • Target: C:\Program Files\MMASetup.cmd
  • Click on Common, mark the Apply once and do not reapply checkbox.

If you have done everything correctly, you should have something like this:

  • Go back to the beginning of Group Policy Management Editor
  • In the Group Policy Management Editor, go to Computer configuration, then Policies, and then Windows settings.
  • Click on Scripts (Startup/Shutdown)
  • Click on Startup
  • Click on Add
  • Script Name: C:\Program Files\MMASetup.cmd

This will ensure that the machines run the .cmd file, which contains the command to deploy the MMA agent on a machine.

4. Link the GPO to the OUs that contain the workstations and member servers

5. Here we can see that there are now two machines connected. As discussed before, it can take a while before a GPO has been processed.
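A startup script runs at every boot, so MMASetup.cmd as written re-launches the installer each time a machine starts. The script below is an added example, not part of the original post: a PowerShell version of the same startup script that only runs the installer when the agent is absent, adds the workspace through the agent's COM configuration object when the agent exists but is joined to a different workspace, and then confirms that the workspace appears in the agent configuration. It uses the same silent-install arguments as the post's .cmd; the installer path follows the post, while the workspace ID and key are placeholders to replace with your own and the log file path is invented. It can be added under the PowerShell Scripts tab of the Startup properties instead of the .cmd.

```powershell
# Added example, not from the original post. Runs as SYSTEM as a GPO startup script.
# Placeholders: $WorkspaceId and $WorkspaceKey; $logFile is an invented location.
param(
    [string]$Installer    = 'C:\Program Files\MMASetup-AMD64.exe',
    [string]$WorkspaceId  = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$WorkspaceKey = 'REPLACE_WITH_WORKSPACE_KEY'               # placeholder
)
$ErrorActionPreference = 'Stop'
$logFile = 'C:\Windows\Temp\MMASetup.log'

function Get-MmaWorkspaces {
    # The agent exposes its configuration through the AgentConfigManager.MgmtSvcCfg
    # COM object once it is installed; before that the object does not exist.
    try {
        $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
        return @($cfg.GetCloudWorkspaces())
    } catch { return @() }
}

# HealthService is the MMA service name; its presence means the installer already ran.
$agentService  = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue
$alreadyJoined = Get-MmaWorkspaces | Where-Object { $_.workspaceId -eq $WorkspaceId }

if ($agentService -and $alreadyJoined) {
    Add-Content $logFile "$(Get-Date -Format s) agent already joined to $WorkspaceId, nothing to do"
    return
}

if (-not $agentService) {
    # Same silent-install arguments the post uses in MMASetup.cmd. Note that the
    # workspace key is a credential: whoever can read this script can ship data to
    # the workspace, so restrict the share and the local copy accordingly.
    $inner = "setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=$WorkspaceId " +
             "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey AcceptEndUserLicenseAgreement=1"
    $proc = Start-Process -FilePath $Installer -ArgumentList "/C:`"$inner`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "MMASetup exited with code $($proc.ExitCode)" }
    Add-Content $logFile "$(Get-Date -Format s) installed MMA for workspace $WorkspaceId"
} else {
    # Agent present but not joined to our workspace: add it without reinstalling.
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $cfg.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $cfg.ReloadConfiguration()
    Add-Content $logFile "$(Get-Date -Format s) added workspace $WorkspaceId to existing agent"
}

# Verify: the workspace must now be listed in the agent configuration.
$ws = Get-MmaWorkspaces | Where-Object { $_.workspaceId -eq $WorkspaceId }
if (-not $ws) { throw "Workspace $WorkspaceId not present in agent configuration after install" }
Add-Content $logFile "$(Get-Date -Format s) workspace $WorkspaceId connection: $($ws.ConnectionStatusText)"
```

The connection status logged at the end may still read as pending on the very first boot, because the agent needs a moment to complete its first handshake; the "Agents management" blade in the portal is the authoritative count of connected machines, as the post shows in the next step.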

Configure Sysmon Events

The last part is configuring the Sysmon events, so we can query them centrally in Azure Sentinel.

  • Go to the Azure Portal
  • Click on “Log Analytics workspace”
  • Click on the created Log Analytics workspace
  • Click on “Advanced settings”
  • Click on “Data”
  • Click on “Go to Agents configuration”
  • Click on “Add windows event log”
  • Sysmon is not in the list by default, but just type “Microsoft-Windows-Sysmon/Operational” in the field and add it
  • Click on “Apply”

Query Sysmon Events

Last, but not least, we will now show that you can query the Sysmon events.

  • Go to the Azure Portal
  • Click on “Azure Sentinel”
  • Select your Log Analytics workspace
  • Go to “Logs”

Now run the following query:

Event
| where Source == "Microsoft-Windows-Sysmon"
| project TimeGenerated, Source, Computer, EventID, RenderedDescription
| limit 10

Result

In the sample result, we can see our Sysmon events.
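Both the "Configure Sysmon Events" clicks and the final query can be scripted, which matters once you manage more than one workspace. The following is an added example, not part of the original post: it uses the Az.OperationalInsights module to add the Sysmon channel as a Windows event data source if it is not there yet, and then runs the post's KQL (extended with a per-computer, per-event-ID breakdown) to confirm that events are arriving. It assumes Connect-AzAccount has already been run; the resource group and workspace names are placeholders.

```powershell
# Added example, not from the original post. Requires Az.OperationalInsights and a
# signed-in Az session. $ResourceGroup and $WorkspaceName are placeholders.
param(
    [string]$ResourceGroup = 'rg-sentinel-placeholder',
    [string]$WorkspaceName = 'law-sentinel-placeholder'
)
$ErrorActionPreference = 'Stop'
Import-Module Az.OperationalInsights

$channel = 'Microsoft-Windows-Sysmon/Operational'

# Look for an existing Windows event data source that already collects the Sysmon channel.
$existing = Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -Kind WindowsEvent |
    Where-Object { $_.Properties.EventLogName -eq $channel }

if (-not $existing) {
    # Sysmon writes Information-level events, so -CollectInformation is the switch
    # that matters; collecting only errors and warnings would return nothing in Sentinel.
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $WorkspaceName -Name 'Sysmon-Operational' -EventLogName $channel `
        -CollectErrors -CollectWarnings -CollectInformation | Out-Null
    Write-Output "Added $channel to $WorkspaceName"
} else {
    Write-Output "$channel is already collected by $WorkspaceName"
}

# Verify: run the post's query, summarised per computer and event ID, against the workspace.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$kql = @'
Event
| where Source == "Microsoft-Windows-Sysmon"
| where TimeGenerated > ago(1h)
| summarize Events = count() by Computer, EventID
| order by Computer asc, EventID asc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
if (-not $result.Results) {
    Write-Warning "No Sysmon events in the last hour; the agents may not have refreshed their configuration yet"
}
```

A machine that shows up with only a handful of event IDs, or that disappears from the breakdown while still reporting as connected under "Agents management", is worth checking with the verification script from the Sysmon section, since the agent and the Sysmon service fail independently.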
