Monitoring mgmt01 - serate-actual/sec350final GitHub Wiki

Summary

Install Sysmon

  • Download Sysmon from the Sysinternals site
  • Download the SwiftOnSecurity sysmonconfig
  • Unzip the Sysmon file and run this command from an elevated command prompt, pointing it at the downloaded config file:
    • Sysmon.exe -accepteula -i <config file.xml>

Install Splunk Universal Forwarder

  • Download the Universal Forwarder
  • Run the installer
  • Set the deployment server and the receiving indexer to 10.0.5.10
    • Use the default ports
  • Select the custom options
  • Select Local Account
  • Select all the check boxes for Windows Event Logs, Windows Performance, and Active Directory
  • Set it to monitor the downloads folder
  • Edit the file at C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
  • Add these lines to the file so the forwarder picks up the Sysmon event log:

    [WinEventLog://Microsoft-Windows-Sysmon/Operational]
    disabled = false
    renderXml = true
    source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

  • Restart the SplunkForwarder service so the new input takes effect
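The following PowerShell script is an added example, not part of the sec350final wiki, that carries out both procedures above (the Sysmon install and the Universal Forwarder install with the Sysmon inputs.conf stanza) unattended and then checks that events are flowing. The download locations under C:\Temp, the MSI file name, the Downloads folder path and the sysmonconfig-export.xml file name are assumptions; the indexer address 10.0.5.10 and the inputs.conf stanza are taken from the page.

```powershell
# Added example (not from the sec350final wiki): automate the Sysmon and
# Splunk Universal Forwarder steps on a Windows host, then verify them.
# Assumptions: Sysmon.zip, the SwiftOnSecurity config and the forwarder MSI
# have already been downloaded to C:\Temp; the indexer/deployment server is
# 10.0.5.10 as stated on the page.
#Requires -RunAsAdministrator

$SysmonZip    = 'C:\Temp\Sysmon.zip'                 # assumed download location
$SysmonDir    = 'C:\Temp\Sysmon'
$SysmonConfig = 'C:\Temp\sysmonconfig-export.xml'    # SwiftOnSecurity config file name
$ForwarderMsi = 'C:\Temp\splunkforwarder.msi'        # assumed MSI file name
$DownloadsDir = "$env:USERPROFILE\Downloads"         # assumed folder to monitor
$SplunkHome   = 'C:\Program Files\SplunkUniversalForwarder'
$InputsConf   = Join-Path $SplunkHome 'etc\system\local\inputs.conf'
$Indexer      = '10.0.5.10'

# --- Sysmon ---------------------------------------------------------------
Expand-Archive -Path $SysmonZip -DestinationPath $SysmonDir -Force
$sysmonExe = Join-Path $SysmonDir 'Sysmon64.exe'
if (-not (Test-Path $sysmonExe)) { $sysmonExe = Join-Path $SysmonDir 'Sysmon.exe' }

if (Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue) {
    # Already installed: load the (possibly updated) config instead of reinstalling.
    & $sysmonExe -c $SysmonConfig
} else {
    & $sysmonExe -accepteula -i $SysmonConfig
}

# --- Splunk Universal Forwarder -------------------------------------------
# Quiet install using Splunk's documented MSI properties. Ports 8089 and 9997
# are the installer defaults. Recent forwarder versions may also require
# SPLUNKUSERNAME/SPLUNKPASSWORD for a quiet install; add them if your build does.
$msiArgs = @(
    '/i', "`"$ForwarderMsi`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=${Indexer}:8089",
    "RECEIVING_INDEXER=${Indexer}:9997",
    'WINEVENTLOG_APP_ENABLE=1', 'WINEVENTLOG_SEC_ENABLE=1', 'WINEVENTLOG_SYS_ENABLE=1',
    "MONITOR_PATH=`"$DownloadsDir`"",
    '/quiet'
)
Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -NoNewWindow

# --- inputs.conf: append the Sysmon stanza from the wiki if it is missing ---
$stanza = @'

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
'@
if (-not (Test-Path $InputsConf)) { New-Item -ItemType File -Path $InputsConf -Force | Out-Null }
if (-not (Select-String -Path $InputsConf -SimpleMatch 'Microsoft-Windows-Sysmon/Operational' -Quiet)) {
    Add-Content -Path $InputsConf -Value $stanza
}

Restart-Service -Name 'SplunkForwarder'

# --- Verification ---------------------------------------------------------
# 1. Sysmon is writing to its own log (event ID 1 = process create).
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($recent) { "Sysmon OK: last process-create event at $($recent.TimeCreated)" }
else         { Write-Warning 'No Sysmon events found yet' }

# 2. The forwarder holds an established TCP session to the indexer on 9997.
$conn = Get-NetTCPConnection -RemoteAddress $Indexer -RemotePort 9997 -State Established -ErrorAction SilentlyContinue
if ($conn) { "Forwarder OK: connected to ${Indexer}:9997" }
else       { Write-Warning 'Forwarder is not connected to the indexer; check the service and firewall' }
```

Run it once from an elevated PowerShell session on the host. The stanza is only appended when it is not already present, so re-running the script after a config change is safe, and the two checks at the end are the ones worth repeating whenever the host stops showing up in Splunk searches.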