This role installs Sysmon64.exe on Windows or sysmonforlinux from the Microsoft Linux package repositories, and starts the service.
Currently, this role ships two configurations:
- A modified main.xml adding new rules to the original.
- v74 of SwiftOnSecurity/sysmon-config
You can include your own configuration, or use one of the templates linked below to build one. The MSTIC (Microsoft Threat Intelligence Center) repo provides a way to build a config file similar to how Olaf Hartong's sysmon-modular works, combining rules into a single config file based on MITRE ATT&CK detections.
- MSTIC Sysmon Configuration Files (Linux)
- Azure Sentinel + Sysmon for Linux Environment
- olafhartong: Sysmon for Linux
Follow (tail) logs with:
sudo tail -F -n0 /var/log/syslog | sudo /opt/sysmon/sysmonLogView
sudo journalctl -f | sudo /opt/sysmon/sysmonLogView
Or use the Tail-EventLogs PowerShell cmdlet.
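As an added example (not part of this role or of Sysmon itself), a small Python parser that turns the syslog lines tailed above into structured events without sysmonLogView. It assumes sysmonforlinux writes each event as a single syslog line tagged `sysmon:` whose message body is the event XML; the sample lines below are constructed for this example.

```python
"""Parse Sysmon for Linux events out of syslog lines (added example)."""
import re
import xml.etree.ElementTree as ET

# Assumed line shape: <any syslog timestamp> <host> sysmon[pid]: <Event>...</Event>
# The lazy prefix makes the regex agnostic to BSD vs. ISO timestamp formats.
SYSLOG_RE = re.compile(
    r"^.*?\s(?P<host>\S+)\s+sysmon(?:\[\d+\])?:\s*(?P<xml><Event>.*</Event>)\s*$"
)

# Constructed sample lines (not real captures): EventID 1 = process create,
# EventID 3 = network connection, plus one unrelated syslog line to be skipped.
SAMPLE_LINES = [
    'Jan 10 12:00:01 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>1</EventID></System><EventData>'
    '<Data Name="RuleName">-</Data><Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl http://example.invalid/x</Data>'
    '<Data Name="User">alice</Data><Data Name="ParentImage">/usr/bin/bash</Data>'
    '</EventData></Event>',
    'Jan 10 12:00:02 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>3</EventID></System><EventData>'
    '<Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">192.0.2.10</Data>'
    '<Data Name="DestinationPort">80</Data></EventData></Event>',
    'Jan 10 12:00:03 lab systemd[1]: Started Session 5 of user alice.',
]


def parse_line(line):
    """Return {'host', 'event_id', 'data'} for a Sysmon line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group("xml"))
    except ET.ParseError:
        return None  # truncated or wrapped event: skip it rather than crash
    event_id = root.findtext("./System/EventID")
    if event_id is None:
        return None
    # EventData is a flat list of <Data Name="..."> elements; fold it into a dict.
    data = {d.get("Name"): (d.text or "") for d in root.findall("./EventData/Data")}
    return {"host": m.group("host"), "event_id": int(event_id), "data": data}


def events(lines, event_ids=None):
    """Parse every Sysmon event in lines, optionally keeping only some EventIDs."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and (event_ids is None or ev["event_id"] in event_ids):
            out.append(ev)
    return out


if __name__ == "__main__":
    import sys  # e.g. sudo tail -F -n0 /var/log/syslog | python3 this_script.py
    for ev in events(sys.stdin, event_ids={1, 3}):
        print(ev["event_id"], ev["data"].get("Image"), ev["data"].get("CommandLine", ""))
```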
Either Windows or a supported Linux distribution. Most Debian and Red Hat family OSes are supported.
IMPORTANT: On recent versions of Fedora, sysmonforlinux and powershell are not available through Microsoft's feed for Fedora. However, both of these packages can be installed from Microsoft's feed for RHEL. USE THIS AT YOUR OWN RISK. Both packages were tested in a lab environment on Fedora 40, from RHEL 9's package feed.
If you plan to build your rules using the MSTIC-Sysmon repo, you will need PowerShell installed on the machine where you plan to build the config file. This can be Ubuntu or any supported Linux distro.
config_file_present: "true"
Default is set to true. To install your own, replace files/config-[system].xml in this role.
This role depends on the configure_microsoft_repos role executing when the target system is Linux.
Playbook file:

    - name: "Default Playbook"
      hosts: all
      roles:
        - role: configure_microsoft_repos
        - role: install_sysmon
Run with:
ansible-playbook -i <inventory> --ask-become-pass -v ./playbook.yml
- MIT (straysheep-dev)
- MIT (Microsoft Corporation)
- Creative Commons Attribution 4.0 (SwiftOnSecurity)