More Sysmon Data

How can we collect more Sysmon EIDs other than the defaults the Insight Agent collects?

Example:
We want to start monitoring Named Pipes (Sysmon EID: 17 and 18).

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-17-pipeevent-pipe-created

How can we configure the agents to send those EID?

The only way to collect additional Sysmon events would be to switch to self-managed Sysmon, as outlined here: "Sysmon Installer and Events Monitor - how the Insight Agent implements these components for use with InsightIDR and MDR" (Insight Agent Documentation).

And then you would regain control of the Sysmon configuration, at which point you can configure whichever additional events you like.

However, Events Monitor is the log shipper for Sysmon (to Rapid7), and Events Monitor is hardcoded to only collect these events:

  • Event ID 1: Process creation (referred to as Process Starts in Log Search)
  • Event ID 3: Network connection
  • Event ID 8: CreateRemoteThread
  • Event ID 10: ProcessAccess
  • Event ID 13: RegistryEvent (Value Set)
  • Event ID 25: ProcessTampering (Process image change)

Anything outside of this list is not going to be collected, even if it is being logged by a self-managed Sysmon configuration.

In order to collect events 17 and 18 you would need to do so yourself, out of band of the Insight Agent, which would typically mean using NXLog or a PowerShell script to collect and transmit those events.

David

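As an added illustration of the out-of-band PowerShell approach David describes (this is example code, not Rapid7 or Insight Agent code): the script below reads Sysmon EID 17 and 18 from the standard Sysmon operational channel, flattens each event's fields to JSON lines, and ships them over TCP. It assumes a self-managed Sysmon whose configuration includes a PipeEvent rule, and a hypothetical JSON-lines TCP listener; `collector.example.internal`, port `5140` and the state-file path are placeholders.

```powershell
# Added example (not Insight Agent / Events Monitor code): forward Sysmon
# named-pipe events (EID 17 = pipe created, EID 18 = pipe connected) out of band.
# Assumes a self-managed Sysmon config that logs pipe events, e.g. a RuleGroup
# containing <PipeEvent onmatch="exclude" /> (logs all pipe events), and a
# hypothetical JSON-lines TCP collector. Run under an account that can read
# the Sysmon channel (local admin or Event Log Readers).
param(
    [string]$CollectorHost = 'collector.example.internal',   # placeholder
    [int]$CollectorPort    = 5140,                           # placeholder
    [string]$StateFile     = "$env:ProgramData\PipeEventShipper\last_record.txt"
)

$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Resume from the last forwarded EventRecordID so a restart neither skips nor duplicates events.
$lastRecordId = 0
if (Test-Path $StateFile) {
    $lastRecordId = [int64](Get-Content -Path $StateFile -ErrorAction SilentlyContinue)
}

function ConvertFrom-SysmonPipeEvent {
    # Flatten one Sysmon event record into an ordered hashtable for JSON output.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    $xml = [xml]$Event.ToXml()
    $record = [ordered]@{
        RecordId    = $Event.RecordId
        EventId     = $Event.Id
        EventType   = if ($Event.Id -eq 17) { 'PipeCreated' } else { 'PipeConnected' }
        TimeCreated = $Event.TimeCreated.ToUniversalTime().ToString('o')
        Computer    = $Event.MachineName
    }
    # Sysmon writes its fields as <Data Name="PipeName">...</Data> etc.;
    # copy every one (PipeName, Image, ProcessId, ProcessGuid, User, ...) verbatim.
    foreach ($d in $xml.Event.EventData.Data) {
        $record[$d.Name] = $d.'#text'
    }
    return $record
}

# Only EID 17/18, only records newer than the last one we shipped, oldest first.
$xpath  = "*[System[(EventID=17 or EventID=18) and (EventRecordID > $lastRecordId)]]"
$events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue

if ($events) {
    $client = [System.Net.Sockets.TcpClient]::new($CollectorHost, $CollectorPort)
    $writer = [System.IO.StreamWriter]::new($client.GetStream())
    try {
        foreach ($e in $events) {
            # One compact JSON object per line, the shape most log collectors ingest directly.
            $writer.WriteLine(((ConvertFrom-SysmonPipeEvent -Event $e) | ConvertTo-Json -Compress))
            $lastRecordId = $e.RecordId
        }
        $writer.Flush()
    }
    finally {
        $writer.Dispose()
        $client.Dispose()
        # Persist the checkpoint even if the send failed part-way; the next run resumes from here.
        New-Item -ItemType Directory -Path (Split-Path -Path $StateFile) -Force | Out-Null
        Set-Content -Path $StateFile -Value $lastRecordId
    }
}
```

Scheduled every few minutes as a task, this gives you the named-pipe telemetry that Events Monitor drops, while the Insight Agent keeps handling the six hardcoded IDs. Swapping the TCP writer for NXLog's `im_msvistalog` input with the same XPath query achieves the same result without custom code.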