I’m working on my initial deployment of the agent to my windows machines. I see references to a rapid7 “flavor” of sysmon, but I can’t find any real docs on exactly HOW to setup, WHERE to find the installer, or anything else other than “oh yeah this thing exists and you should use it!”.
Has anyone here actually deployed sysmon using the R7 installer? Or is this a vaporware sort of thing?
Hey Scott! We at Rapid7 do use Sysmon to ingest events (currently EIDs 1, 25 and 8). Sorry that the docs are not clear on how to set it up. We will improve that.
But to answer your questions, there is no setup needed. We have a process internally to deploy Sysmon (and configure it) automatically to any orgs with a valid IDR license, and Insight Agent auto updates turned ON. We have been delayed since April in this process because of a couple of issues including the new Sysmon vulnerability in Sysmon 14.13 and upgrading assets to Sysmon 14.16 (which is in progress but not including servers yet, more info here: Insight Agent Release Notes)
I will reach out to you by email to let you know about the status of the Sysmon deployment to your org specifically.
Hey Marco,
Any future plans to provide visibility under agent management if the Sysmon component has been installed on an endpoint and/if the option to opt-out of this feature for all or select group of agents?
Appreciate the feedback!
Hey @marco_botros1 - haven’t heard from you yet but wanted to check and see if you had additional detail. I also pointed the support engineer working my case to this thread as well so not sure if you’ve linked up internally or where things stand.
Hey @ciscoguru can you check for an email yesterday at 11:25am or so? It might be in the junk/spam folder. I will also double check if I have the right email. I will also try to connect via the support ticket too.
Hey @mraeymaekers sadly there are no immediate plans to do this. We hope we can tackle it in the future, but we don’t have any plans at the moment for it.
For the ask about opting out of Sysmon for a set of assets, can we jump on a call, so I can understand the use case better and may be there are some manual steps we can provide in the background that can help alleviate some of the issues there?
Hi Marco,
Good to know that this can be modified manually, as of this moment no specific use cases but we have gotten the questions during prospects.
Thanks for this @marco_botros1. Not sure what happened with the email but my support engineer did pass along what you said along with the additional background on the hold for Sysmon and everything else. Thanks again for the assist!
Got it, no problem!
Great! yah not sure either! Glad I could help!