# Getting the Windows Data You Need

### References:

<https://gist.github.com/silentbreaksec/8972f8c9dce151aebbef0a58313f3971>\
<https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities>\
We recommend you review the [Windows Logging Cheat Sheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5c586681f4e1fced3ce1308b/1549297281905/Windows+Logging+Cheat+Sheet_ver_Feb_2019.pdf) and tune logs as needed.

## Sysmon Install through GPO

Step 1. Create a Sysmon folder under the SYSVOL share on your DC. SYSVOL replicates to every DC and is readable by Authenticated Users (which includes computer accounts), so a startup script running as SYSTEM can reach it from any client.

![](/files/-MCw285lSdy269WL0S8v)

Step 2. Download Sysmon from [Microsoft](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities) and place both sysmon.exe and sysmon64.exe in the newly created Sysmon folder.

Step 3. Download a sample Sysmon config from [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config), rename the file to sysmonConfig.xml and place it within the Sysmon folder. Review the config before deploying it: it is a starting point, and the exclusions it ships with should match your environment.

Step 4. Enter the appropriate values for your DC and domain FQDN in the [batch](https://gist.github.com/silentbreaksec/8972f8c9dce151aebbef0a58313f3971) file, so that it resolves the folder as `\\<DC>\SYSVOL\<FQDN>\Sysmon`.

Step 5. Create a GPO that will launch this batch file on startup.

Navigate to Group Policy Management

![](/files/-MCwC0a2xi-Zg4sj8YhT)

Create GPO

![](/files/-MCwCBNffEE0ozHNbq39)

Name the GPO

![](/files/-MCwCRerYnYxaemYf_oy)

Edit GPO

![](/files/-MCwCwhuFd7tAbM9PwjE)

Navigate to StartUp Script

![](/files/-MCwDBuuk0iz9aPLAEyu)

Add Batch Script

![](/files/-MCwDZ2QNCop9VZnmIBb)

Enforce newly created GPO

![](/files/-MCwDugH11FEmpVLL5p_)

Step 6. Apply the GPO to your specified OUs. \
Step 7. Force GPO Update

![](/files/-MCwMtaXkq8y6iz3mnKf)

If you get the following error:

![](/files/-MCwMpt0hUbEN7m2F_O3)

Make sure you allow the following firewall rules in your Starter GPOs. A remote group policy update from GPMC creates a scheduled task on each client over RPC/WMI, so the clients need the inbound Remote Scheduled Tasks Management and WMI rules enabled or the update fails with this error.

![](/files/-MCwNHCnvh3u439irHlN)

Another method is to run the update and report commands directly on the client (`gpupdate /force` to refresh policy, then `gpresult /h <report>.html` to write the result to an HTML report):

![](/files/-MD-iiRCZGW2purr-OZK)

You'll be able to view the group policy update results in the HTML file, including whether the Sysmon GPO was applied and which startup scripts ran.

### Second method to install Sysmon through GPO

1. Create and link the GPO as mentioned above, but this time you'll be creating a scheduled task (Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks)

![](/files/-MD-rlAeh9VGD0JeW529)

2\. Name the task and set it to run as NT AUTHORITY\SYSTEM so the install has the rights it needs to register the driver and service

![](/files/-MD-s-whvUXeAwNnNGZt)

3\. Create Trigger

![](/files/-MD-sFoFlK6dI_f_hXzy)

4\. Create the Action (the step that launches the batch file)

![](/files/-MD-sb_rqyGqjbP8HECN)

You can browse and add the batch file, but if the dialog crashes when the file is selected, manually type in the path to the file: `\\<DC>\SYSVOL\<FQDN>\<Sysmon Folder>\<SysmonInstall.bat>`

5\. Apply the GPO to your specified OUs.\
6\. Force GPO Update

After a restart, you should see sysmon.exe or sysmon64.exe running as a service (the service is named Sysmon or Sysmon64 after the binary). Logs can be found in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.

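The batch file from the gist is not reproduced on this page. The script below is an added example written for this page, not the gist's code and not part of the original: it does the same job as the batch file, for either the startup-script GPO or the scheduled-task GPO, in an idempotent way (install when the Sysmon service is missing, otherwise re-apply the config only when the copy in SYSVOL changed), and ends with the post-reboot check described above. The share path, the local cache folder under ProgramData, and the example DC and FQDN are assumptions; adjust them to your domain.

```powershell
# Added example: idempotent Sysmon install/update from the SYSVOL folder.
# Not the gist's batch file. Share path, cache folder and host names are assumptions.
$ErrorActionPreference = 'Stop'

$Share      = '\\DC01\SYSVOL\corp.example.local\Sysmon'   # \\<DC>\SYSVOL\<FQDN>\Sysmon, adjust
$ConfigName = 'sysmonConfig.xml'                           # name chosen in Step 3
$Cache      = Join-Path $env:ProgramData 'Sysmon'          # local copy of the last applied config (assumption)

# 64-bit hosts get sysmon64.exe. Sysmon names its service after the binary
# (Sysmon64 or Sysmon), so the same value drives the service check below.
$Exe         = if ([Environment]::Is64BitOperatingSystem) { 'sysmon64.exe' } else { 'sysmon.exe' }
$ServiceName = [IO.Path]::GetFileNameWithoutExtension($Exe)
$Installer   = Join-Path $Share $Exe
$RemoteCfg   = Join-Path $Share $ConfigName
$LocalCfg    = Join-Path $Cache $ConfigName

function Get-Sha256 ([string]$Path) { (Get-FileHash -Path $Path -Algorithm SHA256).Hash }

function Install-OrUpdateSysmon {
    if (-not (Test-Path $Cache)) { New-Item -ItemType Directory -Path $Cache | Out-Null }

    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        # Fresh install. -accepteula is mandatory for unattended runs, -i installs with a config.
        & $Installer -accepteula -i $RemoteCfg | Out-Null
        Copy-Item -Path $RemoteCfg -Destination $LocalCfg -Force
        return 'installed'
    }

    # Already installed: push the config again only when SYSVOL holds a different file.
    if ((Test-Path $LocalCfg) -and ((Get-Sha256 $RemoteCfg) -eq (Get-Sha256 $LocalCfg))) {
        return 'unchanged'
    }
    & $Installer -c $RemoteCfg | Out-Null
    Copy-Item -Path $RemoteCfg -Destination $LocalCfg -Force
    return 'config-updated'
}

function Test-SysmonHealthy {
    # The checks the page describes after the reboot: service running and events
    # arriving in Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        StartTime = (Get-Date).AddMinutes(-15)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool]$recent
}

$state = Install-OrUpdateSysmon
Write-Output ("Sysmon {0}; healthy={1}" -f $state, (Test-SysmonHealthy))
```

Save it next to the binaries in the Sysmon folder and point the GPO at it, either on the PowerShell Scripts tab of the startup script (instead of the batch file) or as the scheduled task action `powershell.exe -ExecutionPolicy Bypass -File \\<DC>\SYSVOL\<FQDN>\Sysmon\SysmonInstall.ps1`. Because the script runs at every boot, the hash comparison keeps it from rewriting an unchanged config and generating a spurious config-change event each time.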
## Setting up Audit Policy

Go to the Default Domain Policy and update the Audit Policies (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration). We recommend you review the [Windows Logging Cheat Sheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5c586681f4e1fced3ce1308b/1549297281905/Windows+Logging+Cheat+Sheet_ver_Feb_2019.pdf) and tune the audit policy based on what you need/want.

![](/files/-MD01qwPXkji-ZsZvkP4)

Don't worry too much about log size, as we will be forwarding these logs to a SIEM; do give the Security log enough headroom (the cheat sheet suggests raising it well above the default) so that a forwarder outage or a burst of events does not overwrite entries before they are shipped. Monitoring files and registry keys will also be done by Sysmon, so there is no need to enable object access auditing for those.

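An added example, not from the page or the cheat sheet: a baseline of the subcategories the cheat sheet singles out, a function that applies it on a single host with auditpol for testing, and a drift check that compares the live policy against the baseline. In production the settings belong in the Default Domain Policy as described above; the drift check is still the quickest way to confirm the GPO actually landed on a host. The subcategory list, the 1 GB Security log size and the registry values are this example's choices and assumptions, not settings the page prescribes.

```powershell
# Added example: apply and verify an advanced audit policy baseline on one host.
# The baseline below is this example's selection, tune it to your needs.
$Baseline = @{
    'Credential Validation'      = 'Success and Failure'
    'Logon'                      = 'Success and Failure'
    'Logoff'                     = 'Success'
    'Special Logon'              = 'Success'
    'Account Lockout'            = 'Success and Failure'
    'User Account Management'    = 'Success and Failure'
    'Security Group Management'  = 'Success and Failure'
    'Process Creation'           = 'Success'
    'Process Termination'        = 'Success'
    'Audit Policy Change'        = 'Success and Failure'
    'Sensitive Privilege Use'    = 'Success and Failure'
    'Other Object Access Events' = 'Success and Failure'   # scheduled task creation (4698)
}
$SecurityLogBytes = 1GB   # example size; the default is far smaller

function Set-AuditBaseline {
    # Subcategory settings only take effect when the legacy category policy is overridden.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
    # Put the command line into 4688 events; without it process creation auditing is of little use.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    foreach ($sub in $Baseline.Keys) {
        $success = if ($Baseline[$sub] -like 'Success*') { 'enable' } else { 'disable' }
        $failure = if ($Baseline[$sub] -like '*Failure') { 'enable' } else { 'disable' }
        auditpol.exe /set "/subcategory:$sub" "/success:$success" "/failure:$failure" | Out-Null
    }
    # Headroom so events survive until the forwarder ships them.
    wevtutil.exe sl Security "/ms:$SecurityLogBytes"
}

function Get-AuditDrift {
    # auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting (blank lines are dropped first).
    $live = auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($sub in $Baseline.Keys) {
        $row    = $live | Where-Object { $_.Subcategory -eq $sub }
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'missing' }
        if ($actual -ne $Baseline[$sub]) {
            [pscustomobject]@{ Subcategory = $sub; Expected = $Baseline[$sub]; Actual = $actual }
        }
    }
}

# Usage (elevated): apply on a test host, then list anything that still differs.
Set-AuditBaseline
$drift = @(Get-AuditDrift)
if ($drift.Count -eq 0) { Write-Output 'Audit policy matches baseline' } else { $drift | Format-Table -AutoSize }
```

Run `Get-AuditDrift` alone on a domain-joined host after the GPO refresh: an empty result means the Default Domain Policy delivered what you configured, while rows with `Actual = No Auditing` usually mean the subcategory override was not set or a lower-priority policy was overwritten by a conflicting one.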
## Splunk Forwarder Deployment via GPO

1. Download the [Splunk Windows MSI](https://www.splunk.com/en_us/download/splunk-enterprise.html) for the universal forwarder and the Windows SDK, which includes [Orca](https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe), the MSI table editor used to build the transform.
2. Open the MSI file with Orca, select Transform > New Transform, and add the Splunk install info.

![](/files/-MD0kmjkaWYMKmJUa5ci)

In the Property table, change AGREETOLICENSE to Yes.\
Add Row -> SPLUNKUSERNAME, SPLUNKPASSWORD, DEPLOYMENT\_SERVER (host:port of your deployment server)

Additional rows can be added for any of the flags documented in <https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline>. Keep in mind that the MST stores SPLUNKPASSWORD in clear text and every computer that installs the package must be able to read the share, so anyone who can read that share can recover the forwarder admin password; restrict the share ACL accordingly.

3\. Transform -> Generate Transform -> \<SplunkForwarder.mst>\
Move the MST and MSI to a shared folder for the GPO to access. Domain Computers (or Authenticated Users) need Read on both the share and NTFS permissions, because software installation runs under the computer account at boot.

![](/files/-MD0qMiVdQWhjKL_XeMl)

4\. Create GPO!\
We are creating a Software Installation GPO (Computer Configuration > Policies > Software Settings > Software installation), but we need to select the Advanced radio button under deployment method, because only the Advanced dialog exposes the Modifications tab where the MST is attached.

![](/files/-MD0nyMkD6k9eAsUYGVN)

Add a new package, select the MSI file in the shared folder by its UNC path, then under Modifications add the MST file so that the install picks up the license acceptance, credentials and deployment server from the transform.

![](/files/-MD0rUyQcKD0B4iPyWci)

Verify the file path is the network share (UNC) path, not a mapped drive letter: the client installs the package at boot as the computer account, which has no drive mappings and must be able to reach the share directly.

![](/files/-MD0rI6a5WmvnEfww2Mj)

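Before building the transform and linking the GPO, it is worth installing the forwarder once by hand with the same properties, which surfaces a wrong deployment server or a rejected password on one machine instead of across an OU. The script below is an added example, not Splunk's code and not part of the original page: it runs msiexec with the properties the transform carries and then checks the result. The share path, deployment server and credentials are placeholders; the service name `SplunkForwarder` and the install path under Program Files are the forwarder's defaults, and the location of deploymentclient.conf under etc\system\local is assumed.

```powershell
# Added example: install the universal forwarder with the same properties as the MST,
# then verify the service and the deployment-client target. Values are placeholders.
$Msi              = '\\DC01\Share\splunkforwarder.msi'
$DeploymentServer = 'splunk-ds.corp.example.local:8089'
$AdminUser        = 'splunkadmin'
$AdminPassword    = 'ChangeMe-LongRandom'   # lands in the MST in clear text; restrict the share
$LogFile          = Join-Path $env:TEMP 'uf-install.log'

function Install-UniversalForwarder {
    # Same property names that go into the transform's Property table.
    $props = @(
        'AGREETOLICENSE=Yes',
        "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
        "SPLUNKUSERNAME=`"$AdminUser`"",
        "SPLUNKPASSWORD=`"$AdminPassword`""
    )
    $args = @('/i', "`"$Msi`"") + $props + @('/quiet', '/l*v', "`"$LogFile`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
    return $proc.ExitCode   # 0 = success, 3010 = success but reboot required
}

function Test-UniversalForwarder {
    $svc  = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
    $conf = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder\etc\system\local\deploymentclient.conf'
    $target = $null
    if (Test-Path $conf) {
        # Expected form: [target-broker:deploymentServer] / targetUri = host:port
        $line = Get-Content $conf | Where-Object { $_ -match '^\s*targetUri\s*=' } | Select-Object -First 1
        if ($line) { $target = ($line -split '=', 2)[1].Trim() }
    }
    [pscustomobject]@{
        ServiceRunning   = [bool]($svc -and $svc.Status -eq 'Running')
        DeploymentTarget = $target
        TargetMatches    = ($target -eq $DeploymentServer)
    }
}

# Usage (elevated): install, then inspect the outcome; read $LogFile on a non-zero exit code.
$code = Install-UniversalForwarder
Write-Output "msiexec exit code: $code"
Test-UniversalForwarder | Format-List
```

If the service runs but `TargetMatches` is false, the DEPLOYMENT_SERVER value is wrong or was not applied, which is the same failure you would otherwise only notice when no host shows up as a client on the deployment server after the GPO rollout.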
