This repo speeds up deploying Sysmon v13 (with Olaf Hartong's config.xml) and Winlogbeat 7.17.1 (with winlogbeat.yml).
https://github.com/olafhartong/sysmon-modular
https://www.elastic.co/downloads/past-releases/winlogbeat-7-16-2
Download both folders and extract all contents.
The folder "seconion" can be placed in "C:\Windows\Temp" and executed with the included light-weight-agent-deployment.ps1 file.
The folder "seconion(With_bat_file)" can also be placed in "C:\Windows\Temp" and executed with the start-scripts-sysmon-seconionbeat.ps1 file, which kicks off the batch script "seconionbeat-deploy-script.bat". Note: rename the folder "seconion(With_bat_file)" to "seconion" before running the ps1 file.
The PowerShell script installs both Sysmon and seconionbeat (aka "winlogbeat").
Note: You can name the beat agent and yml file whatever you like. Make sure to edit the scripts with the proper file locations and naming convention so that the binaries install properly.
Before installing, change the IP of the SIEM you will be sending Windows event logs to in the winlogbeat yml file.
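As an added example (not one of the repo's own scripts), the deployment sequence above in PowerShell: it refuses to run while the yml still carries a placeholder SIEM address, installs or reloads Sysmon with the config, validates winlogbeat.yml, and registers the beat as an automatic service. File names, the extracted Winlogbeat folder name, the "seconionbeat" service name and the placeholder pattern are assumptions.

```powershell
# Added example, not the repo's script. Assumed layout under C:\Windows\Temp\seconion:
#   Sysmon64.exe, sysmonconfig.xml, winlogbeat-7.17.1-windows-x86_64\winlogbeat.yml
$ErrorActionPreference = 'Stop'
$Base      = 'C:\Windows\Temp\seconion'
$SysmonExe = Join-Path $Base 'Sysmon64.exe'
$SysmonCfg = Join-Path $Base 'sysmonconfig.xml'
$BeatDir   = Join-Path $Base 'winlogbeat-7.17.1-windows-x86_64'
$BeatYml   = Join-Path $BeatDir 'winlogbeat.yml'
$BeatName  = 'seconionbeat'                      # service name; rename to taste
$InstallTo = "C:\Program Files\$BeatName"

# 1. Stop early if the output hosts were never changed from a placeholder/loopback value.
$yml = Get-Content -Path $BeatYml -Raw
if ($yml -match 'hosts:\s*\[\s*"?(127\.0\.0\.1|localhost|CHANGE_ME)[^\]]*\]') {
    throw "Edit the output hosts in $BeatYml to your SIEM IP before deploying."
}

# 2. Sysmon: fresh install with the config, or only reload the config if already present.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $SysmonCfg
} else {
    & $SysmonExe -accepteula -i $SysmonCfg
}

# 3. Winlogbeat: copy the binaries, validate the config, then register the service.
New-Item -ItemType Directory -Path $InstallTo -Force | Out-Null
Copy-Item -Path (Join-Path $BeatDir '*') -Destination $InstallTo -Recurse -Force
$exe = Join-Path $InstallTo 'winlogbeat.exe'
$cfg = Join-Path $InstallTo 'winlogbeat.yml'
& $exe test config -c $cfg -path.home $InstallTo
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation; not installing the service.' }

if (-not (Get-Service -Name $BeatName -ErrorAction SilentlyContinue)) {
    $data = "C:\ProgramData\$BeatName"
    $bin  = "`"$exe`" -c `"$cfg`" -path.home `"$InstallTo`" -path.data `"$data`" -path.logs `"$data\logs`""
    New-Service -Name $BeatName -DisplayName $BeatName -BinaryPathName $bin -StartupType Automatic | Out-Null
}
Start-Service -Name $BeatName

# 4. Confirm both services are running before leaving the host.
Get-Service -Name 'Sysmon64', $BeatName | Select-Object Name, Status
```

Run from an elevated PowerShell; the `test config` step catches a malformed yml before a half-registered service is left behind.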