Configure Windows endpoints

Configure your Windows endpoints for use with the IBM® QRadar® Endpoint Content Extension.

Procedure

Install and configure Sysmon on your Windows endpoints.
1. Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
2. Extract the .zip file.
3. Download the Sysmon configuration from SwiftonSecurity (https://github.com/SwiftOnSecurity/sysmon-config) to the same directory to which you downloaded Sysmon.
4. Tune Sysmon Event ID 1 in the configuration to exclude any processes you don't want to monitor.
5. Tune Sysmon Event ID 7 in the configuration to include images (.dll) to monitor.
  Monitoring images can cause a high system load.
6. Tune Sysmon Event ID 12, 13 and 14 in the configuration to include common UAC bypass registry keys by adding the following rules for registry events.
```

<RegistryEvent onmatch="include">
	<TargetObject condition="contains">\Environment\</TargetObject> 	
	<TargetObject condition="contains">\CurVer</TargetObject> 		
	<TargetObject condition="contains">\URL Protocol</TargetObject> 	
	<TargetObject condition="contains">\ICM\Calibration</TargetObject> 	
</RegistryEvent>
```
7. Install Sysmon with the configuration.
  - For a 32-bit system, navigate to the directory that you downloaded Sysmon to and type the following command:
```
sysmon.exe -accepteula -i sysmonconfig-export.xml
```
  - For a 64-bit system, navigate to the directory that you downloaded Sysmon to and type the following command:
```
sysmon64.exe -accepteula -i sysmonconfig-export.xml
```
Enable audit process tracking in Local Security Policy.
Enable Powershell auditing with Script Block Logging.

What to do next

If your Syslog logs are getting cut off, increase the maximum payload size.