Centralized Sysmon Configuration Management with Copilot and Wazuh
In modern Windows endpoint monitoring, Sysmon (System Monitor) stands as a vital tool for gathering telemetry. However, managing its configuration files — especially across multiple customer environments — can be a daunting task. Today, I’ll walk you through how we can streamline Sysmon configuration management using Copilot and Wazuh, while leveraging custom scripts for dynamic updates.
Why Sysmon and Why Centralized Management?
Sysmon provides detailed event data about process creations, network connections, registry modifications, and more. However, its configuration files can quickly become complex, especially when different clients run different software, whether security agents such as Carbon Black and CrowdStrike or common applications such as Adobe products.
Traditionally, updating Sysmon configurations requires manual edits and service restarts. But with Copilot, we can:
- Manage Sysmon configurations centrally for multiple tenants.
- Dynamically update configurations and apply changes live.
- Exclude noisy events from known software to reduce log volume.
The Solution: Copilot + Wazuh + Custom Scripts
1. Setting Up Wazuh Utils
First, clone the public Wazuh-Utils repository, which contains scripts to reload Sysmon configurations on endpoints:
GitHub Repo: https://github.com/socfortress/WAZUH-UTILS
- run_sysmon_config_reload.cmd
- sysmon_config_reload.ps1
These scripts trigger a live reload of Sysmon’s configuration without restarting the service or rebooting the system.
2. Deploying Scripts to Endpoints
- Copy the scripts to the Wazuh agent’s active-response\bin directory on each endpoint (the path the wodle command below points to).
- Update the script’s Sysmon path to match the location of sysmon64.exe on the endpoint.
- Optionally deploy the scripts across many systems using an RMM tool or Group Policy Object (GPO).
3. Integrating Wazuh Manager with Copilot
- Connect your Wazuh Manager to Copilot.
- Deploy the Wazuh Utils application on the manager. This app dynamically writes sysmon_config.xml files to each customer’s directory under /var/ossec/etc/shared/Windows_<customer_code>.
- The app listens for Copilot updates and applies changes to the correct customer groups.
4. Updating Sysmon Configurations in Copilot
- In Copilot, modify the Sysmon configuration (e.g., exclude CrowdStrike events to avoid excessive noise).
- Upload and deploy the new configuration.
- Copilot sends the updated config to Wazuh Utils App, which writes it to the appropriate shared directory.
5. Reloading Configurations on Endpoints
- Configure a wodle command in the Wazuh agent to run the reload script automatically on startup or at defined intervals.
- To apply changes immediately, trigger the wodle manually (e.g., by changing the agent’s configuration so the agent restarts and the command runs again on start, as run_on_start is enabled below).
<wodle name="command">
  <disabled>no</disabled>
  <tag>sysmon-reload</tag>
  <command>"C:\Program Files (x86)\ossec-agent\active-response\bin\run_sysmon_config_reload.cmd"</command>
  <interval>1d</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>
6. Verification
- On the manager, check /var/ossec/etc/shared/Windows_<customer_code>/sysmon_config.xml to confirm the updated configuration was written.
- On the endpoint, verify that the new config is in place and timestamped correctly.
- Search for specific exclusions (e.g., “CrowdStrike”) to confirm the changes.
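To show what steps 4 and 6 look like in practice, here is an added example (not code from the WAZUH-UTILS repository or the Copilot app) that appends an exclusion rule to a Sysmon configuration and then searches the resulting file for that exclusion, as a verification step would. The sample config is constructed, and the "CSFalcon" image string is an assumed example value.

```python
"""Add a Sysmon exclusion rule to a config and verify it is present.

Added example, not from the SOCFortress WAZUH-UTILS repo. SAMPLE_CONFIG is
a constructed minimal Sysmon config; the CrowdStrike image value is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a single ProcessCreate exclude block with one rule.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="contains">Carbon Black</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def add_exclusion(config_xml, event_type, field, condition, value):
    """Append <field condition=...>value</field> to the first onmatch="exclude"
    block for event_type (e.g. ProcessCreate), creating the block if missing."""
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    if filtering is None:
        filtering = ET.SubElement(root, "EventFiltering")
    block = next((b for b in filtering.iter(event_type)
                  if b.get("onmatch") == "exclude"), None)
    if block is None:
        group = ET.SubElement(filtering, "RuleGroup", name="", groupRelation="or")
        block = ET.SubElement(group, event_type, onmatch="exclude")
    rule = ET.SubElement(block, field, condition=condition)
    rule.text = value
    return ET.tostring(root, encoding="unicode")


def find_exclusions(config_xml, needle):
    """Return (event_type, field, condition, value) for every exclude rule
    whose value contains needle, case-insensitively (the step 6 check)."""
    root = ET.fromstring(config_xml)
    hits = []
    for block in root.iter():
        if block.get("onmatch") != "exclude":
            continue
        for rule in block:
            if needle.lower() in (rule.text or "").lower():
                hits.append((block.tag, rule.tag, rule.get("condition"), rule.text))
    return hits


if __name__ == "__main__":
    updated = add_exclusion(SAMPLE_CONFIG, "ProcessCreate", "Image", "contains", "CSFalcon")
    print(find_exclusions(updated, "csfalcon"))
```

Pointing find_exclusions at the file under /var/ossec/etc/shared/Windows_<customer_code>/ on the manager, and at the copy on the endpoint, gives a quick way to confirm both sides carry the same exclusion.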
Benefits of This Approach
- Dynamic Updates: No need to restart services or reboot systems.
- Centralized Control: Manage configurations for multiple customers from a single pane of glass in Copilot.
- Reduced Noise: Exclude known software events (like Adobe, Carbon Black) to streamline log collection.
- Custom Scripting: Tailor the solution to your environment with customizable scripts.
Conclusion
This approach revolutionizes how you manage Sysmon configurations, shifting from fragmented manual processes to a centralized, dynamic, and scalable solution. Whether you manage a handful of clients or a large enterprise, integrating Copilot and Wazuh with custom scripts empowers you to keep your security telemetry clean and your monitoring efficient.
If you’re interested in professional support for implementing this solution, don’t hesitate to reach out via the contact link below.
Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html