Install Microsoft Sysmon

Some Tenable Identity Exposure’s Indicators of Attack (IoAs) require the Microsoft System Monitor (Sysmon) service to activate.

Sysmon monitors and logs system activity to the Windows event log to provide more security-oriented information in the Event Tracing for Windows (ETW) infrastructure.

Because installing an additional Windows service and driver can affect performances of the domain controllers hosting the Active Directory infrastructure. Tenable does not deploy automatically Microsoft Sysmon. You must install it manually or use a dedicated GPO.

The following IoAs require Microsoft Sysmon.



OS Credential Dumping: LSASS Memory

Detects Process Injection

Note: If you choose to install Sysmon, then you must install it on all domain controllers and not just the PDC to collect all necessary events.
Note: Test your Sysmon installation for compatibility issues before a full deployment of Tenable Identity Exposure.
Tip: Make sure to update Sysmon regularly after installation to take advantage of any patches that address possible vulnerabilities. The oldest version compatible with Tenable Identity Exposure is Sysmon 12.0.