SEKOIA.IO Endpoint Agent
SEKOIA.IO provides its own agent allowing to collect interresting events with a minimal configuration overhead.
The SEKOIA.IO agent is currently in beta and for Windows only.
Intake creation and download of the executable
The first step to use the agent is to create a new intake associated to the SEKOIA.IO Agent. A link to download the latest version of the agent is available in the description of the intake.
The Endpoint Detection Agent is a Windows binary which you can easily install on Windows systems, after having created a dedicated intake on SEKOIA.IO XDR. The following command must be executed as an administrator:
agent.exe -install -intake-key <INTAKE_KEY>
To make sure the agent is successfully installed as a service you can run the following command:
Once installed, the agent collects Windows event logs from ETW (Event Tracing for Windows), normalizes them and sends them to SEKOIA.IO.
If needed, the SEKOIA.IO agent can use a proxy server for its HTTPS requests. If you want to enable this feature, edit
the configuration file at
C:\Windows\System32\config\systemprofile\AppData\Local\SEKOIA.IO\EndpointAgent\config.yaml and add the following line:
If you want to automate the installation of the agent with this configuration option, make sure a
config.yaml file with this line is present in the working directory when launching the install command.
Recommended: Install Sysmon
If you want to improve detection and investigation capabilities, you may want to enable Sysmon. When installed, the SEKOIA.IO Agent will automatically collect logs produced by Sysmon.
Warning: The installation of this tool will generate more logs, so it will consume more CPU ressources. Install it on equipements that are correctly dimensioned, or try it on low risk assets at first.