SEKOIA.IO Endpoint Agent
SEKOIA.IO provides its own agent allowing to collect interresting events with a minimal configuration overhead.
Note
The SEKOIA.IO agent is currently in beta and for Windows only.
Installation
Intake creation and download of the executable
The first step to use the agent is to create a new intake associated to the SEKOIA.IO Agent. A link to download the latest version of the agent is available in the description of the intake.
Installation
The Endpoint Detection Agent is a Windows binary which you can easily install on Windows systems, after having created a dedicated intake on SEKOIA.IO XDR. The following command must be executed as an administrator:
agent.exe -install -intake-key <INTAKE_KEY>
To make sure the agent is successfully installed as a service you can run the following command:
Get-Service SEKOIAEndpointAgent
Once installed, the agent collects Windows event logs from ETW (Event Tracing for Windows), normalizes them and sends them to SEKOIA.IO.
Proxy Support
If needed, the SEKOIA.IO agent can use a proxy server for its HTTPS requests. If you want to enable this feature, edit
the configuration file at C:\Windows\System32\config\systemprofile\AppData\Local\SEKOIA.IO\EndpointAgent\config.yaml
and add the following line:
HTTPProxyURL: "<PROXY_URL>"
If you want to automate the installation of the agent with this configuration option, make sure a config.yaml
file with this line is present in the working directory when launching the install command.
Recommended: Install Sysmon
If you want to improve detection and investigation capabilities, you may want to enable Sysmon. When installed, the SEKOIA.IO Agent will automatically collect logs produced by Sysmon.
Warning: The installation of this tool will generate more logs, so it will consume more CPU ressources. Install it on equipements that are correctly dimensioned, or try it on low risk assets at first.
Sysmon is a Microsoft tool you can download on their website. A common installation instruction and configuration file is available on SwiftOnSecurity's Github.