Deploy Threat Stack Windows Agent 2.x Series

Overview

This document describes the installation and configuration steps for the Threat Stack host-based Windows Agent 2.x series.

Pre-Installation for the Threat Stack Agent

Before you install the Threat Stack host-based Agent, please ensure your environment supports one of the following Windows Server Operating System versions:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Installing the Threat Stack Agent

Prerequisites

  • Access to the Threat Stack Cloud Security PlatformⓇ (CSP).
  • Ensure you have administrator privileges on the host to perform the installation.

Begin Agent Download

Click the Latest Windows Installer button to download the Agent software.

Once you have downloaded the installer, select one of the installation methods below.

Windows Setup Installation

  1. Navigate to the location of the Threat Stack Cloud Security Agent.msi file.
  2. Double click the file to run it.
  3. A setup wizard window will appear. Click Next to continue with the installation.

    [Screenshot: WindowsAgent-InstallWizard.png]

  4. The next screen will display a configuration page, where you can update the following settings:

    • The default installation location
      • By default, it is "C:\Program Files\Threat Stack\". Click Change to browse to a location of your choice.
    • The Threat Stack URL
    • The Ruleset Name
      • By default, it is set to Windows Rule Set. You can include multiple rule sets by separating them with a comma.
        • For example, to include a Windows and a PCI rule set, enter:
          Windows Rule Set, PCI Rule Set
    • The Deployment Key
      • A deployment key is required to complete the installation. It is available by logging into your Threat Stack CSP. Navigate to the Settings page and click the Application Keys tab. The key will be displayed under the Deployment Key section.
    • By default, the option for Start the services after setup is complete is checked.
      • You can uncheck this option. The services will be installed but won’t start until the host is rebooted.

    [Screenshot: WindowsAgent2-Install-Config.png]

  5. After entering your organization’s deployment key click Next.

    [Screenshot: WindowsAgent2-Install-DeployKey.png]

  6. Once you have reviewed your selections and are ready to proceed, click Install.

    [Screenshot: WindowsAgent2-Install-Confirm.png]

Note

If you have administrator privileges but are not logged into your administrator account, the Install button will show a User Account Control (UAC) shield.

  7. Once the installation is complete, a confirmation message will appear on the screen. Click Finish to close the window.
    • To confirm the Agent is running on the host, open a command prompt. Enter the following command from the install directory and press ENTER:
      tsagent status

    [Screenshot: WindowsAgent-Install-Finish.png]

  8. Your newly installed server will appear in the Threat Stack CSP on the Servers page.

Command Line Installation

The Agent can be installed from the command line by either using Windows PowerShell or a Command Prompt. The example below shows the installation process using the Command Prompt.

  1. Open the Command Prompt Window as an administrator.
  2. Enter the following command and press ENTER:
    msiexec /qn /i "c:\path\to\threatstack.msi" TSDEPLOYKEY="<DEPLOY_KEY>"
    The command line parameters are as follows:
    • "C:\path\to\threatstack.msi" - Indicates the location of the MSI installer.
      • For example, if the installer was saved in the Downloads folder on your server, you will enter "C:\Users\Administrator\Downloads\threatstack.msi".
    • TSDEPLOYKEY - It indicates the deployment key used to register with the platform. Replace <DEPLOY_KEY> with your deployment key.
      • A deployment key is required to complete the installation. It is available by logging into your Threat Stack CSP. Navigate to the Settings page and click the Application Keys tab. The key will be displayed under the Deployment Key section.
    • TSEVENTLOGLIST (optional) - You can choose to capture System Monitoring (Sysmon) events by adding TSEVENTLOGLIST="Security,Microsoft-Windows-Sysmon/Operational" to the command line.
    • TSCLOUDURL (optional) - It indicates the URL of the Threat Stack CSP.
    • TSRULESETNAMES (optional) - It indicates the rule set(s) being used.
      • It defaults to the Windows Rule Set. You can include multiple rule sets by separating them with a comma.
        • For example, to include a Windows and a PCI rule set, enter:
          TSRULESETNAMES="Windows Rule Set, PCI Rule Set"
    • TSSTARTSERVICES (optional) - You can set the Threat Stack Agent (tsagent) service to not start after the installation by adding TSSTARTSERVICES="No" to the command line.
      • The services will start once the host has been rebooted.
    • INSTALLDIR (optional) - It indicates the installation location.
      • By default, it is "C:\Program Files\Threat Stack\".
  3. The installation will quietly run in the background. Once complete, it will return a new command line.
    • To confirm the Agent is running on the host, enter the following command from the install directory and press ENTER:
      tsagent status
  4. Your newly installed server will appear in the Threat Stack CSP on the Servers page.
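
As an added example (not Threat Stack's own tooling), the following PowerShell wrapper runs the same silent msiexec install with the parameters listed above, verifies the installer's Authenticode signature before running it, and evaluates the msiexec exit code before calling tsagent status. The installer path, the deployment key placeholder, the log file path and the tsagent.exe binary name are assumptions.

```powershell
# Added example: silent install of the Threat Stack Windows Agent via msiexec,
# with a signature check before the install and an exit-code check after it.
# Paths and the key value are placeholders; replace them for your environment.
$Installer  = 'C:\Users\Administrator\Downloads\threatstack.msi'   # assumed path
$DeployKey  = '<DEPLOY_KEY>'                                        # from CSP > Settings > Application Keys
$InstallDir = 'C:\Program Files\Threat Stack\'
$EventLogs  = 'Security,Microsoft-Windows-Sysmon/Operational'
$RuleSets   = 'Windows Rule Set, PCI Rule Set'

# Refuse to install an MSI whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature check failed ($($sig.Status)); not installing."
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# Build the msiexec argument list. MSI public properties must be quoted when
# their values contain spaces or commas.
$msiArgs = @(
    '/qn', '/i', "`"$Installer`"",
    "TSDEPLOYKEY=`"$DeployKey`"",
    "TSEVENTLOGLIST=`"$EventLogs`"",
    "TSRULESETNAMES=`"$RuleSets`"",
    "INSTALLDIR=`"$InstallDir`"",
    '/l*v', '"C:\Windows\Temp\tsagent-install.log"'   # verbose log for troubleshooting (assumed path)
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# msiexec returns 0 on success and 3010 when it succeeded but needs a reboot.
switch ($proc.ExitCode) {
    0       { Write-Host 'Agent installed.' }
    3010    { Write-Warning 'Agent installed; a reboot is required before the services start.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see the log file." }
}

# Confirm the agent is running, using the tsagent binary from the install
# directory (tsagent.exe is the assumed executable name).
& (Join-Path $InstallDir 'tsagent.exe') status
```
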

System Monitoring (Sysmon) Installation and Configuration

The Threat Stack Windows Agent leverages Sysmon's functionality to focus on security-related events. The majority of rules within the Windows Rule Set rely on Sysmon logs. Hence, we recommend installing System Monitoring for optimal performance of the Windows Agent and its associated rules. For customers who choose not to install Sysmon, the functionality of the Windows Agent becomes very limited: the Agent will still be able to monitor the system (host) via File Integrity Monitoring (FIM) and a subset of events from the Security event log.

Given the volume of information logged by Sysmon, it is best to apply a configuration file that filters out normal operating system processes and common applications that generate vast amounts of data. We recommend using this Sysmon configuration file.

Download Sysmon

Review this Microsoft article for a description of functionality and configuration of Sysmon.

Click the Sysmon Download button to download the Sysmon files.

The downloaded Sysmon.zip file contains 3 files:

  • Eula.txt - An end user license agreement file.
  • Sysmon.exe - A 32-bit Sysmon binary used for installing on 32-bit operating systems.
  • Sysmon64.exe - A 64-bit Sysmon binary used for installing on 64-bit operating systems.

The configuration of Sysmon can be a challenging task due to the complexity and filtering logic available to end users. Threat Stack recommends starting with a popular and well-commented Sysmon configuration file.

Install Sysmon

  1. Open the Command Line window.
  2. Enter the following command and press ENTER:
    Sysmon64.exe -accepteula -i sysmonconfig-export.xml

    Note

    The command in this example assumes you downloaded the Sysmon configuration file to the same folder where you extracted your Sysmon.zip file.

  3. Once installed, Sysmon will start writing logs to a newly created Event Log. You can view the log within Event Viewer by navigating to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
    • This log defaults to a maximum size of approximately 65 megabytes (MB). It will overwrite the oldest events once this limit is reached.
    • This default size should be sufficient for most customers.

Configure the Threat Stack Agent

  1. Open the Command Line window.
  2. Enter the following command to enable monitoring of both the Security and Sysmon Event Logs. Then, press ENTER:
    tsagent config --set EventLogs Security,Microsoft-Windows-Sysmon/Operational
  3. Enter the following command to restart the Agent. Then, press ENTER.
    tsagent restart
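
The Sysmon installation and the Agent configuration steps above, carried through as one added PowerShell script (not Threat Stack's or Microsoft's own tooling): it checks the Sysmon binary's signature, installs Sysmon with the filtering configuration (or updates the configuration if Sysmon is already present), confirms the Sysmon operational log exists and inspects its size cap, then enables both logs in the Agent and restarts it. The directory paths, the tsagent.exe binary name and the Sysmon64 service name are assumptions.

```powershell
# Added example: install Sysmon with a filtering configuration, verify the
# Sysmon operational log, then point the Threat Stack Agent at the Security
# and Sysmon logs and restart it. Paths below are assumptions.
$SysmonDir = 'C:\Tools\Sysmon'                               # where Sysmon.zip was extracted
$SysmonExe = Join-Path $SysmonDir 'Sysmon64.exe'
$ConfigXml = Join-Path $SysmonDir 'sysmonconfig-export.xml'
$TsAgent   = 'C:\Program Files\Threat Stack\tsagent.exe'     # assumed binary name in the default install dir
$LogName   = 'Microsoft-Windows-Sysmon/Operational'

# Check the binary's Authenticode signature before running it as a service.
$sig = Get-AuthenticodeSignature -FilePath $SysmonExe
if ($sig.Status -ne 'Valid') { throw "Sysmon64.exe signature status: $($sig.Status)" }

# Fresh install (-i) or, if the service already exists, configuration update (-c).
# 'Sysmon64' is the service name Sysmon64.exe registers by default (assumed here).
$sysmonSvc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($null -eq $sysmonSvc) {
    & $SysmonExe -accepteula -i $ConfigXml
} else {
    & $SysmonExe -c $ConfigXml
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Sysmon writes to a dedicated event log; confirm it exists and check its size cap
# (the default is roughly 65 MB, and the oldest events are overwritten when it fills).
$log = Get-WinEvent -ListLog $LogName
Write-Host ("Sysmon log enabled: {0}, max size: {1:N0} MB" -f $log.IsEnabled, ($log.MaximumSizeInBytes / 1MB))
if ($log.MaximumSizeInBytes -lt 64MB) {
    Write-Warning 'Sysmon log size limit is below the default; high-volume hosts may lose events.'
}

# Tell the Agent to read both logs, then restart it so the change takes effect.
& $TsAgent config --set EventLogs "Security,$LogName"
& $TsAgent restart

# Sanity check: count Sysmon events written in the last 10 minutes.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddMinutes(-10) } -ErrorAction SilentlyContinue
Write-Host "Sysmon events in the last 10 minutes: $(@($recent).Count)"
```

A count of zero right after a fresh install is normal; re-run the last two lines after a few minutes of activity to confirm events are flowing.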