Install sysmon event manifests

elastic · Jan 13, 2025 · 97ed84f · 97ed84f
1 parent 585ff5d
commit 97ed84f
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1
@@ -0,0 +1,36 @@
+$downloadUrl = "https://download.sysinternals.com/files/Sysmon.zip"
+$tempFolder = "$env:TEMP\SysmonDownload"
+
+if (!(Test-Path $tempFolder)) {
+    New-Item -ItemType Directory -Path $tempFolder
+}
+
+$ProgressPreference = 'SilentlyContinue'
+try {
+    Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing
+} catch {
+    $result = $_.Exception.Response.GetResponseStream()
+    $reader = New-Object System.IO.StreamReader($result)
+    $reader.BaseStream.Position = 0
+    $reader.DiscardBufferedData()
+    $reader.ReadToEnd()
+    exit 1
+}
+
+Write-Host "Sysmon.zip downloaded successfully."
+
+Expand-Archive -Path "$tempFolder\Sysmon.zip" -DestinationPath $tempFolder
+
+$sysmonPath = Get-ChildItem -Path "$tempFolder" -Filter "Sysmon64.exe" | Select-Object -ExpandProperty FullName
+
+if ($sysmonPath) {
+    Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait
+
+    Write-Host "Sysmon event manifest installation completed."
+} else {
+    Write-Host "Sysmon executable not found in the downloaded archive."
+}
+
+# Clean up the downloaded file
+Remove-Item -Path "$tempFolder\Sysmon.zip"
+Remove-Item -Path $tempFolder -Force -Recurse
diff --git a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
@@ -65,6 +65,8 @@ steps:
       - label: ":windows: x-pack/winlogbeat Win 2019 Unit Tests"
         key: "mandatory-win-2019-unit-tests"
         command: |
+          Set-Location -Path .buildkite/scripts
+          ./install_sysmon.ps1
           Set-Location -Path x-pack/winlogbeat
           mage build unitTest
         retry:
@@ -91,6 +93,8 @@ steps:
 
       - label: ":windows: x-pack/winlogbeat: Win 2016 Unit Tests"
         command: |
+          Set-Location -Path .buildkite/scripts
+          ./install_sysmon.ps1
           Set-Location -Path x-pack/winlogbeat
           mage build unitTest
         key: "mandatory-win-2016-unit-tests"
@@ -118,6 +122,8 @@ steps:
 
       - label: ":windows: x-pack/winlogbeat: Win 2022 Unit Tests"
         command: |
+          Set-Location -Path .buildkite/scripts
+          ./install_sysmon.ps1
           Set-Location -Path x-pack/winlogbeat
           mage build unitTest
         key: "mandatory-win-2022-unit-tests"
@@ -150,6 +156,8 @@ steps:
     steps:
       - label: ":windows: x-pack/winlogbeat: Win 10 Unit Tests"
         command: |
+          Set-Location -Path .buildkite/scripts
+          ./install_sysmon.ps1
           Set-Location -Path x-pack/winlogbeat
           mage build unitTest
         key: "extended-win-10-unit-tests"
@@ -177,6 +185,8 @@ steps:
 
       - label: ":windows: x-pack/winlogbeat: Win 11 Unit Tests"
         command: |
+          Set-Location -Path .buildkite/scripts
+          ./install_sysmon.ps1
           Set-Location -Path x-pack/winlogbeat
           mage build unitTest
         key: "extended-win-11-unit-tests"
@@ -204,6 +214,8 @@ steps:
 
       - label: ":windows: x-pack/winlogbeat: Win 2019 Unit Tests"
         command: |
+          Set-Location -Path .buildkite/scripts
+          ./install_sysmon.ps1
           Set-Location -Path x-pack/winlogbeat
           mage build unitTest
         key: "extended-win-2019-unit-tests"