¶ This Article is Under Construction
Please DO NOT Follow
¶ Installing WinCollect Agents
¶ Required
Before attempting these steps, you must have already been provided your WinCollect Install Package by your SOC Onboarding Manager. This package will be shared with you via your Shared Documentation Folder on Sharefile and will contain the five (5) files below.
- Sysmon.exe
- Sysmon64.exe
- sysmon-conf-cust.xml
- wincollect-7.3.1-28.x86.exe
- WinCollectInstall_CUST.bat
Note: The ‘cust’ and ‘CUST’ phrase in the above filenames will actually be the 3 or 4 letter acronym that Secure ISS is using to identify your organisation.
If you have not yet received this package, STOP this process now and reach out to your Onboarding Manager to provide these files.
¶ Prepare for the Deployment
Before proceeding to WinCollect Deployment on mass, you should have already deployed onto 2 or 3 Test Servers. Your Onboarding Manager should have also confirmed with you that the Windows Servers are now sending logs as expected.
If you have not deployed your Test Group yet or your Onboarding Manager has NOT confirmed the Test Group Success, please Stop this process and return to Phase Five - Windows Log Sources section of the SOC Onboarding Guide HERE
¶ Network Share
As part of the Test Group deployment, you should have placed the five (5) essential files onto a Network Share to which the Servers have Read-Execute access to.
If you did not complete this step during the Test Group, please do this now.
¶ Deploy The Installation Script
While there are many ways to deploy software on-mass across a network, this article will detail only the Group Policy method commonly used in Active Directory deployments.
Note: For instructions using any 3rd Party software deployment technologies, please contact us for further guidance.
¶ Creating Group Policy
Now that the Network Share and Batch File are completed, it is time to create the Group Policy.
Note: The Policy will be used to target settings in “Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)
- Using a domain administrator account, you will need to log into a Domain Controller and navigate to Group Policy Management.
- Create the Policy by right-clicking on Group Policy Objects and selecting New. Name the New Policy WinCollect
- Right click on the new GPO created and select Edit.
- Group Policy Management Editor will open allowing us to edit the GPO WinCollect. Go to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks. On the right-panel, right-click and select New for New Scheduled Task.
- Action should be set to Create. Give the New Task a Name like WinCollect-Restart. For Run, browse to the Script from earlier. For Run As, slect appropriate credentails.
-
Set your timing on the Schedule tab and click Apply and OK.
-
Finally, Link your Policy to the correct OU and Apply a GPO Update.
The Sheduled Task should now be set for all assets in the OU.