Sysmon

The JSA Sysmon Content Extension detects advanced threats on Windows endpoints by using Sysmon logs.

The Sysinternals Sysmon service adds several Event IDs to Windows systems. These new Event IDs are used by system administrators to monitor system processes, network activity, and files. Sysmon provides a more detailed view than the Windows security logs. For more information about Sysmon, see Secure Your Endpoints With QRadar Content for Sysmon.

This content extension provides multiple use cases to detect advanced threats, such as PowerShell abuse, hidden Windows processes, fileless memory attacks, code obfuscation, and many more. It includes new offense rules, building blocks, reference sets, and custom functions that can help you detect these threats.

Note

Update the Microsoft Windows DSM to the latest version before you install JSA Sysmon Content Extension.

For more information about the use cases that are covered by this content extension, see the following videos:

Video Title

Video Link

Sysmon PowerShell Use Case 1

https://youtu.be/PWiw-RpLIbw

Sysmon PowerShell Use Case 2

https://youtu.be/_eaMMo8sPtA

Sysmon PowerShell Use Case 3

https://youtu.be/sZUAuYpSe7Q

Sysmon Use Case 4 Bogus Windows Processes

https://youtu.be/gAS-B9gb3RY

Sysmon Use Case 5 Detecting other Libraries

https://youtu.be/omWnyACNEcM

Sysmon Use Case 6 Nasty Injection & Encoded Attacks

https://youtu.be/kC2hIJxqF8Q

JSA Privilege Escalation Detection Use Case 7

https://www.youtube.com/watch?v=yitGRL-WJCM

JSA Privilege Escalation Continued Use Case 8

https://www.youtube.com/watch?v=8u6G6SEw3kE

Sysmon Use Case 9 - More Privilege Escalation Detection

https://www.youtube.com/watch?v=0Wy59Otr_Ag

Sysmon Use Case 10 - Creating an Admin Account

https://www.youtube.com/watch?v=bJgaFSjuMSs

Sysmon Detecting Name Pipe Impersonation

https://www.youtube.com/watch?v=pSBQ7NabDUY

Sysmon Detecting Mimikatz

https://www.youtube.com/watch?v=gKa_CZAz3Jc

JSA Lateral Movement Detection, Example One

https://www.youtube.com/watch?v=IBEIN9sl4lk

JSA Lateral Movement Detection Example Two

https://www.youtube.com/watch?v=whjpScDYaY4

JSA Lateral Movement Detection Example Three (Plain Windows Features)

https://www.youtube.com/watch?v=7PXzi3pbmFo

JSA Sysmon Content Extension V1.1.2

The following table shows the custom properties in JSA Sysmon Content Extension V1.1.2.

Table 1: Custom Properties in JSA Sysmon Content Extension V1.1.2

Name

Regex

Image

Image:\s(.*?)\s(FileVersion|CommandLine):

ImageName

Image:\s(?:.*\\)?(.*?)\s(?:FileVersion|CommandLine):\s

LoadedImage

ImageLoaded:\s(.*?)\s(FileVersion|Hashes)\:

LoadedImageName

ImageLoaded\:\s(?:.*\\)(.*?)\s*(FileVersion|Hashes)\:

The following table shows the rules and building blocks in JSA Sysmon Content Extension V1.1.2.

Table 2: Rules in JSA Sysmon Content Extension V1.1.2

Name

Description

Process Baselining: Process Name to Hash

Added a rule response to populate the ProcessNametoHashRefMapOfSetKeys reference set.

Process Baselining: Process Name to Parent Process

Added a rule response to populate the ProcesstoParentProcessPathRefMapKeys reference set.

Detected A Known Process Started With A New Unseen Hash

Detects when a known process starts with a new unseen hash.

Detected Abnormal Parent for a Process

Detects an abnormal parent for a process.

Process Baselining: Process Hash

Provides a baseline for process hashes.

Process Baselining: Process Name

Provides a baseline for process names, with standard Windows logs or Sysmon logs.

Detected An Unknown / Unseen Process (Based On The Process Hash)

Detects any unusual or unknown process hashes.

Detected An Unknown / Unseen Process (Based On The Process Name)

Detects any unusual or unknown process names.

Process Launched From a Shared Folder and Created Thread into Another Process

Updated one of the rule tests.

The following table shows the reference data in JSA Sysmon Content Extension V1.1.2.

Table 3: Reference Data in JSA Sysmon Content Extension V1.1.2

Type

Name

Description

Reference Set

Profiled Process Names

Stores the baseline list of process names.

Reference Set

Profiled Process Hashes

Stores the baseline list of process hashes.

Reference Set

ProcessNametoHashRefMapOfSetKeys

Stores the keys used in the map of sets that maps a process name to its hash.

Reference Set

ProcesstoParentProcessPathRefMapKeys

Stores the keys used in the map of sets that maps a process name to its parent process.

Reference Map of Sets

ProcessMaptoProcessParentPath

Changed the element type to alpha-numeric ignore case.

Reference Map of Sets

ProcessNametoHash

Changed the element type to alpha-numeric ignore case.

The following table shows the saved searches in JSA Sysmon Content Extension V1.1.2.

Table 4: Saved Searches in JSA Sysmon Content Extension V1.1.2

Name

Description

Unknown Process Hash Has Been Started

Updated the search criteria.

Abnormal Parent for a Process

Updated the search criteria.

Unknown Process Name Has Been Started

This search shows unknown processes based on the process name.

JSA Sysmon Content Extension V1.1.1

In V1.1.1, two rules and two AQL functions were removed due to possible performance issues:

  • Rule: Detected a Known Process Started With Unseen Hash

  • Rule: Detected Abnormal Parent for a Process

  • Custom function: checkWithMapOfSets

  • Custom function: IsItWhiteListedProcess

JSA Sysmon Content Extension V1.1.0

JSA Sysmon Content Extension v1.1.0 includes new rules to establish baseline processes, and to detect the following activities:

  • Privilege escalation

  • Fileless user account control (UAC) bypasses

  • Credential dumping

  • Lateral movement techniques

  • The Metasploit PSExec implementation

  • Malicious PowerShell usage

This version also includes new custom properties, saved searches, and an AQL custom function. A new icon is added to the JSA admin settings to configure an authorization token for the Sysmon custom functions.

The following table describes the changes that are included in JSA Sysmon Content Extension v1.1.0.

Type

Name

Change description

Rule

Unusual Process (ex: word, iexplore, AcroRd..) launched a Command Shell

Detects if an unusual process, such as MS Word, Internet Explorer, or Acrobat Reader, starts a command shell or PowerShell.

Rule

Detected a Remotely Executed Process over Multiple Hosts

Detects any remotely run process that uses PowerShell, WMI, or PSExec, which are well-known lateral movement techniques.

Rule

Detected a Scheduled Task over Multiple Hosts

Detects a scheduled task over multiple hosts.

Rule

Metasploit PSExec Module Has Been Detected

Detects the Metasploit implementation of the PSExec tool.

Rule

PSExec Has Been Launched From a Compromised Host

Detects if PSExec is launched from a host that is marked as a compromised host.

Rule

PSExec Has Been Detected

Detects if any host launches PSExec.

Rule

Detected PSExec with a Different Process Name

Detects if PSExec is uploaded with a different name.

Rule

Command Shell Started With a System Privileges

Detects if a command shell is started with escalated privileges. For example, if a regular user starts the command shell as a Windows System user.

Rule

Process Baselining: Process Started with a System User Privileges

Provides a baseline for which processes usually start with a system privilege. This baseline is used by other rules to detect if a new process starts with a system privilege. This baseline can indicate whether someone tries to do a privilege escalation.

Rule

Detected a New Unseen Process Started with a System User Privileges

Detects if a new or unusual process starts with a system privilege. By default this rule is disabled. As part of your maintenance routine, run the process baseline rules for one week before you enable this rule.

Rule

Process Baselining: Process Name to Parent Process

Provides a baseline to identify the parent processes for each process. This baseline can help to detect unusual processes.

Rule

Process Baselining: Process Name to Hash

Provides a baseline for process names and their corresponding hashes. This baseline can help to detect if an unknown process starts, or if a process starts with a new hash. This information can also be used to integrate Sysmon logs with other logs.

Rule

Detected Excessive Usage of System Tools From a Single Machine

Detects excessive usage of several system tools from a single machine, such as:

  • lcacl.exe

  • procdump.exe

  • vssadmin.exe

  • accesschk.exe

  • netsh.exe

  • arp.exe

  • systeminfo.exe

  • whoami.exe

Rule

Detected a Service Configured to Use PowerShell

Detects if any service is configured to use PowerShell.

Rule

Detected a Long Value in Windows Registry

Detects if an attacker tried to add or set a registry key by using a long value, such as a PowerShell encoded command.

Rule

Detected a Service with an Executable Binary Located in a Shared Folder

Detects if any service is configured to start an executable binary from a shared folder.

Rule

Detected a Service Configured to Use a Pipe

Detects if any service is configured to connect to a pipe.

Rule

A Pipe Has Been Created Followed by Updating Service Binary Path to Connect to The Created Pipe

Detects a named pipe impersonation, which is a technique for privilege escalation.

Rule

Detected a Service Binary Path Changed followed by a User or Group Added

Detects if a user or group is added after a service binary path changed.

Rule

Service Binary Path Has Been Updated Followed by a Network Connection From the Same Process

Detects if a process attempts to configure or add a service and detects if the same process creates an outbound connection.

Rule

Detected Excessive Execution of SC Command

Detects if the service controller command is used excessively.

Rule

Detected an Unquoted Service Binary Path with Spaces

Detects if an unquoted service binary path contains spaces. A file path that is not enclosed within quotation marks and contains spaces in the path can be leveraged. For example, C:\Program Files (x86)\.

Rule

Possible UAC Bypass - A Scheduled Task Has Been Configured to Run With Highest Privileges

Detects if a scheduled task is created to run by using the highest privileges.

Rule

Service Binary Path Has Been Updated Followed by a CreateRemoteThread Detected From the Same Process

Detects if a process attempts to configure or add a service, and detects if the same process creates a thread into other processes.

Rule

Process Launched From a Shared Folder

Detects if any process starts from a shared folder.

Rule

Process Launched From a Shared Folder and Created Thread into Another Process

Detects if a process starts from a shared folder and creates a thread in another process.

Rule

A Remoting Service Created a PowerShell Script File

Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, creates a PowerShell script file.

Rule

LSASS Process Connected to a Pipe

Detects any pipe connection that is initiated from the Local Security Authority Subsystem Service (LSASS) process, which can lead to credential dumping.

Rule

Detected a Remoting Service Connected to LSASS Pipe

Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, attempts to connect to a pipe called LSASS.

Rule

Detected a Fileless UAC Bypass using sdclt

Detects a user account control (UAC) bypass attempt that uses sdclt.exe, the Windows process that allows users to run backup and restore operations. By default, sdclt.exe runs with a high integrity level. After the process starts, it looks for specific keys in the registry. If the keys exist, it runs them.

Rule

Detected a Fileless UAC Bypass using Fodhelper

Detects if the Fodhelper process is used to bypass UAC in Windows 10 by hijacking a special key in the registry.

Rule

Detected a Fileless UAC Bypass using Windows Event Viewer

Detects if the Windows event viewer is used to bypass UAC.

Rule

Unsigned Driver Has Been Loaded Into Windows Kernel

Detects any attempt to load an unsigned driver into the Windows kernel.

Rule

A Service Has Been Installed in a Compromised Host

Detects any service installation on a host that is marked as a compromised host.

Rule

A Scheduled Task Has Been Created in a Compromised Host

Detects any attempt to create a scheduled task on a host that is marked as a compromised host.

Rule

Excessive Denied SMB Traffic From a Compromised Host

Detects excessive SMB traffic that is denied from a compromised host.

Rule

Excessive Failed Attempts to Access an Administrative Share From a Single source

Detects excessive failed attempts to access administrative shares from a single source host.

Rule

Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host

Detects excessive failed attempts to access shared folders over multiple hosts in the network from a compromised host.

Rule

A Network Share Has Been Accessed From a Compromised Host

Detects if a compromised host successfully accessed a shared folder.

Rule

A Network Share Has Been Added In a Compromised Host

Detects if a compromised host adds a shared folder or file.

Rule

Detected SMB Traffic From a Compromised Host Into Other Hosts

Detects outbound SMB traffic from a compromised host to other hosts.

Rule

Detected a Successful Login From a Compromised Host Into Other Hosts

Detects successful logins from a compromised host to other hosts.

Rule

An Administrative share Has Been Accessed

Detects if an administrative share is accessed.

Rule

A Hidden Network Share Has Been Added

Detects the creation of a hidden shared file.

Rule

PowerShell Has Been Launched

Detects if a host starts PowerShell.

Rule

PowerShell Has Been Launched in a Compromised Host

Detects if a compromised host starts PowerShell.

Rule

A Malicious Service Has Been Installed in a System

Detects if a known malicious service is installed in the system.

Rule

Childless Process Launched/Spawned a Process

Detects if a process that is intended to be childless launches a child process.

Rule

Shadow Copies Delete Detected

Detects if shadow copies are deleted.

Rule

Detected a Suspicious Svchost Process

Detects a malicious svchost process.

Rule

Detected Mimikatz Based on IMP Hash

Detects the Mimikatz post-exploitation tool based on whether the Invoke Mimikatz PowerShell (IMP) Hash is used.

Rule

A Command Shell or Powershell Has been Launched From a Remote System

Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, starts a command shell or PowerShell on a remote system.

Rule

Whoami /groups Has Been Executed

Detects if the whoami or groups command is used before any privilege escalation technique.

Rule

SAM Registry key - Enumerate sub-keys (users)

Detects any attempt to enumerate the SAM registry key.

Rule

Detected a Registry Dump For SAM or System Key

Detects any attempt to dump the SAM registry.

Rule

SAM Registry key Has Been Accessed - using regedit

Detects any attempt to access the SAM registry key.

Rule

Process Created a Thread into LSASS Process

Detects any attempt to create a thread into the LSASS process.

Rule

Unsigned Executable Loaded Into LSASS.exe

Detects any attempt to load an unsigned executable file into the LSASS process.

Rule

Detected a Malicious Access to LSASS Process

Detects any malicious access to the LSASS process.

Rule

Detected a Malicious Access to LSASS Process from Unknown Call Trace

Detects any fileless attempts to access the LSASS process.

Rule

Process Started from Unusual Directories (Recycle.bin, ..)

Detects if a process starts from an unusual directory, such as the recycle bin.

Rule

Detected a Possible Credential Dumping Tool

Used as an extra mark if any of the following rules match:

  • Detected a Malicious Access to LSASS Process

  • Detected a Malicious Access to LSASS Process from Unknown Call Trace

  • Detected a Registry Dump For SAM or System Key

  • Process Created a Thread into LSASS Process

  • SAM Registry key - Enumerate sub-keys (users)

  • SAM Registry key Has Been Accessed - using regedit

  • Detected Mimikatz Based on IMP Hash

  • Detected a Remoting Service Connected to LSASS Pipe

  • LSASS Process Connected to a Pipe

Rule

Detected a Possible Keylogger

Detects if a machine is infected with a keylogger.

Rule

Possible Locky Ransomware detected based on rundll32 with qwerty argument

Detects a known signature for Locky ransomware.

Rule

PowerShell Malicious Usage Detected with Encoded Command

Updated to detect more malicious uses of PowerShell.

Rule

PowerShell Malicious Usage Detected

Updated to detect more malicious uses of PowerShell.

Building Block

BB: PSExec Has Been Detected

Used in the PSExec rules.

Building Block

BB: Process created a Network Connection

Used in rules that correlate network connections with other activities.

Building Block

BB: An Administrative share Has Been Accessed

Used in rules that detect any malicious activities with shared folders.

Building Block

BB: CreateRemoteThread Detected

Used in rules that detect the creation of remote threads.

Building Block

BB: Normal Windows Processes Accessed LSASS.exe

Used in rules that detect the LSASS process.

Building Block

BB: Detected a PowerShell Process

Used in rules that detect PowerShell processes.

Building Block

BB: A Scheduled Task Has Been Created

Used in rules that detect scheduled tasks.

Building Block

BB: Detected a Scheduled Task based on Process Creation Event Part 1

Used in rules that detect scheduled tasks based on process event creation.

Building Block

BB: Pipe Has Been Created

Used in rules that detect pipe creation.

Building Block

BB: Detected a Scheduled Task based on Process Creation Event Part 2

Used in rules that detect scheduled tasks based on process event creation.

Building Block

BB: Service Binary Path Has Been Set or Updated

Used in rules that detect if a service binary path is set or updated.

Building Block

BB: CreateRemoteThread excluded cases

Used in rules that detect the creation of remote threads.

Saved Search

Abnormal Parent for a Process

This search shows any process with an unusual parent, based on the baselined data.

Saved Search

Network Connection Detected by Windows Sensitive Processes

This search shows any connection that is initiated from a Windows sensitive process.

Saved Search

Process Access to LSASS

This search shows any process that accessed LSASS.

Saved Search

Remotely Launched Executables via WMI or PowerShell

This search shows processes that were run remotely.

Saved Search

Service Binary Path Has Been Set or Updated

This search shows any new service or if the location of the service binary changes.

Saved Search

Unknown Process Hash Has Been Started

This search shows any unseen process hashes.

Saved Search

Unsigned Executable Loaded Into Sensitive System Process

This search shows any attempt to load an unsigned executable file into sensitive system processes.

Saved Search

Very Long Command Line Detected

This search shows long command line text.

Reference Set

Whitelisted Hashes

Contains a list of whitelisted hashes.

Reference Set

Systools

Contains a list of tools that are used by system administrators.

Reference Set

Processes Hashes Started as System User

Contains a list of process hashes that can start with system-level privileges.

Reference Set

Compromised Hosts

Contains a list that is populated with any compromised hosts.

Reference Set

Process Name to Hash

Contains a list of process names that are mapped to their hashes.

Reference Set

IOCs - Malicious Service Names

Contains a list of well-known malicious service names.
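The condition behind the "Detected an Unquoted Service Binary Path with Spaces" rule, as an added Python check that is not code from the content extension. The ImagePath values are constructed examples of what Sysmon reports when a service's ImagePath registry value is set; the binary-path splitting rule is this example's own assumption.

```python
import re

# Constructed ImagePath values (Details field of a Sysmon registry value-set event for
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath), keyed by service name.
SAMPLE_SERVICE_PATHS = {
    "VendorAgent":   r"C:\Program Files (x86)\Vendor App\agent.exe -run",
    "VendorUpdater": r'"C:\Program Files (x86)\Vendor App\updater.exe" /quiet',
    "Dhcp":          r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
    "acpi":          r"\SystemRoot\System32\drivers\ACPI.sys",
    "LegacyTool":    r"C:\Tools\Legacy Tool\tool.exe",
}

# Assumption: the binary path is everything up to the first executable/driver
# extension that is followed by whitespace or the end of the value.
_BINARY_RE = re.compile(r"^(.*?\.(?:exe|sys|dll|com))(?:\s|$)", re.IGNORECASE)


def is_unquoted_path_with_spaces(image_path: str) -> bool:
    """True when the value is not wrapped in quotes and the binary location itself
    contains a space (for example C:\\Program Files (x86)\\Vendor App\\agent.exe).
    Every space before the executable name is a point where the path is ambiguous,
    which is exactly what the rule flags. Arguments after the binary do not count."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False  # a quoted path is resolved unambiguously
    m = _BINARY_RE.match(path)
    binary = m.group(1) if m else path.split(" ", 1)[0]
    return " " in binary


def flag_unquoted_services(image_paths: dict) -> list:
    """Return the sorted names of the services whose ImagePath the rule would flag."""
    return sorted(name for name, p in image_paths.items() if is_unquoted_path_with_spaces(p))
```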

JSA Sysmon Content Extension V1.0.0

The following table describes the changes that are included in JSA Sysmon Content Extension v1.0.0.

Type

Name

Change description

Rule

Unsigned Executable or DLL Loaded from Temp Directory

Detects when an unsigned executable or DLL is loaded from a temporary directory.

Rule

Process Launched From Temp Directory

Detects when a process is launched from a temporary directory.

Rule

Unsigned Executable or DLL Loaded Into Sensitive System Process

Detects when an unsigned executable or DLL is loaded into a sensitive system process.

Rule

Process Created a Thread into System Process

Detects when a process creates a thread in a system process.

Rule

Process Created a Thread From a Process That was Launched From a Temp Directory

Detects when a process creates a thread from a process that was launched from a temporary directory.

Rule

Process Created a Thread Into Another Process

Detects when a process creates a thread in another process.

Rule

PowerShell Malicious Usage Detected

Detects malicious PowerShell usage.

Rule

PowerShell Malicious Usage Detected with Encoded Command

Detects malicious PowerShell usage with an encoded command.

Rule

PowerShell script has been downloaded

Detects when a PowerShell script is downloaded.

Rule

System Process Started from Unusual Directory

Detects when a system process starts from an unusual directory.

Rule

Abnormal Parent for a System Process

Detects when an abnormal parent for a system process is present.

Rule

Suspicious svchost Process Detected

Detects suspicious svchost processes.

Rule

Shadow Copies Delete Detected

Detects when a shadow copy file is deleted.

Building Block

BB: Unsigned Executable or DLL Loaded Into Sensitive System Process Part 1

Used by the Unsigned Executable or DLL Loaded Into Sensitive System Process rule.

Building Block

BB: Detected a downloaded PowerShell Script

Used by the PowerShell script has been downloaded rule.

Building Block

BB: Detected a downloaded PowerShell Script with EncodedCommand

Used by the PowerShell Malicious Usage Detected with Encoded Command rule.

Custom Property

Image

Image:\s(.*)\sImageLoaded

Custom Property

ImageName

Image:\s(?:.*\\)(.*)\sImageLoaded

Custom Property

Signed

Signed:\s(true|false)

Custom Property

Signature

Signature:\s(.*)\sSignatureStatus

Custom Property

SignatureStatus

SignatureStatus:\s(Valid)

Custom Property

LoadedImage

ImageLoaded:\s(.*)\sHashes

Custom Property

Image

Image:\s(.*)\sCommandLine

Custom Property

ImageName

Image:\s(?:.*\\)(.*)\sCommandLine

Custom Property

ParentImage

ParentImage:\s(.*)\sParentCommandLine

Custom Property

ParentImageName

ParentImage:\s(?:.*\\)(.*)\sParentCommandLine

Custom Property

Target Image Name

TargetImage:\s(?:.*\\)(.*)\sNewThreadId

Custom Property

SourceImage

SourceImage:\s(.*)\sTargetProcessGuid

Custom Property

TargetImage

TargetImage:\s(.*)\sNewThreadId

Custom Property

PS Encoded Command

[\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)

Custom Property

Process CommandLine

CommandLine:\s(.*)\sCurrentDirectory

Custom Property

SourceImageTempPath

SourceImage:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*

Custom Property

ImageTempPath

Image:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*

Custom Property

ImageLoadedTempPath

ImageLoaded:\s+.*((?:Windows\\Temp)|(?:AppData\\Local\\Temp))\\.*

Custom Property

Process CommandLine

Process Command Line:\s*(.*)\s*Token Elevation Type

Custom Property

PS Encoded Command

Process Command Line:\s*powershell.*[\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)\s*Token Elevation Type

Custom Property

ImageName

New Process Name:\s*(?:.*\\)(\S*)\s*Token\sElevation\sType\:

Custom Property

SHA1 Hash

SHA1=(\w+)

Custom Property

MD5 Hash

MD5=(\w*)

Custom Property

SHA256 Hash

SHA256=(\w*)

Custom Property

IMP Hash

IMPHASH=(\w*)

Custom Property

Image

New Process Name:\s*(\S*)\s*Token\sElevation\sType\:

Custom Function

base64Decode

Decodes the base64 text from the PowerShell encoded command into a normal readable string.

Custom Function

PScmdFilter

Filters the process command line from the Sysmon events.

Saved Search

Very Long Command Line Detected

This is an event search to match on long process command lines from Sysmon events.

Reference Set

TempFilePath

Contains a list of file paths of the temporary directory.

Reference Set

Windows Sensitive Processes

Contains a list of all sensitive Windows processes.

Reference Set

ProcessMaptoProcessPath

Contains a list of process names and the paths to those processes.

Reference Set

ProcessMaptoProcessParentPath

Contains a list of process names and the paths to the parent processes.
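As an added illustration (not code from the content extension), the following Python applies the custom property regexes from Table 1 and from the V1.0.0 custom property table to a constructed Sysmon Event ID 1 record, rendered as the whitespace-separated "Key: value" text those patterns expect, and then decodes the extracted encoded command the way the base64Decode custom function is described as doing (assumed here to be UTF-16LE text under the base64, which is what powershell.exe -EncodedCommand uses). The event, its hashes (digests of empty input used as placeholders) and the command are constructed.

```python
import base64
import re

# Custom property regexes copied from the content extension tables. They assume the
# Sysmon event is rendered as whitespace-separated "Key: value" pairs on one line.
CUSTOM_PROPERTIES = {
    "Image":               r"Image:\s(.*?)\s(FileVersion|CommandLine):",
    "ImageName":           r"Image:\s(?:.*\\)?(.*?)\s(?:FileVersion|CommandLine):\s",
    "ParentImage":         r"ParentImage:\s(.*)\sParentCommandLine",
    "ParentImageName":     r"ParentImage:\s(?:.*\\)(.*)\sParentCommandLine",
    "Process CommandLine": r"CommandLine:\s(.*)\sCurrentDirectory",
    "SHA1 Hash":           r"SHA1=(\w+)",
    "MD5 Hash":            r"MD5=(\w*)",
    "SHA256 Hash":         r"SHA256=(\w*)",
    "IMP Hash":            r"IMPHASH=(\w*)",
}
# "PS Encoded Command" property: tolerates -e, -enc, -EncodedCommand and cmd.exe caret (^) escapes.
PS_ENCODED_COMMAND = r"[\-^]{1,2}[Ee^]{1,2}[NnCcOoDdEeMmAa^]*[\s^]+(\S+)"

# Constructed sample: the plaintext is encoded exactly as powershell.exe -EncodedCommand
# expects it (UTF-16LE, then base64). Hashes are placeholders (digests of empty input).
PLAINTEXT_COMMAND = "Get-Process | Where-Object { $_.CPU -gt 100 }"
ENCODED_COMMAND = base64.b64encode(PLAINTEXT_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENT = (
    "Process Create: RuleName: - UtcTime: 2024-01-15 09:30:00.000 "
    "ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 4242 "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "FileVersion: 10.0.19041.1 Description: Windows PowerShell "
    "Product: Microsoft Windows Operating System Company: Microsoft Corporation "
    "OriginalFileName: PowerShell.EXE "
    f"CommandLine: powershell.exe -nop -w hidden -enc {ENCODED_COMMAND} "
    "CurrentDirectory: C:\\Users\\alice\\ User: CORP\\alice "
    "LogonGuid: {00000000-0000-0000-0000-000000000002} LogonId: 0x2a6b4 "
    "TerminalSessionId: 1 IntegrityLevel: Medium "
    "Hashes: SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,"
    "MD5=d41d8cd98f00b204e9800998ecf8427e,"
    "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,"
    "IMPHASH=00000000000000000000000000000000 "
    "ParentProcessGuid: {00000000-0000-0000-0000-000000000003} ParentProcessId: 1234 "
    "ParentImage: C:\\Windows\\System32\\cmd.exe "
    "ParentCommandLine: cmd.exe /c start.bat"
)


def extract_custom_properties(event: str) -> dict:
    """Evaluate every custom property regex against the event text; a property is the
    first capture group of its regex, or None when the pattern does not match."""
    props = {}
    for name, pattern in CUSTOM_PROPERTIES.items():
        m = re.search(pattern, event)
        props[name] = m.group(1) if m else None
    return props


def ps_encoded_command(command_line: str):
    """Pull the base64 argument that follows an -e/-enc/-EncodedCommand switch."""
    m = re.search(PS_ENCODED_COMMAND, command_line)
    return m.group(1) if m else None


def base64_decode(encoded: str):
    """Stand-in for the extension's base64Decode custom function (assumed to behave the
    same): reverse the UTF-16LE + base64 encoding; return None on malformed input."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: str) -> dict:
    """Extract the custom properties and, if present, the decoded PowerShell command."""
    props = extract_custom_properties(event)
    encoded = ps_encoded_command(props["Process CommandLine"] or "")
    props["PS Encoded Command"] = encoded
    props["Decoded Command"] = base64_decode(encoded) if encoded else None
    return props
```

Running analyse(SAMPLE_EVENT) yields the file name properties (powershell.exe, cmd.exe), the four hashes and the decoded command line, which is the value a rule or saved search can inspect instead of the opaque base64.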

Setting Up Sysmon

To use the JSA Sysmon Content Extension, install Sysmon on your Windows endpoints and then forward the Sysmon events to JSA by using a Windows server.

Install Sysmon

Install Sysmon on your Windows endpoints.

  1. Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.

  2. Extract the .zip file.

  3. Right-click the .exe file for your system and select Run as administrator.

    • For a 32-bit system, choose Sysmon.exe.

    • For a 64-bit system, choose Sysmon64.exe.

  4. Configure Sysmon. You might want to use one of the collaborative efforts as a basis for your Sysmon configuration, such as this one from SwiftOnSecurity (https://github.com/SwiftOnSecurity/sysmon-config).

Create a Log Source

Use the following XPath query when you set up your log sources:

  <QueryList>
    <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
      <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
    </Query>
  </QueryList>

Deploy Sysmon

The following examples provide ways that you can deploy Sysmon on your systems and feed the information that is collected into JSA.

Figure 1: Example 1: Windows Event Forwarding

Example 1: Windows Event Forwarding

  1. Install and configure Sysmon on each of your Windows endpoints.

  2. Set up a subscription for forwarded events in Windows Event Collector Service for Sysmon on a Windows server where WinCollect is installed.

  3. Feed the information in the forwarded events from the server into your JSA system where the Sysmon content extension is installed.

You now have a log source for each Windows endpoint in JSA.

For more information about setting up WinCollect agents, see the Juniper Secure Analytics Wincollect Guide.

Figure 2: Example 2: Syslog Relay

Example 2: Syslog Relay

  1. Install and configure Sysmon and WinCollect agents on your Windows endpoints.

  2. Configure the destination of the WinCollect agents to a server that you're running as a syslog relay. You can use NXLog, Rsyslog, or another tool for your syslog relay.

  3. Relay the data from the Windows server to a JSA appliance where the Sysmon content extension is installed.

Depending on the configuration that you use at the syslog relay, events come in as separate log sources or as one log source. If all the events come in as one log source, you can distinguish the endpoints by using a custom event property for the event name that can be found in the log.

For more information about setting up WinCollect agents, see the Juniper Secure Analytics Wincollect Guide.