Windows Event Log Integration
This guide covers how to install the KYRA EDR agent on Windows endpoints to collect and forward Windows Security, System, and Sysmon event logs to KYRA MDR.
Supported versions: Windows 10/11, Windows Server 2016, 2019, 2022, 2025
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- Windows administrator access
- Network connectivity to the collector or directly to KYRA platform
Step 1: Install the KYRA EDR Agent
PowerShell (Recommended)
Run PowerShell as Administrator:
```powershell
# Download and install the KYRA EDR agent
Invoke-WebRequest -Uri "https://install.kyra.ai/edr/windows" -OutFile "$env:TEMP\kyra-edr-setup.msi"

# Check the download's Authenticode signature before installing (Status should be Valid)
Get-AuthenticodeSignature "$env:TEMP\kyra-edr-setup.msi" | Select-Object Status, SignerCertificate

# Quote the MSI path in case %TEMP% contains spaces; /l*v writes a verbose install log for troubleshooting
Start-Process msiexec.exe -ArgumentList "/i `"$env:TEMP\kyra-edr-setup.msi`" TENANT_ID=your-tenant-id API_KEY=your-api-key /quiet /l*v `"$env:TEMP\kyra-edr-install.log`"" -Wait
```

The agent will:
- Install as a Windows service (`KYRA EDR Agent`)
- Subscribe to the Security, System, and Application event channels
- Begin forwarding events to the KYRA Collector or platform
Group Policy Deployment
For deploying across multiple endpoints via Active Directory GPO:
- Download the MSI from Console > Settings > Downloads
- Create a `transform.mst` file with your Tenant ID and API Key
- Deploy via Computer Configuration > Policies > Software Settings > Software installation
Step 2: Configure Windows Audit Policies
Windows does not log many critical events by default. Enable the recommended audit policies to get meaningful security telemetry.
Using Group Policy (GPO)
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration:
| Category | Subcategory | Setting |
|---|---|---|
| Account Logon | Credential Validation | Success, Failure |
| Account Logon | Kerberos Authentication Service | Success, Failure |
| Account Logon | Kerberos Service Ticket Operations | Success, Failure |
| Account Management | User Account Management | Success, Failure |
| Account Management | Security Group Management | Success, Failure |
| Logon/Logoff | Logon | Success, Failure |
| Logon/Logoff | Special Logon | Success |
| Object Access | File System | Failure |
| Object Access | Other Object Access Events | Success |
| Policy Change | Audit Policy Change | Success |
| Privilege Use | Sensitive Privilege Use | Success, Failure |
| Detailed Tracking | Process Creation | Success |
| System | Security State Change | Success |
| System | Security System Extension | Success |

Kerberos Service Ticket Operations, Other Object Access Events and Security System Extension are included because event IDs used later on this page (4769, 4698 and 4697 respectively) are only written when those subcategories are audited. The two Kerberos subcategories only produce events on domain controllers, so make sure they reach the DC policy. Event 5156 additionally needs Filtering Platform Connection auditing, which is high-volume on busy hosts; enable it deliberately rather than by default.
Using PowerShell
```powershell
# Enable critical audit policies (local settings; a domain GPO that configures
# Advanced Audit Policy will overwrite these at the next policy refresh)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable
auditpol /set /subcategory:"Security State Change" /success:enable
auditpol /set /subcategory:"File System" /failure:enable

# Enable command-line logging in process creation events
# (GPO equivalent: Computer Configuration > Policies > Administrative Templates > System >
#  Audit Process Creation > "Include command line in process creation events")
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
```

Important: Enable command-line process auditing. Without it, Event ID 4688 only shows the process name, not the full command, which is what you need to detect fileless malware and LOLBins (Living Off the Land Binaries). Be aware that captured command lines can include secrets passed as arguments (for example passwords on a `net use` line), and those will be forwarded with the event.
Step 3: Install Sysmon (Recommended)
Microsoft Sysmon provides detailed process, network, and file activity logging that goes far beyond native Windows events.
```powershell
# Download Sysmon
Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -OutFile "$env:TEMP\Sysmon64.exe"

# Download KYRA's recommended Sysmon config
Invoke-WebRequest -Uri "https://install.kyra.ai/sysmon/config.xml" -OutFile "$env:TEMP\sysmonconfig.xml"

# Install Sysmon with config (use -c instead of -i to update the config of an existing install)
& "$env:TEMP\Sysmon64.exe" -accepteula -i "$env:TEMP\sysmonconfig.xml"
```

The KYRA EDR agent automatically collects Sysmon events from the Microsoft-Windows-Sysmon/Operational channel.
Key Event IDs Monitored
Windows Security Events
| Event ID | Category | Description | Detection Use |
|---|---|---|---|
| 4624 | Logon | Successful logon | Lateral movement, anomalous access |
| 4625 | Logon | Failed logon | Brute force, password spraying |
| 4648 | Logon | Explicit credential logon | Pass-the-hash, credential theft |
| 4672 | Logon | Special privileges assigned | Privilege escalation |
| 4688 | Process | New process created | Malware execution, LOLBins |
| 4697 | System | Service installed | Persistence, backdoor installation |
| 4720 | Account | User account created | Unauthorized account creation |
| 4722 | Account | User account enabled | Dormant account activation |
| 4728 | Account | Member added to security group | Privilege escalation |
| 4732 | Account | Member added to local group | Local admin escalation |
| 4768 | Kerberos | Kerberos TGT requested | Pass-the-ticket, Golden ticket |
| 4769 | Kerberos | Kerberos service ticket requested | Kerberoasting |
| 4776 | Credential | Credential validation | NTLM authentication monitoring |
| 5156 | Firewall | Windows Firewall allowed connection | Network activity baseline |
| 7045 | System | New service installed | Persistence mechanism |
Sysmon Events
| Event ID | Description | Detection Use |
|---|---|---|
| 1 | Process creation (with hash) | Malware detection, LOLBin abuse |
| 3 | Network connection | C2 communication, data exfil |
| 7 | Image loaded (DLL) | DLL injection, side-loading |
| 8 | CreateRemoteThread | Process injection |
| 10 | Process access | Credential dumping (LSASS) |
| 11 | File created | Dropper detection, staging |
| 13 | Registry value set | Persistence, config changes |
| 22 | DNS query | C2 domain lookup, DNS tunneling |
Step 4: Verify Events Are Flowing
On the Windows Endpoint
```powershell
# Check the KYRA EDR agent is running
Get-Service "KYRA EDR Agent"

# View recent agent logs
Get-Content "C:\ProgramData\KYRA\EDR\logs\agent.log" -Tail 20

# Verify event subscription is active
wevtutil qe "KYRA-EDR/Operational" /c:5 /rd:true /f:text
```

In the KYRA Console
- Go to Log Search
- Filter by `source_type:windows` or search for your hostname
- You should see Windows Security events (4624, 4625, etc.)
- If Sysmon is installed, search for `source_type:sysmon`
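Before looking in the console it is worth confirming the endpoint side on its own. The script below is an added example, not KYRA tooling: it generates the same test events as the next subsection, then searches the local Security log (and the Sysmon channel, if present) for them, so a miss here is a Windows audit problem rather than a forwarding problem. The account name KYRASMOKETEST is an assumption and does not need to exist.

```powershell
# Added example (not KYRA tooling): endpoint-side smoke test. Run elevated.
# Assumes the local Security log is readable and the system clock is sane.

$start = (Get-Date).AddSeconds(-5)

# 1. Failed network logon (4625) against the local IPC$ share with a bogus account
net use \\localhost\IPC$ /user:KYRASMOKETEST wrongpassword 2>$null | Out-Null
# 2. Process creation (4688 / Sysmon 1) with a recognisable command line
cmd.exe /c "whoami /user" | Out-Null

Start-Sleep -Seconds 3   # give the event log service a moment to commit the records

function Get-Field {
    # Return one named <Data> value from an event's EventData block
    param($Event, [string]$Name)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Test-EventSeen {
    # PASS if an event with $Id written since $start satisfies $Match; SKIP if the channel is absent
    param([string]$LogName, [int]$Id, [scriptblock]$Match)
    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) { return 'SKIP (channel absent)' }
    $hits = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $start } -ErrorAction SilentlyContinue |
        Where-Object { & $Match $_ }
    if ($hits) { 'PASS' } else { 'FAIL' }
}

$checks = [ordered]@{
    '4625 failed logon recorded'     = Test-EventSeen Security 4625 { param($e) (Get-Field $e TargetUserName) -eq 'KYRASMOKETEST' }
    '4688 process creation recorded' = Test-EventSeen Security 4688 { param($e) (Get-Field $e NewProcessName) -like '*\whoami.exe' }
    '4688 carries the command line'  = Test-EventSeen Security 4688 { param($e) (Get-Field $e CommandLine) -match 'whoami' }
    'Sysmon 1 process creation'      = Test-EventSeen 'Microsoft-Windows-Sysmon/Operational' 1 { param($e) (Get-Field $e Image) -like '*\whoami.exe' }
}

foreach ($c in $checks.GetEnumerator()) { '{0,-22} {1}' -f $c.Value, $c.Key }
```

If the 4688 event is recorded but the command-line check fails, the `ProcessCreationIncludeCmdLine_Enabled` value from Step 2 is not in effect; if everything passes locally but nothing reaches the console, the problem is in the agent or the network path, which is what the Troubleshooting section covers.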
Generate Test Events
```powershell
# Generate a failed logon event (Event ID 4625)
net use \\localhost\IPC$ /user:TESTUSER wrongpassword 2>$null

# Generate a process creation event (Event ID 4688 / Sysmon 1)
cmd.exe /c whoami

# Generate an account management event (Event ID 4720 on creation, 4726 on deletion)
# WARNING: This creates an actual user; only use on test systems
net user KYRATest P@ssw0rd123 /add
net user KYRATest /delete
```

Detection Rules
KYRA MDR includes built-in detection rules for Windows events:
| Detection | Event IDs | MITRE ATT&CK | Description |
|---|---|---|---|
| Brute Force | 4625 | T1110 | Multiple failed logons in short period |
| Pass-the-Hash | 4624 (Type 3) | T1550.002 | NTLM logon with unusual source |
| Kerberoasting | 4769 | T1558.003 | RC4 encryption service ticket requests |
| LSASS Access | Sysmon 10 | T1003.001 | Process accessing LSASS memory |
| Suspicious Process | 4688/Sysmon 1 | T1059 | Known attack tools (mimikatz, psexec, etc.) |
| New Service | 7045 | T1543.003 | Service installed from unusual path |
| Admin Group Change | 4728/4732 | T1098 | User added to privileged group |
| Scheduled Task | 4698 | T1053.005 | New scheduled task created |
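To make the logic behind two of these rules concrete, here is an added example (not KYRA's built-in rule implementation) that reimplements Brute Force and Kerberoasting as functions over flattened Security event data. It runs against constructed sample events embedded below, which are designed to trigger one finding each: a short 4625 burst from one source and a single RC4 service-ticket request for a service account. The threshold, the window, the RC4 heuristic and the sample data are all the example's own assumptions, not KYRA's tuned values.

```powershell
# Added example (not KYRA's rule logic): two detections from the table above,
# written over hashtables of EventData fields so they can run on constructed
# samples (below) or on live events converted with ConvertFrom-EventData.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable, plus Id and time
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{ Id = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-BruteForce {
    # 4625 bursts: at least $Threshold failures from one source IP inside $WindowMinutes
    # (threshold and window are assumptions; tune them to your environment)
    param([hashtable[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    $Events | Where-Object { $_.Id -eq 4625 } |
        Group-Object { $_.IpAddress } | ForEach-Object {
            $sorted = $_.Group | Sort-Object { $_.TimeCreated }
            for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
                $last = $sorted[$i + $Threshold - 1]
                if (($last.TimeCreated - $sorted[$i].TimeCreated).TotalMinutes -le $WindowMinutes) {
                    [pscustomobject]@{
                        Rule     = 'Brute Force'
                        Source   = $_.Name
                        Accounts = ($sorted.TargetUserName | Sort-Object -Unique) -join ','
                        Failures = $sorted.Count
                        First    = $sorted[0].TimeCreated
                        Last     = $sorted[-1].TimeCreated
                    }
                    break   # one finding per source is enough
                }
            }
        }
}

function Find-Kerberoasting {
    # Successful 4769 with RC4 (0x17) ticket encryption for a real service account;
    # krbtgt and computer accounts (names ending in $) are excluded as noise
    param([hashtable[]]$Events)
    $Events | Where-Object {
        $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt'
    } | ForEach-Object {
        [pscustomobject]@{ Rule = 'Kerberoasting'; Requester = $_.TargetUserName; Source = $_.IpAddress; Service = $_.ServiceName }
    }
}

# Constructed sample data (not real logs): a 12-second spray across four accounts,
# one unrelated failure, one RC4 ticket request for svc_sql, one AES krbtgt request
$t0 = Get-Date '2024-01-01 09:00:00'
$sample = @(
    0..11 | ForEach-Object { @{ Id = 4625; TimeCreated = $t0.AddSeconds($_); IpAddress = '10.0.0.23'; TargetUserName = "user$($_ % 4)"; LogonType = '3' } }
    @{ Id = 4625; TimeCreated = $t0.AddMinutes(30); IpAddress = '10.0.0.9'; TargetUserName = 'alice'; LogonType = '2' }
    @{ Id = 4769; TimeCreated = $t0.AddMinutes(2); TargetUserName = 'bob@CORP.LOCAL'; IpAddress = '::ffff:10.0.0.23'; ServiceName = 'svc_sql'; TicketEncryptionType = '0x17'; Status = '0x0' }
    @{ Id = 4769; TimeCreated = $t0.AddMinutes(3); TargetUserName = 'WS01$@CORP.LOCAL'; IpAddress = '::ffff:10.0.0.40'; ServiceName = 'krbtgt'; TicketEncryptionType = '0x12'; Status = '0x0' }
)

Find-BruteForce -Events $sample | Format-Table -AutoSize
Find-Kerberoasting -Events $sample | Format-Table -AutoSize

# Same rules over the live Security log (last 24 h), once events are flowing:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4769; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
#     ForEach-Object { ConvertFrom-EventData $_ }
# Find-BruteForce -Events $live; Find-Kerberoasting -Events $live
```

The Kerberoasting rule is only meaningful on domain controllers, which are the only hosts that write 4769, and it will also fire on legitimate RC4 requests from legacy clients, so the console rule is expected to add baselining that this example leaves out.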
Troubleshooting
No Events in Console
- Agent running? Check `Get-Service "KYRA EDR Agent"`
- Audit policies enabled? Run `auditpol /get /category:*` to verify
- Firewall? Ensure the agent can reach the collector or `ingest.seekerslab.com:443`
- Event log permissions? The agent runs as `LOCAL SYSTEM` and should have access
Missing Process Events
- Verify Process Creation auditing is enabled: `auditpol /get /subcategory:"Process Creation"`
- Enable command-line logging via the registry key shown in Step 2
- Install Sysmon for richer process telemetry
High CPU or Memory Usage
The KYRA EDR agent typically uses less than 1% CPU and 50 MB RAM. If usage is high:
- Check the log file at `C:\ProgramData\KYRA\EDR\logs\agent.log` for errors
- Verify the Sysmon config is not overly broad (e.g., logging all network connections)
- Restart the agent: `Restart-Service "KYRA EDR Agent"`