The sysmon.bat script will copy the sysmon configuration file (sysmon.xml) to the local location on remote devices as defined in your bat script. If sysmon isn’t running, it will install it using the configuration file sysmon.xml. Create or use a folder on your domain that will be replicated with other domain controllers such as the NETLOGON share, and add the below files to it. REFERENCE
Add sysmon.bat as a start up script to other devices in your domain by using Group Policy. The location to add Startup Scripts is at Computer configuration > Policies > Windows Settings > Scripts > Startup. Then add the network share location to the "Script Name" value and leave the "Script Parameters" section blank REFERENCE
Once successfully pushed out you should be able to see the sysmon.xml file in the location the sysmon.bat file saved it too on the machines in your domain you have the group policy object applied too. Sysmon logs can be viewed inside "Event Viewer" at "Applications and Services Logs > Microsoft > Sysmon > Operational"
Create a scheduled task to push out through Group Policy that executes the PowerShell Script MaliciousIPChecker.ps1 once an hour. This will look at the IP Addresses that a device has had connections with over the last hour and then perform a Blacklist check as well as verify the domain is more than 2 years old. If these conditions are not met they will be logged to the Event Viewer in a custom log called MaliciousIPs.
Finally we will want to add a Scheduled Task to our Group Policy. This task will be used to execute the script "MacliciousIPChecker.ps1" that lookups up information on the collected IP addresses from the Sysmon logs. Any IP addresses that are viewed as malicious will have an event created and than forwarded to the WEF Application. This policy can be set at "Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks". The WEF Application will alert you of any of these events that are recorded.