
Sysmon configuration file template with default high-quality event tracing

Results 82 sysmon-config issues

While reviewing the Sysmon configuration, I have created documentation to provide an overview of what the configuration monitors.

There is a typo on line `519`: instead of monitoring for `.xsl` file creations, the configuration is monitoring for `.xls`. There is a duplicate entry on line 537 to capture...

This update to Sysmon, an advanced host security monitoring tool, sets the service to run as a protected process, hardening it against tampering, adds a new event, FileExecutableDetected, for when...

Is it possible to exclude the AppLocker test events, which Windows generates loads of, from being forwarded to our Windows event collector? Our sysmonconf file is the Swift sysmon.xml the...

Receiving an error with sysmon 14.16 and this config file: Error: Incorrect XML configuration: sysmonconfig-export.xml Reason: Element 'RuleGroup' is unexpected according to content model of parent element 'EventFiltering'. Expecting: ProcessCreate,...

Accepting the Sysmon EULA and installing a config nowadays need to be on separate lines.

Hi @all. As you know, there are currently 28 event IDs. Is an update of the config planned or possible? BTW, the project is helpful. THX

PowerShell versions 6 and above use the executable `pwsh.exe` instead of `powershell.exe`:

- [First introduced in PowerShell 6](https://learn.microsoft.com/en-us/previous-versions/powershell/scripting/whats-new/breaking-changes-ps6?view=powershell-6#rename-powershellexe-to-pwshexe-5101)
- [Also used in PowerShell 7](https://learn.microsoft.com/en-us/powershell/scripting/whats-new/differences-from-windows-powershell?view=powershell-7.3#powershell-executable-changes)

`pwsh.exe` doesn't come installed by default...

Added a simple install/update script for easy deployment on Windows systems, along with a description in the README. Most of the changes in the config file are in pull requests from...

I applied the sysmon-config successfully to approx. 285 Windows servers in our estate without issue. However, one file server (Server 2012 R2) out of our 4 identical file servers developed...