SwiftOnSecurity / Sysmon Config

Sysmon configuration file template with default high-quality event tracing

Projects that are alternatives of or similar to Sysmon Config

Sysmontools
Utilities for Sysmon
Stars: ✭ 903 (-72.53%)
Mutual labels:  monitoring, logging, threat-hunting, threatintel, netsec, sysmon
Sentinel Attack
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
Stars: ✭ 676 (-79.43%)
Mutual labels:  logging, threat-hunting, sysmon
Sigma
Generic Signature Format for SIEM Systems
Stars: ✭ 4,418 (+34.41%)
Mutual labels:  monitoring, logging, sysmon
csirtg-smrt-v1
the fastest way to consume threat intelligence.
Stars: ✭ 27 (-99.18%)
Mutual labels:  threat-hunting, threatintel
Stalkphish
StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.
Stars: ✭ 256 (-92.21%)
Mutual labels:  threat-hunting, threatintel
TA-Sysmon-deploy
Deploy and maintain Sysmon through the Splunk Deployment Server
Stars: ✭ 31 (-99.06%)
Mutual labels:  sysmon, threat-hunting
Applicationinsights Home
Application Insights main repository for documentation of overall SDK offerings for all platforms.
Stars: ✭ 221 (-93.28%)
Mutual labels:  monitoring, logging
SysmonConfigPusher
Pushes Sysmon Configs
Stars: ✭ 59 (-98.21%)
Mutual labels:  sysmon, threat-hunting
ThreatIntelligence
Tracking APT IOCs
Stars: ✭ 23 (-99.3%)
Mutual labels:  threat-hunting, threatintel
sqhunter
A simple threat hunting tool based on osquery, Salt Open and Cymon API
Stars: ✭ 64 (-98.05%)
Mutual labels:  threat-hunting, threatintel
YAFRA
YAFRA is a semi-automated framework for analyzing and representing reports about IT Security incidents.
Stars: ✭ 22 (-99.33%)
Mutual labels:  threat-hunting, threatintel
mail to misp
Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails.
Stars: ✭ 61 (-98.14%)
Mutual labels:  threat-hunting, threatintel
evtx-hunter
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.
Stars: ✭ 122 (-96.29%)
Mutual labels:  threat-hunting, netsec
SysmonResources
Consolidation of various resources related to Microsoft Sysmon & sample data/log
Stars: ✭ 64 (-98.05%)
Mutual labels:  sysmon, threat-hunting
Applicationinsights Node.js
Microsoft Application Insights SDK for Node.js
Stars: ✭ 229 (-93.03%)
Mutual labels:  monitoring, logging
censys-recon-ng
recon-ng modules for Censys
Stars: ✭ 29 (-99.12%)
Mutual labels:  threat-hunting, threatintel
ir scripts
incident response scripts
Stars: ✭ 17 (-99.48%)
Mutual labels:  sysmon, threat-hunting
IronNetTR
Threat research and reporting from IronNet's Threat Research Teams
Stars: ✭ 36 (-98.9%)
Mutual labels:  threat-hunting, threatintel
Threatpinchlookup
Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension
Stars: ✭ 257 (-92.18%)
Mutual labels:  threat-hunting, threatintel
Sematext Agent Docker
Sematext Docker Agent - host + container metrics, logs & event collector
Stars: ✭ 194 (-94.1%)
Mutual labels:  monitoring, logging

sysmon-config | A Sysmon configuration file for everybody to fork

This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.

The file should function as a great starting point for system change monitoring in a self-contained and accessible package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.

      sysmonconfig-export.xml

Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems.

Note: The exact syntax and filtering choices in the configuration are highly deliberate in what they target, and are chosen to have as little performance impact as possible. Sysmon's filtering abilities are different from the built-in Windows auditing features, so a different approach is often taken than the usual static listing of paths.

      See other forks of this configuration

Use

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig-export.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig-export.xml

Uninstall

Run with administrator rights

sysmon.exe -u

Required actions

Prerequisites

Highly recommend using Notepad++ to edit this configuration. It understands UNIX newline format and does XML syntax highlighting, which makes this very understandable. I do not recommend using the built-in Notepad.exe.

Customization

You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.

The configuration is highly commented and designed to be self-explanatory to assist you in this customization to your environment.
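One way to work through the customization step above, as an added example that is not part of the sysmon-config project: tally which process images dominate a sample of Sysmon EventID 1 (ProcessCreate) records, then write an exact-match Image exclusion for the noisiest one into a minimal config fragment. The event records, the "ExampleAV" path and the minimal config are constructed for this example; a real run would feed it events exported from your own environment.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of Sysmon ProcessCreate (EventID 1) records, reduced to the
# fields this example uses. The ExampleAV path is a placeholder, not a real product.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\ExampleAV\avscan.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\ExampleAV\avscan.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\ExampleAV\avscan.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\ExampleAV\avscan.exe"},  # network event, not counted
]

# Constructed minimal config in the shape Sysmon expects: a RuleGroup holding a
# ProcessCreate block whose Image rules exclude matching events from the log.
MINIMAL_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def noisiest_images(events, event_id=1, top=3):
    """Return (image, count) pairs for the most frequent images of one event type."""
    counts = Counter(e["Image"] for e in events if e["EventID"] == event_id)
    return counts.most_common(top)

def add_process_exclusion(config_xml, image_path):
    """Append an exact-match Image exclusion to the ProcessCreate exclude block,
    creating the block if absent; repeated calls do not add duplicates."""
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    block = filtering.find(".//ProcessCreate[@onmatch='exclude']")
    if block is None:
        group = ET.SubElement(filtering, "RuleGroup", name="", groupRelation="or")
        block = ET.SubElement(group, "ProcessCreate", onmatch="exclude")
    if not any(rule.text == image_path for rule in block.findall("Image")):
        rule = ET.SubElement(block, "Image", condition="is")
        rule.text = image_path
    return ET.tostring(root, encoding="unicode")

def excluded_images(config_xml):
    """List the Image paths currently excluded from ProcessCreate logging."""
    root = ET.fromstring(config_xml)
    return [r.text for r in root.findall(".//ProcessCreate[@onmatch='exclude']/Image")]
```

Review the tally before excluding anything: an image that is noisy because it is malicious must stay logged, and an `is` rule on the full path only silences that exact binary.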

Design notes

This configuration expects software to be installed system-wide and NOT in the C:\Users folder. Various pieces of software install themselves in User directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions.
