1 | 1 | <!--
2 | 2 | sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community
3 |
| - Master version: 70 | Date: 2019-04-05 |
| 3 | + Master version: 70alpha | Date: 2019-05-10 |
4 | 4 | Master author: @SwiftOnSecurity, other contributors also credited in-line or on Git
5 | 5 | Master project: https://github.com/SwiftOnSecurity/sysmon-config
6 | 6 | Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
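Review bot: the new "Master version: 70alpha" on the changed line 3 breaks the integer-only versioning used so far (70), and pairs a pre-release label with a date (2019-05-10) later than the released 70; anyone comparing header versions across deployed configs will see an alpha that sorts after the release. Either bump to the next integer with a pre-release note in the comment, or keep 70 until the release is cut and update only the date.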
10 | 10 | Fork project: <N/A>
11 | 11 | Fork license: <N/A>
12 | 12 |
13 |
| - REQUIRED: Sysmon version 9.01 or higher (due to changes in registry syntax and bug-fixes) |
| 13 | + REQUIRED: Sysmon version 9.02 or higher (due to changes in syntax and bug-fixes) |
14 | 14 | https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
15 | 15 | Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
16 | 16 |
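Review bot: raising the requirement to Sysmon 9.02 on the changed line 13 leaves line 15 ("Note that 6.03 and 7.01 have critical fixes for filtering") stale, since anyone meeting the requirement is already past those versions; drop that note or reword it as history. The edit also replaces "changes in registry syntax" with the vaguer "changes in syntax", which loses the one concrete reason a reader has for the version floor; keep the specific wording unless 9.02 introduced syntax changes outside the registry rules.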
23 | 23 | client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
24 | 24 | as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
25 | 25 |
26 |
| - NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change and event logging tool. |
| 26 | + NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change event logging tool. |
27 | 27 | Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
28 | 28 | processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
29 | 29 |
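Review bot: deleting "and" on the changed line 26 turns "computer change and event logging tool" into "computer change event logging tool", which reads as a stray noun pile; if the intent is that Sysmon logs change events, hyphenate it as "change-event logging tool", otherwise restore the conjunction.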
861 | 861 | <!--EVENT 22: "Dns query"-->
862 | 862 |
863 | 863 | <!--NOTE: Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover.
864 |
| - If you do not collect events centrally yet, definately remove this section to preserve other events that are much more important. It's okay to come back later. --> |
| 864 | + If you do not collect events centrally yet, definitely remove this section to preserve other events that are much more important. It's okay to come back later. --> |
865 | 865 |
866 | 866 | <!--COMMENT: DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
867 | 867 | It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
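Review bot: the "definately" to "definitely" fix on the changed line 864 is correct, but the same comment block carries two more slips a typo-only commit should sweep up: line 867 "but at same time" needs "the", and line 866 "but lookup itself is not very informative" reads better as "but the lookup itself". Fixing them here keeps the Event 22 guidance consistent in one pass.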