10 changes: 5 additions & 5 deletions sysmonconfig-export.xml
Expand Up @@ -63,7 +63,7 @@

<Sysmon schemaversion="4.22">
<!--SYSMON META CONFIG-->
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
<HashAlgorithms>*</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->

<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
Expand Down Expand Up @@ -399,7 +399,7 @@

<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<ImageLoad onmatch="exclude">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ImageLoad>
</RuleGroup>
Expand Down Expand Up @@ -434,7 +434,7 @@

<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include">
<RawAccessRead onmatch="exclude">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</RawAccessRead>
</RuleGroup>
Expand All @@ -446,7 +446,7 @@

<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include">
<ProcessAccess onmatch="exclude">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ProcessAccess>
</RuleGroup>
Expand Down Expand Up @@ -812,7 +812,7 @@

<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
<RuleGroup name="" groupRelation="or">
<PipeEvent onmatch="include">
<PipeEvent onmatch="exclude">
<!--NOTE: Using incide with no rules means nothing in this section will be logged-->
</PipeEvent>
</RuleGroup>
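Review bot: The NOTE comment under each flipped `onmatch` attribute still describes the `include` case, so if the `onmatch="exclude"` lines are the new side (the rendered page has lost the +/- markers, so this is inferred from print order) the comments now contradict the rules they annotate: an `exclude` section with no rules logs every event of that type rather than none. For ImageLoad that is every DLL load on the host, and ProcessAccess and PipeEvent are similarly high-volume, which can flood the Sysmon channel and roll the higher-signal events out of the log before they are collected; either add exclude filters for known-noisy images or make the volume decision explicit, e.g. `<!--NOTE: Using "exclude" with no rules means EVERY event in this section will be logged; tune exclusions before deploying fleet-wide-->`. The `<HashAlgorithms>*</HashAlgorithms>` comment is likewise stale, since `*` requests all supported algorithms per the Sysmon documentation (MD5, SHA1, SHA256, IMPHASH) rather than the two it names; `<!-- "*" computes every supported hash (MD5, SHA1, SHA256, IMPHASH) at the cost of extra per-file hashing -->` would match the value. The enclosing `<Sysmon>` root and the EventFiltering wrapper around these rule groups begin and end outside the visible hunks.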