sysmon-config
Sysmon configuration file template with default high-quality event tracing (by SwiftOnSecurity)
Event-Forwarding-Guidance
Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber (by nsacyber)
Our great sponsors
| sysmon-config | Event-Forwarding-Guidance | |
|---|---|---|
| 34 | 4 | |
| 4,565 | 787 | |
| - | - | |
| 0.0 | 0.0 | |
| 3 months ago | over 3 years ago | |
| PowerShell | ||
| - | GNU General Public License v3.0 or later |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysmon-config
Posts with mentions or reviews of sysmon-config.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-05-30.
-
Troubleshooting Intermittent Slowness on Network Share
https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/networking-overview plenty of windows troubleshooting tips here too, and this is pretty good symon script saves to event viewer even after a reboot! , also care with wireshark as it may give you a false sense of there's a fault, try tcpIPview from sysinternals and yeah procmon for sure. https://github.com/SwiftOnSecurity/sysmon-config use psping to ping the server directly and see the latency goes up and down, you can ping it more often every 1 second so you get a better more detailed resul.
-
Sysmon not reading our config.xml-file
Rebooted and downloaded sysmon 14.16 and sysmonconfig-export.xml
-
Cheap, Fast, Good and Simple Remote Monitoring for Small Environments
There's all sorts of things you can do for various types of monitoring including Zabbix, Graylog, roll-your-own with Sysmon (see https://github.com/SwiftOnSecurity/sysmon-config), etc. The question becomes one of time - don't get so focused on DIY or free that you spend hours (or pay someone to spend hours) a month babysitting.
-
How do you actually threat hunt?
If you don't catch it what changes can you do to your logging to enable it? Can you push it out to the environment? While sysmon is awesome, you can do your hunts with built in logging most of the time... Just might not have all the data around it you want to have. I would throw sysmon on a test box (make sure you have a config file that filters out the noise: https://github.com/SwiftOnSecurity/sysmon-config)
-
How do I exclude specific event IDs in Sysmon?
I played around with https://github.com/SwiftOnSecurity/sysmon-config Maybe there xml can point you in the right direction
-
Finding the Process initiating a ping
and here's an off the shelf config file: https://github.com/SwiftOnSecurity/sysmon-config
- How to filter SysMon Logs for suspicious events
- SysMon Deployment Help
-
MISP integration issues
- Make sure you have sysmon installed on the agent host and it is logging event to the Sysmon folder as ID 22. Can use this xml file
-
Network Share - Word and excel files take 35 seconds to open/save, all other file types open immediately.
Out of our 286 Windows Servers, this single server did not like our sysmon config file from SwitfOnSecurity - https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
Event-Forwarding-Guidance
Posts with mentions or reviews of Event-Forwarding-Guidance.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2020-12-31.
-
Which event id's are generated from advanced auditing policies?
See https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events.
-
DC's are drowning in Event 521 security events
NSA has some good guidance of which ones are of value here
-
Suspect user of clearing security log on server, what are my next steps?
Your next step is to implement Event Forwarding using NSA's handy scripts to a centralized logging server or repository.
-
For those that use windows log forwarding, what are you forwarding?
Good guide here - https://github.com/nsacyber/Event-Forwarding-Guidance
What are some alternatives?
When comparing sysmon-config and Event-Forwarding-Guidance you can also consider the following projects:
sysmon-modular - A repository of sysmon configuration modules
Windows-10-Sophia-Script - :zap: A powerful PowerShell module for fine-tuning and tweaking Windows 10 & Windows 11 [Moved to: https://github.com/farag2/Sophia-Script-for-Windows]
sigma - Main Sigma Rule Repository
commando-vm - Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution. [email protected]
ThreatHunting - Tools for hunting for threats.
Scoop - A command-line installer for Windows.
ansible-role-elasticsearch - Ansible Role - Elasticsearch
Sophia-Script-for-Windows - :zap: The most powerful PowerShell module on GitHub for fine-tuning Windows 10 & Windows 11
SysmonTools - Utilities for Sysmon
SpotX-Win - Blocking ads and updates for the desktop version of Spotify, disabling podcasts and more. [Moved to: https://github.com/amd64fox/SpotX]
vscode-sysmon - Visual Studio Code Microsoft Sysinternal Sysmon configuration file extension.
SysmonForLinux
sysmon-config vs sysmon-modular
Event-Forwarding-Guidance vs Windows-10-Sophia-Script
sysmon-config vs sigma
Event-Forwarding-Guidance vs commando-vm
sysmon-config vs ThreatHunting
Event-Forwarding-Guidance vs Scoop
sysmon-config vs ansible-role-elasticsearch
Event-Forwarding-Guidance vs Sophia-Script-for-Windows
sysmon-config vs SysmonTools
Event-Forwarding-Guidance vs SpotX-Win
sysmon-config vs vscode-sysmon
sysmon-config vs SysmonForLinux