sysmon-config
Sysmon configuration file template with default high-quality event tracing (by SwiftOnSecurity)
sigma
Main Sigma Rule Repository (by Neo23x0)
Our great sponsors
sysmon-config | sigma | |
---|---|---|
34 | 41 | |
4,565 | 7,598 | |
- | 3.1% | |
0.0 | 9.8 | |
3 months ago | about 21 hours ago | |
Python | ||
- | GNU General Public License v3.0 or later |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysmon-config
Posts with mentions or reviews of sysmon-config.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-05-30.
-
Troubleshooting Intermittent Slowness on Network Share
https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/networking-overview plenty of windows troubleshooting tips here too, and this is pretty good symon script saves to event viewer even after a reboot! , also care with wireshark as it may give you a false sense of there's a fault, try tcpIPview from sysinternals and yeah procmon for sure. https://github.com/SwiftOnSecurity/sysmon-config use psping to ping the server directly and see the latency goes up and down, you can ping it more often every 1 second so you get a better more detailed resul.
-
Sysmon not reading our config.xml-file
Rebooted and downloaded sysmon 14.16 and sysmonconfig-export.xml
-
Cheap, Fast, Good and Simple Remote Monitoring for Small Environments
There's all sorts of things you can do for various types of monitoring including Zabbix, Graylog, roll-your-own with Sysmon (see https://github.com/SwiftOnSecurity/sysmon-config), etc. The question becomes one of time - don't get so focused on DIY or free that you spend hours (or pay someone to spend hours) a month babysitting.
-
How do you actually threat hunt?
If you don't catch it what changes can you do to your logging to enable it? Can you push it out to the environment? While sysmon is awesome, you can do your hunts with built in logging most of the time... Just might not have all the data around it you want to have. I would throw sysmon on a test box (make sure you have a config file that filters out the noise: https://github.com/SwiftOnSecurity/sysmon-config)
-
How do I exclude specific event IDs in Sysmon?
I played around with https://github.com/SwiftOnSecurity/sysmon-config Maybe there xml can point you in the right direction
-
Finding the Process initiating a ping
and here's an off the shelf config file: https://github.com/SwiftOnSecurity/sysmon-config
- How to filter SysMon Logs for suspicious events
- SysMon Deployment Help
-
MISP integration issues
- Make sure you have sysmon installed on the agent host and it is logging event to the Sysmon folder as ID 22. Can use this xml file
-
Network Share - Word and excel files take 35 seconds to open/save, all other file types open immediately.
Out of our 286 Windows Servers, this single server did not like our sysmon config file from SwitfOnSecurity - https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
sigma
Posts with mentions or reviews of sigma.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-07-05.
-
Sigma rules in real life
Sigma rules https://github.com/SigmaHQ/sigma its value, I get it. Here’s a post https://www.linkedin.com/posts/nasreddinebencherchali_detection-blueteam-sigma-activity-7104868070069817344-mn91?utm_source=share&utm_medium=member_desktop detailing that 31 Sigma rules from the Sigma repository are triggering on different stages of the attack as described here https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
-
Looking for feedback on a security-related project idea
Idea: A free and open-source web repository of Sigma detections where users can find, contribute, and suggest edits to detections. All user contributions will go through a StackExchange-style moderation queue. Built-in conversion from Sigma to the query language of your choice.
-
SOC SIEM Use Cases for First Internship
If you want more ideas/inspiration, or even just a starting point for baseline rule logic check out https://github.com/SigmaHQ/sigma https://github.com/SigmaHQ/sigma and look into the different rules folders there.
-
How do you actually threat hunt?
Agreed in general. But with stuff like SIGMA, I'd lean towards stuff should going into git. Better version control, your docs can be markdown and live right next to your threat library, you can strap on CI/CD (so you can deploy/run stuff as part of a pipeline). Confluence is a great start, but it doesn't scale well.
- Open Source SIEM Tools
-
Detection Engineering Source Websites
Have a look a sigma rules: https://github.com/SigmaHQ/sigma
- Scheduling query to look for whenever net group is ran.
- Scheduling querying that looks for anytime net group is ran.
-
3CX Customers suffering intrusions
Sigma: https://github.com/SigmaHQ/sigma/pull/4151/files Yara: https://github.com/Neo23x0/signature-base/blob/master/yara/gen\_mal\_3cx\_compromise\_mar23.yar source: https://twitter.com/cyb3rops/status/1641130326830333984?s=20
-
Any Suggestions On Creating A Detection Rule In Defender For CVE-2023-23397
I created a Defender Advanced Hunting query based of the Sigma rule https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
What are some alternatives?
When comparing sysmon-config and sigma you can also consider the following projects:
sysmon-modular - A repository of sysmon configuration modules
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
ThreatHunting - Tools for hunting for threats.
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
ansible-role-elasticsearch - Ansible Role - Elasticsearch
wazuh-ruleset - Wazuh - Ruleset
SysmonTools - Utilities for Sysmon
velociraptor - Digging Deeper....
vscode-sysmon - Visual Studio Code Microsoft Sysinternal Sysmon configuration file extension.
OpenSIEM-Logstash-Parsing - SIEM Logstash parsing for more than hundred technologies
SysmonForLinux
detection-rules - Rules for Elastic Security's detection engine
sysmon-config vs sysmon-modular
sigma vs Wazuh
sysmon-config vs ThreatHunting
sigma vs atomic-red-team
sysmon-config vs ansible-role-elasticsearch
sigma vs wazuh-ruleset
sysmon-config vs SysmonTools
sigma vs velociraptor
sysmon-config vs vscode-sysmon
sigma vs OpenSIEM-Logstash-Parsing
sysmon-config vs SysmonForLinux
sigma vs detection-rules