Top 15 Sysmon Open-Source Projects
- DetectionLab: Automate the creation of a lab environment complete with security tooling and logging best practices
- ThreatHunter-Playbook: A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
- sysmon-config: Advanced Sysmon ATT&CK configuration focusing on Detecting the Most Techniques per Data source in MITRE ATT&CK, Provide Visibility into Forensic Artifact Events for UEBA, Detect Exploitation events with wide CVE Coverage, and Risk Scoring of CVE, UEBA, Forensic, and MITRE ATT&CK Events. (by ion-storm)
Sigma rules https://github.com/SigmaHQ/sigma its value, I get it. Here’s a post https://www.linkedin.com/posts/nasreddinebencherchali_detection-blueteam-sigma-activity-7104868070069817344-mn91?utm_source=share&utm_medium=member_desktop detailing that 31 Sigma rules from the Sigma repository are triggering on different stages of the attack as described here https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/networking-overview plenty of Windows troubleshooting tips here too, and this is a pretty good Sysmon script, saves to Event Viewer even after a reboot! Also take care with Wireshark as it may give you a false sense that there's a fault; try TCPView from Sysinternals and yeah, procmon for sure. https://github.com/SwiftOnSecurity/sysmon-config Use psping to ping the server directly and see the latency go up and down; you can ping it more often, every 1 second, so you get a better, more detailed result.
I was specifically using the https://github.com/olafhartong/sysmon-modular config, but once we started seeing systems crash I tried building extremely minimal configs and still found them causing hangs.
Project mention: EnableWindowsLogSettings: Documentation and scripts to properly enable Windows event logs. | /r/blueteamsec | 2023-06-04
Project mention: SysmonConfigPusher: Pushes Sysmon Configs - 2 years old, but wasn't included at the time | /r/blueteamsec | 2023-06-11
Sysmon related posts
- Troubleshooting Intermittent Slowness on Network Share
- Sysmon 15.0 is out now with advanced features
- Sysmon not reading our config.xml-file
- SysmonConfigPusher: Pushes Sysmon Configs - 2 years old, but wasn't included at the time
- Cheap, Fast, Good and Simple Remote Monitoring for Small Environments
- How do you actually threat hunt?
- How do I exclude specific event IDs in Sysmon?
Index
What are some of the best open-source Sysmon projects? This list will help you:
| # | Project | Stars |
|---|---------|-------|
| 1 | sigma | 7,563 |
| 2 | sysmon-config | 4,538 |
| 3 | DetectionLab | 4,476 |
| 4 | WindowsSpyBlocker | 4,437 |
| 5 | ThreatHunter-Playbook | 3,859 |
| 6 | sysmon-modular | 2,478 |
| 7 | SysmonTools | 1,442 |
| 8 | whids | 1,025 |
| 9 | sysmon-config | 747 |
| 10 | Zircolite | 593 |
| 11 | EnableWindowsLogSettings | 441 |
| 12 | iMonitorSDK | 320 |
| 13 | Shhmon | 216 |
| 14 | SysmonConfigPusher | 91 |
| 15 | sysmon | 55 |