forked from olafhartong/sysmon-modular
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbaseconfig.xml
35 lines (35 loc) · 1.56 KB
/
baseconfig.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<CheckRevocation/>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include"/>
<!-- Event ID 2 == File Creation Time. -->
<FileCreateTime onmatch="include"/>
<!-- Event ID 3 == Network Connection. -->
<NetworkConnect onmatch="include"/>
<!-- Event ID 5 == Process Terminated. -->
<ProcessTerminate onmatch="include"/>
<!-- Event ID 6 == Driver Loaded. -->
<DriverLoad onmatch="include"/>
<!-- Event ID 7 == Image Loaded. -->
<ImageLoad onmatch="include"/>
<!-- Event ID 8 == CreateRemoteThread. -->
<CreateRemoteThread onmatch="include"/>
<!-- Event ID 9 == RawAccessRead. -->
<RawAccessRead onmatch="include"/>
<!-- Event ID 10 == ProcessAccess. -->
<ProcessAccess onmatch="include"/>
<!-- Event ID 11 == FileCreate. -->
<FileCreate onmatch="include"/>
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
<RegistryEvent onmatch="include"/>
<!-- Event ID 15 == FileStream Created. -->
<FileCreateStreamHash onmatch="include"/>
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
<PipeEvent onmatch="exclude"/>
<!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
<WmiEvent onmatch="include"/>
</EventFiltering>
</Sysmon>