<Sysmon schemaversion="4.81">
<!--
  Sysmon "log everything" configuration (schema version 4.81).
  In Sysmon, an event-type element with onmatch="exclude" and no child rules
  excludes nothing, so every event of that type is recorded. This file therefore
  enables unfiltered logging for each filterable event type; there is no tuning.
  Event IDs 4 (service state changed), 16 (configuration changed) and 255 (error)
  are not filterable and are always logged, which is why they have no element here.
  NOTE(review): unfiltered ProcessAccess, NetworkConnect, DnsQuery, ImageLoad and
  RegistryEvent logging is extremely high-volume on an ordinary host; this reads as a
  lab or baseline-capture config rather than a production one. Confirm the intended use.
-->
<!-- "*" selects every hash algorithm Sysmon supports for the hash fields. -->
<HashAlgorithms>*</HashAlgorithms>
<!-- Each element below: onmatch="exclude" with no rules means "log all". -->
<EventFiltering>
<ProcessCreate onmatch="exclude" />
<FileCreateTime onmatch="exclude" />
<NetworkConnect onmatch="exclude" />
<ProcessTerminate onmatch="exclude" />
<DriverLoad onmatch="exclude" />
<ImageLoad onmatch="exclude" />
<CreateRemoteThread onmatch="exclude" />
<RawAccessRead onmatch="exclude" />
<ProcessAccess onmatch="exclude" />
<FileCreate onmatch="exclude" />
<RegistryEvent onmatch="exclude" />
<FileCreateStreamHash onmatch="exclude" />
<PipeEvent onmatch="exclude" />
<WmiEvent onmatch="exclude" />
<DnsQuery onmatch="exclude" />
<!-- NOTE(review): FileDelete (ID 23) does not only log; Sysmon also archives a copy of
     each deleted file into its archive directory. With no exclusions, every deleted
     file on the host is archived, and no <ArchiveDirectory> is set in this file, so
     the default location applies. Confirm disk capacity and a retention policy. -->
<FileDelete onmatch="exclude" />
<ClipboardChange onmatch="exclude" />
<ProcessTampering onmatch="exclude" />
<!-- FileDeleteDetected (ID 26) logs the deletion without archiving the file. -->
<FileDeleteDetected onmatch="exclude" />
</EventFiltering>
</Sysmon>
<!--
Event ID, EventFiltering element, description (filterable events in schema 4.81;
IDs 4, 16 and 255 are not filterable and are therefore absent):
1 ProcessCreate Process Create
2 FileCreateTime File creation time changed
3 NetworkConnect Network connection detected
5 ProcessTerminate Process terminated
6 DriverLoad Driver loaded
7 ImageLoad Image loaded
8 CreateRemoteThread CreateRemoteThread detected
9 RawAccessRead RawAccessRead detected
10 ProcessAccess Process accessed
11 FileCreate File created
12 RegistryEvent Registry object added or deleted
13 RegistryEvent Registry value set
14 RegistryEvent Registry object renamed
15 FileCreateStreamHash File stream created
17 PipeEvent Pipe Created
18 PipeEvent Pipe Connected
19 WmiEvent WmiEventFilter activity detected
20 WmiEvent WmiEventConsumer activity detected
21 WmiEvent WmiEventConsumerToFilter activity detected
22 DnsQuery Dns query
23 FileDelete File Delete archived
24 ClipboardChange Clipboard changed
25 ProcessTampering Process Tampering
26 FileDeleteDetected File Delete logged
-->