Ecosyste.ms: Issues
An open API service for providing issue and pull request metadata for open source projects.
GitHub / olafhartong/sysmon-modular issues and pull requests
#209 - typo event 13 T1562.002 Disable Windows Event Logging
Issue -
State: open - Opened by wildebras about 1 month ago
#208 - Suggested addition to ProcessAccess event, for MS Intune
Issue -
State: open - Opened by cyb3rxp about 1 month ago
#207 - More ps script policy test exclusion
Pull Request -
State: open - Opened by ipfyx 3 months ago
#206 - Fix some typo
Pull Request -
State: open - Opened by ipfyx 3 months ago
- 1 comment
#205 - fix incorrect logic exclusion for Powershell PipeEvent
Pull Request -
State: open - Opened by ipfyx 3 months ago
#204 - Adding .jse extension to include_javascript.xml
Pull Request -
State: open - Opened by fornotes 4 months ago
#203 - Update include_possible_dll_injection.xml
Pull Request -
State: open - Opened by fornotes 4 months ago
#202 - Update include_microsoft_cmstp.xml
Pull Request -
State: open - Opened by fornotes 4 months ago
#201 - Improving Sysmon config parsing
Pull Request -
State: open - Opened by MihhailSokolov 6 months ago
#200 - FileDelete Issue, cannot remove C:\Sysmon locked .dlls
Issue -
State: open - Opened by deathrig07 8 months ago
- 4 comments
#199 - Config causing 35 second delay opening modern MS Office file formats (.docx & .xlsx etc)
Issue -
State: open - Opened by smogm 8 months ago
- 1 comment
#198 - Error 255 appears, please help me figure it out.
Issue -
State: open - Opened by h3nkbleck 9 months ago
- 2 comments
#197 - Incorrect rule format?
Issue -
State: open - Opened by 3ch035 9 months ago
#196 - User condition in exclusions for RegistryEvents
Issue -
State: open - Opened by schwf5 9 months ago
#195 - ImageLoad detections from hijacklibs.net
Pull Request -
State: open - Opened by nterl0k 10 months ago
#194 - Exclusion Trend Micro WFBS
Issue -
State: open - Opened by s3-schneider 11 months ago
#193 - Duplicates
Issue -
State: open - Opened by PiRomant 12 months ago
#192 - included image load of dbghelp.dll or dbgcore.dll
Pull Request -
State: open - Opened by swachchhanda000 12 months ago
#190 - KAV exclusion
Issue -
State: open - Opened by PiRomant about 1 year ago
#189 - Testing branch bpm master
Pull Request -
State: closed - Opened by Cyber74-Brian-McCaleb about 1 year ago
#188 - change 25 include_all to include on match
Pull Request -
State: open - Opened by clairmont32 about 1 year ago
- 1 comment
#187 - XML Issue with sysmonconfig-excludes-only.xml
Issue -
State: open - Opened by jvossler about 1 year ago
#186 - Create include_Havoc_C2.xml
Pull Request -
State: open - Opened by giomke about 1 year ago
#185 - Suggested additions to Microsoft Defender ProcessCreation event
Issue -
State: open - Opened by cyb3rxp about 1 year ago
#184 - Suggested additions to TrendMicro ProcessCreation event exclusion
Issue -
State: open - Opened by cyb3rxp about 1 year ago
#183 - Update for Kaspersky Modules
Pull Request -
State: open - Opened by maiconjs over 1 year ago
#182 - Fixed filename typos.
Pull Request -
State: open - Opened by fahersom over 1 year ago
#181 - Several Updates
Pull Request -
State: closed - Opened by gs3cl over 1 year ago
#180 - disable blocking download of an executable
Pull Request -
State: open - Opened by Yaxser over 1 year ago
#179 - #178 - Adds schema update for research configuration file.
Pull Request -
State: open - Opened by Korving-F over 1 year ago
#178 - Super verbose config missing from Azure Pipelines
Issue -
State: open - Opened by Korving-F over 1 year ago
#177 - Updates - PSExec_PSH - SecureBoot - Office Process Creation - Zoom
Pull Request -
State: open - Opened by DCData-OPS over 1 year ago
#176 - Update exclude_svchost.xml
Pull Request -
State: open - Opened by giomke over 1 year ago
#175 - Version 15 updates
Pull Request -
State: closed - Opened by olafhartong over 1 year ago
#174 - Add WMI-based Sysmon file archive quota generation
Pull Request -
State: closed - Opened by zbalkan over 1 year ago
- 1 comment
#173 - Event ID 8 - CreateRemoteThread - Appends to bottom of config
Issue -
State: open - Opened by Cyber74-Brian-McCaleb over 1 year ago
#172 - In line 1616 could be a typo
Issue -
State: closed - Opened by Andeandes over 1 year ago
- 1 comment
#171 - (Updated) Workflows, priority sorting for rules, rule improvements
Pull Request -
State: closed - Opened by cnnrshd over 1 year ago
- 3 comments
#170 - Update to Workflows, Priority Sorting for Rules, and fixes for Rules
Pull Request -
State: closed - Opened by cnnrshd over 1 year ago
#169 - Create 23 exclusion for Sophos Endpoint journalling temporary files
Pull Request -
State: closed - Opened by jaybirnuw over 1 year ago
- 1 comment
#168 - Repo Folder index
Issue -
State: open - Opened by afg-jmck over 1 year ago
#167 - Sysmon 14.14 - Anti-Tamper Controls?
Issue -
State: open - Opened by bobby-mack over 1 year ago
- 3 comments
#166 - Default config - file deletes are being archived
Issue -
State: closed - Opened by leepfrog-ger over 1 year ago
- 4 comments
#165 - Fixing a Typo in the Event ID 26 Folder Name
Pull Request -
State: closed - Opened by benmontour over 1 year ago
- 1 comment
#164 - Display file name when XML load fails
Pull Request -
State: closed - Opened by thefunch over 1 year ago
- 1 comment
#163 - Managing multiple customer config example
Issue -
State: open - Opened by oddieHA almost 2 years ago
#162 - TYPO?
Issue -
State: closed - Opened by LasseKrache almost 2 years ago
- 1 comment
#161 - excluding symantec and wmiadap
Pull Request -
State: closed - Opened by alwashali almost 2 years ago
#160 - Ignore blank lines when loading inclusions
Pull Request -
State: closed - Opened by defensivedepth almost 2 years ago
#159 - Changed vassadmin.exe to vssadmin.exe
Pull Request -
State: closed - Opened by kevinelwell almost 2 years ago
#158 - Update to line 163 in sysmonconfig-mde-augment.xml
Pull Request -
State: closed - Opened by kevinelwell almost 2 years ago
- 2 comments
#157 - Fix InclusionFolder error
Pull Request -
State: closed - Opened by defensivedepth almost 2 years ago
- 1 comment
#156 - Include Top Level Groups not working?
Issue -
State: closed - Opened by defensivedepth almost 2 years ago
- 2 comments
#155 - Does sysmon-modular have the compatibility to be used for the SysmonForLinux?
Issue -
State: open - Opened by jayzheng98 almost 2 years ago
- 1 comment
#154 - Incorrect field User
Pull Request -
State: closed - Opened by Suirand1 almost 2 years ago
- 1 comment
#153 - Too many Splunk Forwarder Events in base Sysmon Config
Issue -
State: open - Opened by tbalz2319 almost 2 years ago
- 5 comments
#152 - Merged file include vs exclude ordering
Issue -
State: open - Opened by ag-michael almost 2 years ago
#151 - sysmonconfig-research.xml configuration block, delete exe file
Issue -
State: open - Opened by webdevbeginner about 2 years ago
#150 - Own Microsoft Sentinel Workbook is planned? Or recommended Microsoft Sentinel Workbook?
Issue -
State: open - Opened by michalzobec about 2 years ago
#149 - Intercepting deleted files
Issue -
State: open - Opened by harryray33 about 2 years ago
- 1 comment
#147 - Update sysmonconfig.xml
Pull Request -
State: closed - Opened by pablotr9 about 2 years ago
- 1 comment
#146 - Something wrong in latest commit
Issue -
State: closed - Opened by herromega about 2 years ago
- 4 comments
#145 - Adding interesting_files.xml
Pull Request -
State: closed - Opened by mgreen27 over 2 years ago
- 1 comment
#144 - contains all with only one value
Issue -
State: closed - Opened by frack113 over 2 years ago
- 1 comment
#143 - exclude_desktop_central
Pull Request -
State: closed - Opened by alwashali over 2 years ago
- 1 comment
#142 - Rule Group Relation in Network Connect / include_relaying.xml
Issue -
State: closed - Opened by ErichSutter over 2 years ago
- 2 comments
#141 - File create events with include_electron_app_injection.xml module
Issue -
State: closed - Opened by ErichSutter over 2 years ago
- 1 comment
#140 - Issue creating a CONFIG XML
Issue -
State: closed - Opened by N3anderth0l over 2 years ago
- 1 comment
#139 - Update TIDs to ATT&CK v11
Pull Request -
State: closed - Opened by IanDavila over 2 years ago
- 1 comment
#137 - Excluding __PSScriptPolicyTest_ files
Issue -
State: closed - Opened by m3hdx over 2 years ago
- 1 comment
#136 - ExcludeList not working ?
Issue -
State: open - Opened by mtl0n over 2 years ago
- 1 comment
#135 - Additional Elastic-related exclusions
Pull Request -
State: closed - Opened by jvalente-salemstate over 2 years ago
- 1 comment
#134 - Creating process access exclusions for metricbeat, file creation excl…
Pull Request -
State: closed - Opened by jvalente-salemstate over 2 years ago
#133 - Double quotes possibly mess up the filtering
Issue -
State: open - Opened by bchris21 over 2 years ago
#132 - HKCU - Additional Files
Issue -
State: closed - Opened by kevinelwell over 2 years ago
- 3 comments
#131 - Schema Version Upgrade to 4.81
Issue -
State: open - Opened by clairmont32 over 2 years ago
- 1 comment
#130 - HKCU Registry
Issue -
State: closed - Opened by kevinelwell over 2 years ago
- 2 comments
#129 - Hotfix/typos
Pull Request -
State: closed - Opened by conitrade-as over 2 years ago
- 1 comment
#128 - XDR-2399: Add sysmon-config to the pipeline
Pull Request -
State: closed - Opened by hensonto over 2 years ago
#127 - Clean up rules
Pull Request -
State: closed - Opened by stavhaygn over 2 years ago
#126 - Added access mask used by Metasploit's migrate
Pull Request -
State: closed - Opened by d4rk-d4nph3 over 2 years ago
- 1 comment
#125 - Add include_office_dde
Pull Request -
State: closed - Opened by frack113 over 2 years ago
#124 - Adding connection monitoring support to rdp terminal services pipe, c…
Pull Request -
State: closed - Opened by redsand over 2 years ago
- 1 comment
#123 - PowerShell Transcript Deletion Event ID 26 Rule.
Pull Request -
State: closed - Opened by mon0pixel almost 3 years ago
- 1 comment
#122 - Potential typo (Line 1508 in sysmonconfig.xml)
Issue -
State: closed - Opened by thamyekh almost 3 years ago
#121 - More filegen options
Pull Request -
State: closed - Opened by hkelley almost 3 years ago
- 1 comment
#120 - Include file format: merge full directories
Issue -
State: closed - Opened by hkelley almost 3 years ago
- 1 comment
#119 - Removed redundant WER\Temp rules
Pull Request -
State: closed - Opened by nicpenning almost 3 years ago
#118 - Add rdp registry settings
Pull Request -
State: closed - Opened by elhoim almost 3 years ago
#117 - FileDelete vs. FileDeleteDetected inconsistent
Issue -
State: closed - Opened by maederm about 3 years ago
- 2 comments
#116 - Updated ATT&CK Navigator link
Pull Request -
State: closed - Opened by sethmisenar about 3 years ago
#114 - Adding exclusion for ID 10 for PowerToys
Pull Request -
State: closed - Opened by drewchurch over 3 years ago
- 3 comments
#113 - Update exclude_citrix.xml
Pull Request -
State: closed - Opened by lslng over 3 years ago
#112 - "Trusted Script Proxy Exectuion" or "Trusted Script Proxy Execution"
Issue -
State: closed - Opened by Yuvraj-Takey over 3 years ago
- 2 comments
#108 - add include_printernightmare.xml
Pull Request -
State: closed - Opened by frack113 over 3 years ago
#107 - create include_office_security_features.xml
Pull Request -
State: closed - Opened by frack113 over 3 years ago
#106 - error with merging script line 137/char13
Issue -
State: closed - Opened by janlinhart-BC over 3 years ago
- 1 comment
#100 - Incompatible configuration with Sysmon 13.21
Issue -
State: closed - Opened by sebastiendamaye over 3 years ago
- 3 comments
#99 - overlapping rule causing a lot of 12/13 events
Issue -
State: closed - Opened by PurpleV0id over 3 years ago
- 1 comment
#98 - Event 10 version 1320
Issue -
State: closed - Opened by bonusland over 3 years ago
- 2 comments