|
2 | 2 |
|
3 | 3 | This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing. |
4 | 4 |
|
5 | | -The file provided should function as a great starting point for system change monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation. |
| 5 | +The file should function as a great starting point for system change monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation. |
6 | 6 |
|
7 | 7 | **[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)** |
8 | 8 |
|
9 | 9 | Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. |
10 | 10 |
|
11 | | -For mature organizations needing a more scalable approach after initial proof-of-concept, see **[sysmon-modular](https://github.com/olafhartong/sysmon-modular)** by [https://github.com/olafhartong](@olafhartong). |
| 11 | +For mature organizations needing a more scalable approach after initial proof-of-concept, see **[sysmon-modular](https://github.com/olafhartong/sysmon-modular)** by [@olafhartong](https://github.com/olafhartong). |
12 | 12 |
|
13 | 13 | Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git. |
14 | 14 |
|
15 | | -Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area. |
| 15 | +Note: Exact syntax and filtering choices are deliberate and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area. |
16 | 16 |
|
17 | 17 | **[See other forks of this configuration](https://github.com/SwiftOnSecurity/sysmon-config/network)** |
18 | 18 |
|
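Review bot: The rewrite of line 15 drops the stated purpose and leaves a dangling construction: "are deliberate and to have as little performance impact as possible" no longer says what the choices are deliberate about. Suggest keeping the rationale in one clause, e.g. "Exact syntax and filtering choices are deliberate, made to catch the appropriate entries with as little performance impact as possible." The link fix on line 11, `[@olafhartong](https://github.com/olafhartong)`, is correct, since the old line had the link text and URL swapped.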
@@ -48,4 +48,4 @@ The configuration is highly commented and designed to be self-explanatory to ass |
48 | 48 | ### Design notes ### |
49 | 49 | This configuration expects software to be installed system-wide and NOT in the C:\Users folder. |
50 | 50 |
|
51 | | -If your users install Chrome themselves, you should deploy the [Chrome MSI](https://enterprise.google.com/chrome/chrome-browser/), which will automatically change the shortcuts to the machine-level installation. Your users will not even notice anything different. |
| 51 | +Various pieces of software install themselves in User directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions. |
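Review bot: The new line 51 removes the only concrete remediation this section offered (the Chrome MSI link for a machine-level install) and replaces it with "See the configuration file for more instructions" without saying where in that file to look. Since the sentence states that User-directory installs are "subject to extra monitoring", a reader will want to know which rules fire and how to get the system-wide build; suggest keeping the MSI link in the sentence that names Chrome, or naming the comment or section in sysmonconfig-export.xml that carries those instructions.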