MyITGuy
4/19/2017 - 3:35 PM

Sysmon v6.01 Configuration


<!-- 
   Base configuration file with all options enabled
   Sysmon v6.01
--> 
<Sysmon schemaversion="3.30">
	<!-- Schema 3.30 is the schema shipped with Sysmon 6.x. The schemaversion must match
	     what the installed binary supports, otherwise the configuration is rejected at load. -->
	<!-- Capture all hashes: '*' computes every supported algorithm for each hashed image
	     (MD5, SHA1, SHA256, IMPHASH). Useful for correlation with multiple intel sources,
	     at the cost of extra CPU on every process, driver and image load. -->
	<HashAlgorithms>*</HashAlgorithms>
	<!-- Every event type below is declared with onmatch="exclude" and no filter rules, so
	     nothing is excluded and every event of that type is written to the Sysmon log.
	     This is a collect-everything baseline intended for building a tuned ruleset, not a
	     production configuration: expect very high event volume (ImageLoad, ProcessAccess
	     and RegistryEvent in particular) and rapid log rollover until exclude rules are added. -->
	<EventFiltering>
		<!-- Event ID 1: log all process creations -->
		<ProcessCreate onmatch="exclude" />
		<!-- Event ID 2: log all changes to a file's creation timestamp (timestomping) -->
		<FileCreateTime onmatch="exclude" />
		<!-- Event ID 3: log all network connections (TCP/UDP, per process) -->
		<NetworkConnect onmatch="exclude" />
		<!-- Event ID 5: log all process terminations -->
		<ProcessTerminate onmatch="exclude" />
		<!-- Event ID 6: log all loaded drivers -->
		<DriverLoad onmatch="exclude" />
		<!-- Event ID 7: log all loaded images (DLLs). Highest-volume event type when
		     unfiltered; tune with exclude rules before wide deployment. -->
		<ImageLoad onmatch="exclude" />
		<!-- Event ID 8: log all remote thread creations (a process creating a thread in
		     another process; a common code-injection indicator) -->
		<CreateRemoteThread onmatch="exclude" />
		<!-- Event ID 9: log all raw access reads of a volume (e.g. \\.\PhysicalDrive0) -->
		<RawAccessRead onmatch="exclude" />
		<!-- Event ID 10: log all process accesses (OpenProcess by another process, with
		     the requested access mask). Very noisy unfiltered. -->
		<ProcessAccess onmatch="exclude" />
		<!-- Event ID 11: log all file creations -->
		<FileCreate onmatch="exclude" />
		<!-- Event IDs 12/13/14: log all registry activity (object add, object rename,
		     object delete, value set) -->
		<RegistryEvent onmatch="exclude" />
		<!-- Event ID 15: log all alternate data stream creations, with hash of the stream -->
		<FileCreateStreamHash onmatch="exclude" />
		<!-- Event IDs 17/18: log all named pipe activity (pipe created, pipe connected).
		     New in Sysmon 6 / schema 3.30. -->
		<PipeEvent onmatch="exclude" />
	</EventFiltering>
</Sysmon>
<!-- 
   Base configuration file with all options enabled
   Sysmon v5.2
--> 
<Sysmon schemaversion="3.20">
	<!-- Schema 3.20 is the schema shipped with Sysmon 5.x. The schemaversion must match
	     what the installed binary supports, otherwise the configuration is rejected at load.
	     PipeEvent is not part of this schema; it was added in Sysmon 6 / schema 3.30. -->
	<!-- Capture all hashes: '*' computes every supported algorithm for each hashed image
	     (MD5, SHA1, SHA256, IMPHASH), at the cost of extra CPU on every process, driver
	     and image load. -->
	<HashAlgorithms>*</HashAlgorithms>
	<!-- Every event type below is declared with onmatch="exclude" and no filter rules, so
	     nothing is excluded and every event of that type is written to the Sysmon log.
	     This is a collect-everything baseline intended for building a tuned ruleset, not a
	     production configuration: expect very high event volume (ImageLoad, ProcessAccess
	     and RegistryEvent in particular) and rapid log rollover until exclude rules are added. -->
	<EventFiltering>
		<!-- Event ID 1: log all process creations -->
		<ProcessCreate onmatch="exclude" />
		<!-- Event ID 2: log all changes to a file's creation timestamp (timestomping) -->
		<FileCreateTime onmatch="exclude" />
		<!-- Event ID 3: log all network connections (TCP/UDP, per process) -->
		<NetworkConnect onmatch="exclude" />
		<!-- Event ID 5: log all process terminations -->
		<ProcessTerminate onmatch="exclude" />
		<!-- Event ID 6: log all loaded drivers -->
		<DriverLoad onmatch="exclude" />
		<!-- Event ID 7: log all loaded images (DLLs). Highest-volume event type when
		     unfiltered; tune with exclude rules before wide deployment. -->
		<ImageLoad onmatch="exclude" />
		<!-- Event ID 8: log all remote thread creations (a process creating a thread in
		     another process; a common code-injection indicator) -->
		<CreateRemoteThread onmatch="exclude" />
		<!-- Event ID 9: log all raw access reads of a volume (e.g. \\.\PhysicalDrive0) -->
		<RawAccessRead onmatch="exclude" />
		<!-- Event ID 10: log all process accesses (OpenProcess by another process, with
		     the requested access mask). Very noisy unfiltered. -->
		<ProcessAccess onmatch="exclude" />
		<!-- Event ID 11: log all file creations -->
		<FileCreate onmatch="exclude" />
		<!-- Event IDs 12/13/14: log all registry activity (object add, object rename,
		     object delete, value set) -->
		<RegistryEvent onmatch="exclude" />
		<!-- Event ID 15: log all alternate data stream creations, with hash of the stream -->
		<FileCreateStreamHash onmatch="exclude" />
	</EventFiltering>
</Sysmon>