sysmon-modular
by olafhartong
A modular and customizable repository of Sysmon configuration modules designed to simplify the creation and maintenance of Sysmon configs for endpoint security.
A repository of sysmon configuration modules
Primary Use Case
This tool is used by security professionals and system administrators to deploy and manage tailored Sysmon configurations for endpoint protection and intrusion detection. It enables easy customization and generation of Sysmon configs to fit specific environments, improving security monitoring and automation capabilities.
- Modular Sysmon configuration modules for easy customization
- Pre-generated balanced, verbose, super verbose, and Defender for Endpoint augmentation configs
- Automated config generation via PowerShell script and Azure Pipeline integration
- Support for merging external configurations like LOLdrivers for enhanced detection
- Detailed documentation and wiki for generating custom configurations
- Configurations designed to optimize performance and event volume based on use case
Installation
- Download and install Microsoft Sysinternals Sysmon from the official site
- Clone the sysmon-modular repository from GitHub
- Use the provided PowerShell script to generate a custom Sysmon configuration by merging desired modules
- Deploy the generated sysmonconfig.xml to your endpoints with Sysmon installed
- Tune and customize configurations per environment as strongly recommended
Usage
>_ PowerShell script to generate configRuns the script to merge selected modules and generate a custom sysmonconfig.xml
>_ sysmon -i sysmonconfig.xmlInstalls Sysmon with the generated configuration file
>_ sysmon -c sysmonconfig.xmlUpdates Sysmon with a new configuration without reinstalling
>_ Add LOLdrivers config to 29_file_execute_detected folderEnhances detection capabilities by merging the latest LOLdrivers config into the modular setup
- Leverage modular config generation to tailor Sysmon logging for specific threat scenarios.
- Integrate with SIEM and SOAR platforms for automated alerting and response workflows.
- Use verbose configs in test environments to baseline normal activity and tune detection rules.
- Combine with external detection rules like LOLdrivers to enhance file execution event visibility.
- Automate config deployment via Azure Pipelines to ensure consistent endpoint monitoring across environments.
Docs Take 2 Hours. AI Takes 10 Seconds.
Ask anything about sysmon-modular. Installation? Config? Troubleshooting? Get answers trained on real docs and GitHub issues—not generic ChatGPT fluff.
3 free chats per tool • Instant responses • No credit card
Related Tools
rustdesk
rustdesk/rustdesk
An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.
osquery
osquery/osquery
SQL powered operating system instrumentation, monitoring, and analytics.
macOS-Security-and-Privacy-Guide
drduh/macOS-Security-and-Privacy-Guide
Community guide to securing and improving privacy on macOS.
How-To-Secure-A-Linux-Server
imthenachoman/How-To-Secure-A-Linux-Server
An evolving how-to guide for securing a Linux server.
Atlas
Atlas-OS/Atlas
🚀 An open and lightweight modification to Windows, designed to optimize performance, privacy and usability.
fail2ban
fail2ban/fail2ban
Daemon to ban hosts that cause multiple authentication errors