Skip to content

/ sysmon

Sysmon and wazuh integration with Sigma sysmon rules [updated]

GPL-3.0 License
18 stars 6 forks
Star
Watch
master
1 branch 0 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
LICENSE
 
 
README.md
 
 
sysmon.xml
 
 
sysmon_rules.xml
 
 

README.md

Sysmon - Wazuh Sigma Rules

Sysmon is a command line tool which allows us to monitor and track processes taking place in our computers. With the right configuration, suspicious behaviors can be detected by Sysmon and the detailed information will be stored in the generated log. For instance, the creation of a new process will be detected by Sysmon as “Event number 1”. This event will contain critical information that we could use to configure an active response or adopt other type of security measures.

How to Install?

Client Configuration

First, you should install Sysmon.

Download sysmon : https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Setup Sysmon: 

Sysmon64.exe -accepteula -i sysconfig.xml

Then, 

Copy below to your client's ossec.conf file

<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>

Save it and restart agent.

## Server Configuration

Copy sysmon_rules.xml to /var/ossec/etc/rules/local_rules.xml

Save it restart manager.

Finished!


Rules are generated from Rules from https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon

Thanks.

About

Sysmon and wazuh integration with Sigma sysmon rules [updated]

Topics

wazuh sysmon ossec security-tools security sysmon-config wazuh-manager sigma

Resources

Readme

License

GPL-3.0 License

Releases

No releases published

Packages

No packages published
You can’t perform that action at this time.