How to use Sysmon-modular

Views: 6,036

Olaf Hartong

A day ago

Comments: 13
@rogereales (a year ago)
Very grateful for your dedication, research, knowledge sharing and contributions to Cyber - Not only on this video but I've seen a lot of your research ---> Great work!
@АнтонКопейкин-у6р (2 years ago)
Well done! A very valuable config for Sysmon. Thank you, Olaf!!!
@olafhartong (a year ago)
Thank you!
@BenjaminConnelly (a year ago)
Thank you!
@monnombre6547 (8 months ago)
thanks olaf!!!!!
@Badcitizenlgn (a year ago)
Thanks for the content!
@aliabdullah-tg1vp (a year ago)
Thanks... I face this error: "StartService failed for SysmonDrv: An instance already exists at this altitude on the volume specified. Failed to start the driver: An instance already exists at this altitude on the volume specified. Stopping the service failed: The service has not been started. SysmonDrv removed. Stopping the service failed: The service has not been started. Sysmon removed." Kindly, please can you help.
@Badcitizenlgn (a year ago)
If you haven't solved it yet, you could try to use the -u flag with sysmon.exe and perform a clean installation. Since the error message is telling you that you already have an instance running, it might be due to a bad installation or a bad configuration.
@kkhyyyz6535 (2 years ago)
Thanks... if running the MDE augmentation script, where / how can you ship the logs, centrally speaking, for visibility and analysis?
@olafhartong (a year ago)
That depends on your SIEM solution. Most have an agent that allows you to do this; another option is WEC/WEF servers that can send it to the SIEM. In any case you need to take care of the plumbing; there is no MDE feature that is able to do this today.
@rogereales (a year ago)
Wazuh is another option which is open source.
@vikashdubey3776 (a year ago)
Why did you create both include and exclude filters for the same event IDs?
@olafhartong (a year ago)
For multiple reasons: you can decide to only go for either one of them, resulting in a very chatty or very silent log source. Additionally, when you do both, it will be very balanced, having some obvious blind spots but also limited noise. This tends to be preferred in some enterprise cases where volumes of log sources get expensive fast.
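An added illustration of the include-plus-exclude approach described in the answer above; it is example configuration written for this page, not a file from the video or from the sysmon-modular project. It shows one Sysmon config with both an include and an exclude rule group for ProcessCreate (Event ID 1): Sysmon evaluates exclude matches ahead of include matches, so the exclude group drops a known-noisy process while the include group keeps the events worth collecting. The schema version, the paths and the rule names are assumptions chosen for the example.

```xml
<!-- Example only: assumed schema version; adjust to the Sysmon build you deploy -->
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>

    <!-- Include group: only ProcessCreate events that match one of these
         conditions are logged (groupRelation="or"). Used alone this is a
         quiet source with blind spots for anything not listed. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- Office applications spawning child processes -->
        <ParentImage name="example_office_child" condition="end with">\winword.exe</ParentImage>
        <ParentImage name="example_office_child" condition="end with">\excel.exe</ParentImage>
        <!-- Script hosts and encoded PowerShell command lines -->
        <Image name="example_script_host" condition="end with">\wscript.exe</Image>
        <Image name="example_script_host" condition="end with">\cscript.exe</Image>
        <CommandLine name="example_encoded_ps" condition="contains">-enc</CommandLine>
      </ProcessCreate>
    </RuleGroup>

    <!-- Exclude group: matches here are dropped even if an include rule
         above also matched, which is how the noisy-but-expected process
         below stays out of the log without widening the blind spots. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- Assumed noisy process for the example: console host launched by every console app -->
        <Image name="example_noise_conhost" condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Sysmon accepts at most one include and one exclude section per event type, which is why sysmon-modular merges its per-technique module files into one combined group of each kind before the config is loaded.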