A Sysmon configuration repository for everybody to customise. This is a Microsoft Sysinternals Sysmon configuration repository, set up modular for easier maintenance and generation of specific configs. Please keep in mind that any of these configurations should be considered a starting point, tuning per environment is strongly recommended. Note: to get even more value out of the FileExecutable event, consider getting the most up to date version of the LOLdrivers config merged into the config as well. You can easily do that by grabbing the file and adding it in the 29_file_execute_detected folder and generate a new config. The sysmonconfig.xml within the repo is automatically generated after a successful merge by the PowerShell script and a successful load by Sysmon in an Azure Pipeline run. More info on how to generate a custom config, incorporating your own modules here. Pre-Generated configurations: Type: Config: Description: default: sysmonconfig.xml: This is the balanced configuration, most used, more information here. default+: sysmonconfig-with-filedelete.xml: This is the balanced configuration, most used, more information including FileDelete file saves.
FEATURES
EXPLORE BY TAGS
SIMILAR TOOLS
JIMI is a flow-based orchestration automation platform that combines low-code and no-code capabilities for multi-team collaboration across IT, security, and development operations.
An open-source, drag-and-drop security workflow builder with integrated case management for automating security workflows and tackling alert fatigue.
IRIS-SOAR is a Python-based modular SOAR platform that automates security incident response workflows and integrates with DFIR-IRIS for enhanced digital forensics operations.
StackStorm is an open-source automation platform that connects and automates DevOps workflows and integrates with existing infrastructure.
Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.
Automated Digital Forensics and Incident Response (DFIR) software for rapid incident response and intrusion investigations.
Open-source security automation platform for automating security alerts and building AI-assisted workflows.
SOARCA is an open-source SOAR platform that automates security incident response workflows using standardized CACAOv2 playbooks and multiple integration interfaces.
Request Tracker for Incident Response (RTIR) is a tool for incident response teams to manage incident reports, correlate data, and facilitate communication.