Active 2024-11-15

Sysmon-DFIR

Sources, configuration and how to detect evil things utilizing Microsoft Sysmon. A comprehensive collection of Sysmon configurations, documentation, and detection resources.

sysmon detection dfir windows logging monitoring
Quickstart
Get started instantly (run from an elevated prompt, since Sysmon installs a driver and a service; on a host that already has Sysmon, load the configuration with -c instead of -i):
git clone https://github.com/MHaggis/sysmon-dfir.git && sysmon64.exe -accepteula -i sysmon-dfir\sysmonconfig.xml
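The one-liner above only covers a fresh install. The PowerShell script below is an added example, not code from the sysmon-dfir repository: it installs Sysmon with the repo config when no Sysmon service exists, loads the config with -c when one does, and then verifies that the Sysmon channel is live and that the config-change event (ID 16) carries the hash of the file that was pushed. It assumes sysmon64.exe is on PATH and that the clone sits at .\sysmon-dfir with sysmonconfig.xml at its root, as in the quickstart command.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the sysmon-dfir repository. Installs Sysmon with the repo config on a
# fresh host, or pushes the config to an existing install, then checks that the event log is live.
# Assumptions: sysmon64.exe is on PATH; the clone sits at .\sysmon-dfir with sysmonconfig.xml at its
# root (the path used in the quickstart one-liner).
param(
    [string]$Config = '.\sysmon-dfir\sysmonconfig.xml',
    [string]$Sysmon = 'sysmon64.exe'
)
$ErrorActionPreference = 'Stop'
$Config = (Resolve-Path $Config).Path     # Resolve-Path throws if the file is missing

# The service takes the binary's name (Sysmon64 for sysmon64.exe, Sysmon for the 32-bit build).
# -i fails when the driver is already installed, so an existing install gets -c (load config) instead.
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host "Sysmon service '$($svc[0].Name)' present; loading $Config"
    & $Sysmon -accepteula -c $Config
} else {
    Write-Host "Installing Sysmon with $Config"
    & $Sysmon -accepteula -i $Config
}
if ($LASTEXITCODE -ne 0) { throw "$Sysmon exited with code $LASTEXITCODE" }

# Check 1: the Sysmon channel exists, is enabled and is receiving records.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
'{0}: enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount

# Check 2: Sysmon writes Event ID 16 (config state changed) each time a configuration is loaded; its
# ConfigurationFileHash field should match the SHA256 of the file that was just pushed.
$expected = (Get-FileHash -Algorithm SHA256 -Path $Config).Hash
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16 } -MaxEvents 1
"Latest config-change event:`n$($ev.Message)"
"SHA256 of ${Config}: $expected"
```

Save it as Deploy-Sysmon.ps1 next to the clone and run it from an elevated PowerShell; rerunning it after editing the config is safe, because the existing-install branch only reloads the configuration.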

The Problem

Sysmon is incredibly powerful for endpoint visibility, but getting the configuration right is challenging. Bad configs can either miss critical events or generate so much noise that important signals get lost. Teams need battle-tested configurations that balance coverage and noise.

The Solution

Sysmon-DFIR provides curated, well-documented Sysmon configurations along with extensive documentation on what each rule detects and why. The repository includes multiple configuration profiles for different use cases, from minimal logging to comprehensive coverage.

Impact

One of the most starred Sysmon resources on GitHub. Used by organizations of all sizes to jumpstart their endpoint visibility. The documentation helps teams understand not just how to configure Sysmon, but why specific rules matter for detection.

Overview

Sysmon-DFIR is a comprehensive resource for anyone looking to implement or improve their Sysmon deployment. Whether you’re just getting started or looking to tune an existing configuration, this repository has you covered.

What’s Included

  • Configuration Files: Multiple config profiles for different use cases
  • Documentation: Detailed explanations of each rule and its purpose
  • Detection Examples: Real-world examples of what each rule catches
  • Tuning Guides: How to reduce noise without losing visibility

Configuration Profiles

Balanced Profile

A good starting point that provides solid coverage without excessive noise. The fragment below illustrates the rule syntax with a single Event ID 1 (process creation) rule: log any process whose parent image path ends with cmd.exe or powershell.exe (the "end with" condition matches the tail of the path, case-insensitively, so the full install path does not matter). It is shown as a complete configuration file so that it loads as-is; the schemaversion must not exceed what the installed binary supports (sysmon64 -? config prints the binary's schema):

<!-- Example: Detect suspicious process creation -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: log every child spawned by a shell; "end with" is case-insensitive -->
      <ProcessCreate onmatch="include">
        <Rule groupRelation="or">
          <ParentImage condition="end with">cmd.exe</ParentImage>
          <ParentImage condition="end with">powershell.exe</ParentImage>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
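As an added example (not part of the repository), the following PowerShell applies the include rule above to a few constructed Event ID 1 records, so you can see what the rule writes to the log and, just as important, what an include-mode section silently drops; it ends with the parent/child volume count that a tuning pass starts from. The records and the Test-SysmonRule helper are made up for the demo and only model the conditions used here; real records would come from Get-WinEvent.

```powershell
# Added example, not code from sysmon-dfir: apply the include rule from the fragment above to a few
# constructed Event ID 1 records and show what is logged, what is dropped, and what is noisy.
# The records below are made up for the demo; real ones come from
#   Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 }
$records = @(
    @{ ParentImage='C:\Windows\System32\cmd.exe';                               Image='C:\Windows\System32\whoami.exe' }
    @{ ParentImage='C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE'; Image='C:\Windows\System32\net.exe' }
    @{ ParentImage='C:\Windows\explorer.exe';                                   Image='C:\Windows\System32\wscript.exe' }
    @{ ParentImage='C:\Windows\System32\cmd.exe';                               Image='C:\Windows\System32\conhost.exe' }
    @{ ParentImage='C:\Windows\System32\cmd.exe';                               Image='C:\Windows\System32\conhost.exe' }
)

# The same two tests as the config fragment. Sysmon string conditions are case-insensitive,
# which is why the mixed-case PowerShell.EXE record still matches.
$includeRule = @(
    @{ Field='ParentImage'; Condition='end with'; Value='cmd.exe' }
    @{ Field='ParentImage'; Condition='end with'; Value='powershell.exe' }
)

function Test-SysmonRule {
    # Returns $true when any condition matches (groupRelation="or"). Demo helper, not Sysmon's own code.
    param([hashtable]$Record, [hashtable[]]$Rule)
    foreach ($c in $Rule) {
        $value = [string]$Record[$c.Field]
        $hit = switch ($c.Condition) {
            'end with'   { $value.EndsWith($c.Value, [StringComparison]::OrdinalIgnoreCase) }
            'begin with' { $value.StartsWith($c.Value, [StringComparison]::OrdinalIgnoreCase) }
            'is'         { $value -eq $c.Value }        # -eq is case-insensitive in PowerShell
            'contains'   { $value -like "*$($c.Value)*" }
            default      { throw "condition '$($c.Condition)' not handled in this demo" }
        }
        if ($hit) { return $true }
    }
    return $false
}

# onmatch="include": only matching events are written; everything else is discarded in the driver.
$logged  = @($records | Where-Object { Test-SysmonRule -Record $_ -Rule $includeRule })
$dropped = @($records | Where-Object { -not (Test-SysmonRule -Record $_ -Rule $includeRule) })

"Logged ($($logged.Count)):"
$logged  | ForEach-Object { '  {0} -> {1}' -f $_.ParentImage, $_.Image }
"Dropped ($($dropped.Count)), invisible unless another include rule covers them:"
$dropped | ForEach-Object { '  {0} -> {1}' -f $_.ParentImage, $_.Image }

# Tuning: rank parent -> child pairs by volume. A pair like cmd.exe -> conhost.exe fires on every
# console launch; pairs at the top of this list are the exclude candidates a tuning pass starts with.
'Volume by parent -> child:'
$logged |
    Group-Object { '{0} -> {1}' -f (Split-Path -Leaf $_.ParentImage), (Split-Path -Leaf $_.Image) } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The explorer.exe -> wscript.exe record never reaches the log under this fragment, because with onmatch="include" only matching events are recorded. A profile that wants full process lineage therefore runs ProcessCreate in onmatch="exclude" mode (log everything except the listed noise) and uses include lists where the event type is too chatty to log wholesale; the conhost.exe pair at the top of the volume table is the kind of entry that ends up in such an exclude list.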

High-Fidelity Profile

Maximum coverage for environments that can handle the volume.

Minimal Profile

Essential visibility for resource-constrained environments.

Integration

Pairs perfectly with:

  • Splunk Sysmon App for visualization
  • SIGMA rules for detection
  • PowerShell-Hunter for active hunting


Related Modules


ASRGEN

ASR Configurator, Essentials and Atomic Testing. Configure and test Attack Surface Reduction rules.


Atomics on a Friday

Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.
