<Sysmon schemaversion="4.70">
<EventFiltering>
<!-- TROUBLESHOOTING CONFIG: silences almost every Sysmon event type while the noisy
     logging is being sorted out. Every switched-off event type below is a detection gap,
     so this file must not be left on production endpoints once the investigation is done.
     Two things to keep in mind when editing it:
     * onmatch="include" with NO filter lines inside it means "include nothing", i.e. that
       event type is turned off entirely. That is what each empty RuleGroup below does
       (the original "Do not log anything!" comments describe exactly that effect).
     * This file says nothing about event types that have no RuleGroup here (e.g. ID 2
       FileCreateTime, 6 DriverLoad, 7 ImageLoad, 8 CreateRemoteThread, 12-14 RegistryEvent,
       22 DnsQuery, ...). Whatever Sysmon does for an unlisted event type, its built-in
       default, is left unchanged, so "disables all other logs" is only guaranteed for the
       seven event types listed below. NOTE(review): check the defaults for the installed
       Sysmon build (sysmon -s prints the schema) before relying on this file to silence
       everything. -->
<!-- Event ID 1 == ProcessCreate. Empty include: NO process-creation events are logged.
     (A stale comment here used to say "log only ping"; there is no ping rule, nothing is
     logged. Add an Image filter if process creation is actually needed.) -->
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="include"/>
</RuleGroup>
<!-- Event ID 3 == NetworkConnect. Empty include: nothing is logged. -->
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include"/>
</RuleGroup>
<!-- Event ID 5 == ProcessTerminate. Empty include: nothing is logged. -->
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="include"/>
</RuleGroup>
<!-- Event ID 9 == RawAccessRead. Empty include: nothing is logged. -->
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include"/>
</RuleGroup>
<!-- Event ID 10 == ProcessAccess. Empty include: nothing is logged. -->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include"/>
</RuleGroup>
<!-- Event ID 11 == FileCreate. The original comment said "Do not log anything!", but unlike
     the groups above this element DOES carry filter lines, so read it carefully:
     * Each filter is condition="is" against an EMPTY value, and with groupRelation="or"
       any one of them matching is enough to include the event. These fields are normally
       not empty in a real event (RuleName is the odd one out: it is populated by the rule
       that matched, so filtering on it is circular), so in practice this is expected to
       match nothing, i.e. the same outcome as an empty include, reached in a much more
       confusing way.
     * NOTE(review): this looks like the event's field list pasted in as a template. If the
       intent is to keep SOME FileCreate events (the file name fileCreate.xml suggests this
       is the event type under investigation), replace the empty values with real filters,
       e.g. a TargetFilename "begin with" / "contains" rule on the paths of interest, and
       drop the fields that are useless as filters (RuleName, the UtcTime/CreationUtcTime
       timestamps, and ProcessGuid/ProcessId, which change on every run). If the intent
       really is "log nothing", replace the whole element with
       <FileCreate onmatch="include"/> like the groups above.
     * NOTE(review): whether Sysmon accepts an empty filter value at config load is not
       verified here; load the file (sysmon -c fileCreate.xml) and check for a parse error. -->
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="include">
<RuleName condition="is"></RuleName>
<UtcTime condition="is"></UtcTime>
<ProcessGuid condition="is"></ProcessGuid>
<ProcessId condition="is"></ProcessId>
<Image condition="is"></Image>
<TargetFilename condition="is"></TargetFilename>
<CreationUtcTime condition="is"></CreationUtcTime>
</FileCreate>
</RuleGroup>
<!-- Event ID 23 == FileDelete. Empty include: nothing is logged (deleted files are also
     not archived, since the archive only happens for events this filter includes). -->
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include"/>
</RuleGroup>
</EventFiltering>
</Sysmon>