Sysmon config recommendations

[Peter Santiago]

Hi everyone,

Currently using sysmon config from

https://github.com/olafhartong/sysmon-modular.

Any tips or recommendations for an effective Windows monitoring configuration?

One of the main issues I have is that I keep hitting the Agent flooding wall.

I have also enabled Vuln detection and SCA...

Thanks,

Peter

[Juan Manuel Utrera Garcia]

Hi,

First of all, For Wazuh´s versions more recent than v3.8, we have a complete guide on How to configure Sysmon and then configure Wazuh to collect Sysmons events https://wazuh.com/blog/how-to-collect-windows-events-with-wazuh/. 

Also in this link, you have available the mean of every Sysmon Event that is used in the guide.

Said this, I would like to ask you for some additional information:

• What Wazuh version are you running?
• After changing the Sysmon Configuration, did you notice a reduction in the flooding?

If you have any questions, do not doubt to ask us.