steviefaux asked

Using sysmon to monitor a folder activity by a specific user

I find the sysmon config files confusing, and there isn't enough clear info on creating them, so I'm having issues finding out whether this is possible or not.

I'd like to ignore most logs sysmon can do and just use it to monitor one specific folder and one specific AD user that accesses said folder.

Is this possible and what would the config file look like if so?

windows-sysinternals-sysmon

dstaulcu answered

I'd recommend reviewing the sysmon community guide to orient yourself on what sysmon can log and how to administer it.

Sysmon does not log folder accesses where a user simply reads files in a folder. It does have logging capabilities for file create and file delete operations.

I happen to do a lot of testing of sysmon and use this script to create sysmon configuration templates which collect nothing by default.

Once you have a configuration file from the output of the script above, you would want to edit it and add include-oriented rules to the FileDeleteDetected and FileCreate event type rule groups.

 <RuleGroup name="FileDeleteDetected_RG_001" groupRelation="or">
     <FileDeleteDetected onmatch="include">
         <Rule groupRelation="and" name="">
             <User condition="contains any">steviefaux;dstaulcu</User>
             <TargetFilename condition="contains any">c:\sensitive_dir_1;c:\sensitive_dir_2</TargetFilename>
         </Rule>
     </FileDeleteDetected>
 </RuleGroup>

 <RuleGroup name="FileCreate_RG_001" groupRelation="or">
     <FileCreate onmatch="include">
         <Rule groupRelation="and" name="">
             <User condition="contains any">steviefaux;dstaulcu</User>
             <TargetFilename condition="contains any">c:\sensitive_dir_1;c:\sensitive_dir_2</TargetFilename>
         </Rule>
     </FileCreate>
 </RuleGroup>

I tried to attach a full xml file but the file upload failed for some reason. Here is the resultant config:

[screenshot attachment: 195361-screenshot-2022-04-21-201606.jpg]

steviefaux answered

Thanks. I'll give it a look on Monday.

steviefaux answered

Thanks. It appears to work and gives me an idea of what to use. Although it doesn't appear to be picking up the file deletes in my testing, that could be me doing something wrong. At least I've got an idea of how to craft the config file for it.

Thanks.

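To check what dstaulcu's include rules would and would not log before deploying them, here is a small evaluator of Sysmon rule semantics (case-insensitive comparison, "contains any" splitting on ";", groupRelation="and" inside a Rule) run over constructed sample events. It is added here and is not Sysmon's own code or anything from the thread; the domain name CORP, the file names and the $Recycle.Bin path are constructed, and the last sample illustrates one common reason an Explorer delete shows no FileDeleteDetected event for the watched folder: the file is first renamed into $Recycle.Bin, so the eventual delete no longer carries the folder path.

```python
import xml.etree.ElementTree as ET
# Constructed: the answer's two RuleGroups inside the <EventFiltering> element a full config keeps them in.
RULES_XML = r"""<EventFiltering>
 <RuleGroup name="FileDeleteDetected_RG_001" groupRelation="or">
  <FileDeleteDetected onmatch="include">
   <Rule groupRelation="and" name="">
    <User condition="contains any">steviefaux;dstaulcu</User>
    <TargetFilename condition="contains any">c:\sensitive_dir_1;c:\sensitive_dir_2</TargetFilename>
   </Rule>
  </FileDeleteDetected>
 </RuleGroup>
 <RuleGroup name="FileCreate_RG_001" groupRelation="or">
  <FileCreate onmatch="include">
   <Rule groupRelation="and" name="">
    <User condition="contains any">steviefaux;dstaulcu</User>
    <TargetFilename condition="contains any">c:\sensitive_dir_1;c:\sensitive_dir_2</TargetFilename>
   </Rule>
  </FileCreate>
 </RuleGroup>
</EventFiltering>"""

def field_matches(value, condition, pattern):
    v, p = value.lower(), pattern.lower()  # Sysmon string comparisons are case-insensitive
    if condition == "contains any":  # pattern is a ';'-separated list; any member is enough
        return any(tok.strip() in v for tok in p.split(";") if tok.strip())
    return {"is": v == p, "contains": p in v, "begin with": v.startswith(p), "end with": v.endswith(p)}[condition]

def rule_matches(rule, event):
    """<Rule groupRelation="and"> needs every field to match, "or" any one; an empty rule never matches."""
    hits = [field_matches(event.get(f.tag, ""), f.get("condition", "is"), f.text or "") for f in rule]
    return bool(hits) and (all(hits) if rule.get("groupRelation", "or") == "and" else any(hits))

def event_is_logged(filtering_xml, event_type, event):
    """True if an include filter for event_type holds a matching <Rule> (types absent from the config are not modelled)."""
    for filt in ET.fromstring(filtering_xml).iter(event_type):
        # The answer's RuleGroups use groupRelation="or": any one matching Rule includes the event.
        if filt.get("onmatch") == "include" and any(rule_matches(r, event) for r in filt.iter("Rule")):
            return True
    return False

# Constructed sample events; Sysmon reports User as DOMAIN\name.
EVENTS = [
    ("FileDeleteDetected", {"User": r"CORP\steviefaux", "TargetFilename": r"C:\sensitive_dir_1\payroll.xlsx"}),
    ("FileCreate", {"User": r"CORP\dstaulcu", "TargetFilename": r"C:\Sensitive_Dir_2\draft.docx"}),
    ("FileCreate", {"User": r"CORP\someone_else", "TargetFilename": r"C:\sensitive_dir_1\draft.docx"}),
    # Explorer moves a deleted file into $Recycle.Bin first; the eventual delete then carries that path.
    ("FileDeleteDetected", {"User": r"CORP\steviefaux", "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1\$RQ1XYZ.xlsx"}),
]

def evaluate_samples():
    return [event_is_logged(RULES_XML, kind, fields) for kind, fields in EVENTS]  # [True, True, False, False]
```

Real Sysmon applies its own per-event default to event types the config does not mention at all, which is why the template dstaulcu describes lists every event type explicitly.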