atomic-threat-coverage/logging_policies/LP_0005_windows_sysmon_network_connection.yml
2019-02-12 04:55:11 +01:00


title: LP_0005_windows_sysmon_network_connection
default: Not configured
volume: High
description: >
  The network connection event logs TCP/UDP connections on the machine.
  It is disabled by default. Each connection is linked to a process
  through the ProcessId and ProcessGUID fields. The event also contains
  the source and destination host names, IP addresses, port numbers and IPv6 status.
eventID:
- 3
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
configuration: |
  Sysmon event ID 3 is disabled by default.
  It can be enabled by specifying the -n option.
  However, due to the high volume of logs it produces, it should be filtered with a configuration file.
  A sample configuration can be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
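The following is an added illustrative fragment (not part of the atomic-threat-coverage project and not taken from the SwiftOnSecurity configuration) showing how a Sysmon configuration file enables Event ID 3 while keeping the volume down: an include-mode `NetworkConnect` filter that only records connections from interpreters and system binaries that rarely need the network, connections to a handful of remote-administration ports, and connections from binaries running out of user-writable paths, plus an exclude-mode group for a known-noisy process. The updater path is a placeholder; the port list and image names are assumptions to be tuned per environment.

```xml
<Sysmon schemaversion="4.22">
  <!-- Added example, not from the page's project or the SwiftOnSecurity config.
       The schemaversion should be one supported by the installed Sysmon binary. -->
  <EventFiltering>
    <!-- Within a RuleGroup with groupRelation="or", an event matches if ANY rule matches. -->
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="include": only connections matching one of these rules are logged;
           everything else is dropped inside the driver, which is what keeps volume down. -->
      <NetworkConnect onmatch="include">
        <!-- condition="image" matches on the file name only, regardless of path. -->
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">wscript.exe</Image>
        <Image condition="image">cscript.exe</Image>
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">regsvr32.exe</Image>
        <Image condition="image">rundll32.exe</Image>
        <!-- Remote-administration / file-sharing ports that deserve a record (assumed list). -->
        <DestinationPort condition="is">22</DestinationPort>
        <DestinationPort condition="is">23</DestinationPort>
        <DestinationPort condition="is">445</DestinationPort>
        <DestinationPort condition="is">3389</DestinationPort>
        <DestinationPort condition="is">5985</DestinationPort>
        <!-- Anything making connections from user-writable locations. -->
        <Image condition="begin with">C:\Users\</Image>
        <Image condition="contains">\AppData\</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude" rules take precedence over include rules, so a process known
           to be chatty can be silenced even if it hits a rule above.
           The path is a placeholder, not a real product. -->
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Program Files\ExampleVendor\Updater\updater.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

When a configuration file is supplied, the `NetworkConnect` section is what turns Event ID 3 on, so the `-n` switch is not needed: install with `sysmon64.exe -accepteula -i <config.xml>` or push the file to an existing installation with `sysmon64.exe -c <config.xml>`. Before rolling the filter out, check the resulting event rate on a file server and a domain controller; port 445 and 3389 in an include list can still produce a large number of events on those hosts, and the rule set should be narrowed (for example to workstations) if the volume is not acceptable.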