SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Added logging for Outbound SMB Traffic. #120

Closed d4rk-d4nph3 closed 3 years ago

d4rk-d4nph3 commented 4 years ago

Outbound SMB traffic shows the usage of port scanners, exploits, etc. This PR will log only the outbound SMB traffic, filtering out the local traffic noise.
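The PR's own diff is not shown on this page, so the fragment below is an added illustration of the kind of Sysmon rule the description refers to, not the contributor's code or the sysmon-config project's. It uses a compound `Rule` (Sysmon `groupRelation="and"`, available since the 4.1 schema) so that the NetworkConnect include applies only to connections that the local host initiated to TCP 445 and whose destination is outside the internal address space. The internal ranges (10.0.0.0/8, 192.168.0.0/16, loopback) are an assumption for this example; an environment using other RFC 1918 or routable internal ranges would add one `not begin with` entry per prefix in the same way.

```xml
<!-- Added example, not from the sysmon-config repository. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: NetworkConnect. Log only outbound SMB that leaves the
           internal network; lateral-movement and scanner traffic to external
           or unexpected hosts is what the rule is meant to surface. -->
      <NetworkConnect onmatch="include">
        <Rule name="Outbound SMB to non-internal destination" groupRelation="and">
          <!-- Connection initiated by this host (outbound), not accepted inbound -->
          <Initiated condition="is">true</Initiated>
          <!-- SMB direct-hosted over TCP -->
          <DestinationPort condition="is">445</DestinationPort>
          <!-- Assumed internal ranges for this example: extend with any
               additional internal prefixes (e.g. each 172.16.-172.31. /16) -->
          <DestinationIp condition="not begin with">10.</DestinationIp>
          <DestinationIp condition="not begin with">192.168.</DestinationIp>
          <DestinationIp condition="not begin with">127.</DestinationIp>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Because all conditions sit inside one `and` rule, the destination-prefix filters narrow only this SMB rule rather than suppressing NetworkConnect events for other include rules in the same configuration, which is what a global `onmatch="exclude"` on `DestinationIp` would do. Legitimate outbound SMB (for example to a cloud file service or a partner's DFS namespace) will still match; those destinations are the ones to tune out per environment, which is the maintenance burden the maintainer's reply below is weighing.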

SwiftOnSecurity commented 3 years ago

Hi @d4rk-d4nph3 I'm sorry for not getting back to you. Your changes are great, but right now my philosophy is to reduce event numbers as much as possible, for companies that do not have central event collection or IT employees able to spend the time to tune the configuration well. I don't know how to include just the LDAP filter you added, so out of caution I'm closing this. I apologize.

I'm sorry. I've taken this to my ideas file with your name, to maybe add it in but disabled by default? Thank you for your work.