SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

NetworkConnect Exclusion Recommendation #14

Closed vector-sec closed 5 years ago

vector-sec commented 7 years ago

During testing I noticed a little bit of network noise generated by OneDriveStandaloneUpdater.exe

It might be worth adding an exclusion for it like this https://github.com/vector-sec/sysmon-config/blob/vector-changes/sysmonconfig-export.xml#L85

(I also noticed noise for slack.exe, but it'll depend on if you use Slack in your org as to whether or not you would bother excluding it.)

SwiftOnSecurity commented 5 years ago

Thanks for your recommendation, I'm sorry it took so long to get to it. Due to the risk of this allowing attackers to evade, I can't include it. Every network has to make these decisions though, there's nothing wrong with that.
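To make the trade-off in this thread concrete, here is an added example of what the proposed exclusion looks like in Sysmon configuration syntax, next to a narrower form. It is not part of the sysmon-config project's rules and was not posted by either participant. Assumptions: Sysmon 8.0 or later (compound `<Rule groupRelation="and">` elements; the schemaversion shown is a placeholder, use the one your Sysmon binary reports), that OneDriveStandaloneUpdater.exe runs from the per-user `%LOCALAPPDATA%\Microsoft\OneDrive\` install, and the `.microsoft.com` hostname suffix is a placeholder to be replaced with the destinations actually observed in your own NetworkConnect events.

```xml
<!-- Added example, not the sysmon-config project's own rules.
     Assumes Sysmon 8.0+ (compound <Rule> support); schemaversion is a placeholder. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">

        <!-- Weak form, roughly what the issue proposes. The "image" condition matches
             on file name alone, so any binary an attacker names
             OneDriveStandaloneUpdater.exe, in any directory, has its outbound
             connections dropped from the log. Shown here only for comparison;
             because exclusions are ORed, leaving this line active would make the
             narrower rule below irrelevant:

             <Image condition="image">OneDriveStandaloneUpdater.exe</Image>
        -->

        <!-- Narrower form: all three conditions must hold before an event is excluded.
             A renamed tool in C:\Users\Public or a connection to a C2 on port 4444
             is still logged. It does not close the gap the maintainer describes:
             a binary dropped under the same relative path (assumed install location),
             talking HTTPS to a host whose name matches the suffix, is still hidden.
             DestinationHostname comes from a reverse lookup and may be empty, in which
             case the event is simply not excluded. -->
        <Rule groupRelation="and">
          <Image condition="end with">\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Image>
          <DestinationPort condition="is">443</DestinationPort>
          <!-- Placeholder suffix: replace with hostnames seen in your own Event ID 3 data. -->
          <DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
        </Rule>

      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Before adding any such rule, count how many Event ID 3 records the process actually generates over a week in your environment; if the volume is small, the maintainer's position (log it and tolerate the noise) costs little, and an exclusion buys an attacker a quiet channel for nothing.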