Skip to content

Instantly share code, notes, and snippets.

@oz9un
Created October 18, 2021 10:18
Show Gist options
  • Save oz9un/95bda6a6c8be54df1a976a93eb6b8308 to your computer and use it in GitHub Desktop.
Save oz9un/95bda6a6c8be54df1a976a93eb6b8308 to your computer and use it in GitHub Desktop.
SysmonForLinux - Disable all logs [Main Template]
<Sysmon schemaversion="4.70">
<EventFiltering>
<!-- BELOW PART DISABLES ALL OTHER LOGS FOR FIXING THE MESS!-->
<!-- Event ID 1 == ProcessCreate. Log only ping process. -->
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="include"/>
</RuleGroup>
<!-- Event ID 3 == NetworkConnect Detected. Do not log anything!-->
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include"/>
</RuleGroup>
<!-- Event ID 5 == ProcessTerminate. Do not log anything! -->
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="include"/>
</RuleGroup>
<!-- Event ID 9 == RawAccessRead. Do not log anything! -->
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include"/>
</RuleGroup>
<!-- Event ID 10 == ProcessAccess. Do not log anything! -->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include"/>
</RuleGroup>
<!-- Event ID 11 == FileCreate. Do not log anything! -->
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="include"/>
</RuleGroup>
<!--Event ID 23 == FileDelete. Do not log anything! -->
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include"/>
</RuleGroup>
</EventFiltering>
</Sysmon>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment