Update
SwiftOnSecurity committed Jun 12, 2019
1 parent 7cd889b commit 3df6f3b
Showing 1 changed file with 18 additions and 12 deletions.
30 changes: 18 additions & 12 deletions z-AlphaVersion.xml
Expand Up @@ -10,37 +10,43 @@
Fork project: <N/A>
Fork license: <N/A>
REQUIRED: Sysmon version 9.02 or higher (due to changes in syntax and bug-fixes)
REQUIRED: Sysmon version 9.10 or higher (due to changes in syntax and bug-fixes)
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
Note that 6.03 and 7.01 have critical fixes for filtering, it's VERY recommended you stay updated.
NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF | Command to allow log access to the Network Service:
wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own.
This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
This configuration is based around known, high-signal event tracing, and thus appears complicated, but it is only very
detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
as possible to technicians armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool.
Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, you may remove the section.
You can remove DNS from the Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22
NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, just remove that section.
You can remove DNS events from Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22
Additionally, if you want to monitor DNS, you should deploy client-side adblocking to reduce lookups. See the DNS section for info.
NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
to study it, many ways to evade some of the logging. If you are in a very high-threat environment, you should consider a much broader
log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened.
10% of the effort gets 95% of the results. They rely on nobody watching because almost nobody does. Your effort makes the difference.
NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive. That moves their binaries out of user-controlled folders.
Otherwise, attackers could imitate these common applications, and bypass your logging. Below are silent upgrades you can do, no user impact:
https://docs.microsoft.com/en-us/onedrive/per-machine-installation
https://cloud.google.com/chrome-enterprise/browser/download/
NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader,
log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which
this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened.
10% of the effort gets 95% of the results. APT rely on nobody watching because almost nobody does. Your effort makes the difference.
What matters is you. Start acting like it. Start demanding it. I spent 10 years not doing that. I regret every moment I didn't.
YOU make the difference. I went from a department with nothing, to a deparment with everything. And yet, PEOPLE are what matter.
If you are reading this, you are already far along the path to changing the world for the better. Advocate for yourself.
Find somewhere new if you are selfless, yet unvalued. These words are what I would have told an earlier me. I wish I did.
You are already the candidate of the future. A mirror will never tell truth. Tools can only show what you already beleive.
NOTE: If you encounter unexplanable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename.
To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup.
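Review bot: the rewritten evasion caveat drops "many ways to evade some of the logging" in favour of "limited ways to evade", which softens a security warning without any corresponding change to the filter rules in this commit; either keep the original wording or state what justified the downgrade. The minimum version bump from 9.02 to 9.10 also leaves the "Note that 6.03 and 7.01 have critical fixes for filtering" line in place, which is now redundant and worth removing. Finally, the newly added lines carry typos that should be fixed before merge: "deparment", "beleive" and "unexplanable".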

1 comment on commit 3df6f3b

@nickadam

Thanks for the inspirational note. Love it!