updates and restructure

olafhartong · Jun 21, 2023 · fed8170 · fed8170
1 parent 1663769
commit fed8170
Showing 1 changed file with 57 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -33,12 +33,11 @@ The sysmonconfig.xml within the repo is automatically generated after a successf
   * [Use](#use)
     + [Install](#install)
     + [Update existing configuration](#update-existing-configuration)
+  * [Python generator tool](#python-generator-tool)
   * [Sysmon Community](#sysmon-community)
-  * [Contributing](#contributing)
-  * [More information](#more-information)
-  * [Mitre ATT&CK](#mitre-attack)
-  * [NOTICE Sysmon below 13 will not completely be compatible with this configuration](#notice-sysmon-below-13-will-not-completely-be-compatible-with-this-configuration)    
-
+  * [Contributing](#contributing) 
+  * [More Information](#more-information)
+
 ---
 
 Next to the documentation below, there is also [a video](https://youtu.be/Cx_zrM8Hu7Y) on how to use this project.
@@ -61,37 +60,6 @@ To understand added features in the latest version, have a look at my [small blo
 **Note:**
 I do recommend using a minimal number of configurations within your environment for multiple obvious reasons, like; maintenance, output equality, manageability and so on. But do make tailored configurations for Domain Controllers, Servers and workstations.
 
-## Sysmon Community
-
-There are three major Sysmon configurations:
-
-- [@SwiftOnSecurity](https://twitter/com/SwiftOnSecurity):  great introductory walkthrough of many of the settings. Get started with 1 command **[https://github.com/SwiftOnSecurity/sysmon-config/](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**.
-
-- [@cyb3rops](https://twitter.com/cyb3rops):  A fork of SwiftOnSecurity, bleeding-edge and proactive. **[https://github.com/Neo23x0/sysmon-config](https://github.com/Neo23x0/sysmon-config)
-
-- [@olafhartong](https://twitter.com/olafhartong): This repo, which focuses on being very maintainable with detailed rule notes for guided response and SIEM.
-
-- An excellent community guide by [@Carlos_Perez](https:twitter.com/Carlos_Perez):
- [https://github.com/trustedsec/SysmonCommunityGuide](https://github.com/trustedsec/SysmonCommunityGuide)
-
-## Contributing
-
-Pull requests / issue tickets and new additions will be greatly appreciated!
-
-## More information
-
-I started a series of blog posts covering this repo;
-- [Endpoint detection Superpowers on the cheap - part1 - MITRE ATT&CK, Sysmon and my modular configuration](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-1-e9c28201ac47)
-- [Endpoint detection Superpowers on the cheap — part 2 — Deploy and Maintain](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-2-deploy-and-maintain-d06580329fe8)
-- [Endpoint detection Superpowers on the cheap — part 3 — Sysmon Tampering](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9)
-
-- [A comparison between Sysmon and Microsoft Defender for Endpoint](https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347) 
-
-## MITRE ATTACK
-
-I strive to map all configurations to the ATT&CK framework whenever Sysmon is able to detect it.
-Please note this is a possible log entry that might lead to a detection, not in all cases is this the only telemetry for that technique. Additionally there might be more techniques releated to that rule, the one mapped is the one I deemed most likely.
-
 ---
 
 ## Required actions
@@ -219,3 +187,56 @@ Run with administrator rights
 Run with administrator rights
 
     sysmon.exe -c sysmonconfig.xml
+
+
+## Python generator tool
+This is a new feature, created by [cnnrshd](https://github.com/cnnrshd)
+
+### Priority-based Rules Sorting
+
+1. Simple Python script that can merge based on a similar format to preexisting Include Lists - the only difference is it takes a CSV with two columns, filepath and priority
+2. A config formatted using a csv file
+3. A simple template
+5. Schemaversion is dynamic and based on the highest schema version of provided rules.
+
+Configs generated using this script maintain comments and proper XML indentation is enforced, increasing readability and allowing easier cross-referencing of rule files
+
+example prompt
+```bash
+python merge_sysmon_configs.py config_lists/default_list/default_list.csv -f csv -b templates/sysmon_template.xml  -o test.xml
+```
+
+** This way of generating content is still new and experimental. There is no support for the custom versions like the MDE augment and exclude-only versions yet.
+
+---
+
+## Sysmon Community
+
+There are three major Sysmon configurations:
+
+- [@SwiftOnSecurity](https://twitter/com/SwiftOnSecurity):  great introductory walkthrough of many of the settings. Get started with 1 command **[https://github.com/SwiftOnSecurity/sysmon-config/](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**.
+
+- [@cyb3rops](https://twitter.com/cyb3rops):  A fork of SwiftOnSecurity, bleeding-edge and proactive. **[https://github.com/Neo23x0/sysmon-config](https://github.com/Neo23x0/sysmon-config)
+
+- [@olafhartong](https://twitter.com/olafhartong): This repo, which focuses on being very maintainable with detailed rule notes for guided response and SIEM.
+
+- An excellent community guide by [@Carlos_Perez](https:twitter.com/Carlos_Perez):
+ [https://github.com/trustedsec/SysmonCommunityGuide](https://github.com/trustedsec/SysmonCommunityGuide)
+
+## Contributing
+
+Pull requests / issue tickets and new additions will be greatly appreciated!
+
+## More information
+
+I started a series of blog posts covering this repo;
+- [Endpoint detection Superpowers on the cheap - part1 - MITRE ATT&CK, Sysmon and my modular configuration](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-1-e9c28201ac47)
+- [Endpoint detection Superpowers on the cheap — part 2 — Deploy and Maintain](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-2-deploy-and-maintain-d06580329fe8)
+- [Endpoint detection Superpowers on the cheap — part 3 — Sysmon Tampering](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9)
+
+- [A comparison between Sysmon and Microsoft Defender for Endpoint](https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347) 
+
+## MITRE ATTACK
+
+I strive to map all configurations to the ATT&CK framework whenever Sysmon is able to detect it.
+Please note this is a *possible log entry* that might lead to a detection, not in all cases is this the only telemetry for that technique. Additionally there might be more techniques releated to that rule, the one mapped is the one I deemed most likely.