Sysmon Rule Configuration Version

  • Question

  • When you execute a sysmon -c, you get your configuration. I am curious if it is possible to update/modify the value displayed. This would be very useful when inventorying the system. I think it has been there for a while, but it has never been documented whether it is possible to use it.
    Wednesday, June 19, 2019 12:54 PM

All replies

  • Well, the help reports this for the -c parameter:

     -c   Update configuration of an installed Sysmon driver or dump the
           current configuration if no other argument is provided. Optionally
           take a configuration file.

    So I would say that it will be supported forever..


    Wednesday, June 19, 2019 2:01 PM
  • Correct: sysmon -c config.xml can be used to update the configuration. Sysmon -c just dumps the current config.

    MarkC (MSFT)

    Wednesday, June 26, 2019 8:27 AM
  • Sorry, I think I was not clear.  I was not referring to the Sysmon version.  I was referring to the "Rule Configuration."


    This is what I was wanting to modify.

    Friday, July 5, 2019 2:31 PM
  • Well, that seems like a bug. It should be 4.21 right now.

    It will probably be fixed.


    Friday, July 5, 2019 5:41 PM
  • Thanks for reporting. I'll be taking a look at some Sysmon bugs in the next week or so and will add this one to the list.

    MarkC (MSFT)

    Thursday, July 11, 2019 1:26 PM
  • Well, hopefully it is exposed and not mislabeled.  A colleague found a machine:

    I am hoping it is something that a user can modify.  But it appears it might be related to the schema version.  We would like to utilize this to identify what rules we are applying.  We currently are running a mix of 6.01 and 6.03.

    Friday, July 19, 2019 4:34 PM
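A defender-side way to get what the original poster wants out of the sysmon -c dump, added here as an example that is not from the thread or from Sysinternals: it pulls out the "Rule configuration (version ...)" line, which as the replies note is the schema version rather than a user-settable label, and then fingerprints the rule lines themselves so distinct rule sets can still be told apart when inventorying hosts. The exact line layout of the dump used in the constructed sample is an assumption.

```powershell
# Added example, not the thread's or Sysinternals' code.
# Assumes the "sysmon -c" dump (no file argument) contains a line of the form
#   "Rule configuration (version 4.21):"  followed by the per-event rule lines.
function Get-SysmonRuleInventory {
    param(
        # Output of "sysmon -c", one string per line.
        [Parameter(Mandatory)] [string[]] $DumpLines
    )
    $schemaVersion = $null
    $ruleLines = New-Object System.Collections.Generic.List[string]
    $inRules = $false
    foreach ($line in $DumpLines) {
        if ($line -match '^Rule configuration \(version (?<v>[\d.]+)\):') {
            $schemaVersion = $Matches['v']   # schema version, not a rule-set label
            $inRules = $true
            continue
        }
        if ($inRules -and $line.Trim().Length -gt 0) {
            $ruleLines.Add($line.Trim())
        }
    }
    # Since the displayed version cannot be set per rule set (the thread's point),
    # hash the rule lines to get an identifier that changes when the rules change.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes(($ruleLines -join "`n"))
    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Dispose()
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SchemaVersion = $schemaVersion
        RuleCount     = $ruleLines.Count
        RuleSetHash   = $hash
    }
}

# Constructed sample dump so the function can be exercised offline.
# On a real host replace this with:  $dump = & sysmon.exe -c
$sampleDump = @(
    'Current configuration:',
    ' - Service name:                  Sysmon',
    '',
    'Rule configuration (version 4.21):',
    ' - ProcessCreate                      onmatch: exclude',
    ' - NetworkConnect                     onmatch: include',
    ''
)
Get-SysmonRuleInventory -DumpLines $sampleDump
```

Two hosts reporting the same SchemaVersion but different RuleSetHash values are running different rule sets, which is the distinction the thread's inventory use case needs.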