Sysmon - export installed configuration as XML to be deployed somewhere else

  • Question

  • Sysmon supports printing the deployed configuration using "sysmon -c" without providing a config file, in a pretty-printed format.

    However, I couldn't find a way to print it in XML format that enables editing and re-importing somewhere else (you have to have the original XML).

    Previous efforts (https://github.com/mattifestation/PSSysmonTools) are not valid anymore.

    Adding this feature, or pointing me towards a tool that does that for the latest Sysmon version, would be appreciated.


    • Edited by Sherif Eldeeb Thursday, September 12, 2019 5:24 PM typo
    Thursday, September 12, 2019 5:24 PM

All replies

  • Hi Sherif

    Thanks for the suggestion. I've added it to the Sysmon backlog for consideration at the next monthly backlog review. But in advance of that, could you clarify the use case for me? Specifically, why would you want to generate a file that you supplied in the first place?


    MarkC(MSFT)

    Monday, September 16, 2019 8:49 AM
  • Greetings Mark,

    Use cases:

    1. Auditing, comparing, exporting, re-importing somewhere else and reporting on existing configs programmatically (XML is parsable), and
    2. Developing a program that enables us to "merge" custom configs with a centrally-pushed one (e.g. some users have custom Sysmon configurations, like developers excluding logging of java.exe network connects, and we don't want them to lose that customization when we push the new configs).

    Also, it is much easier to know which config has been pushed where (answering your question about why I might want to do that for a deployment I did myself)

    Thanks a lot!


    Monday, September 16, 2019 9:47 AM
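A minimal version of the merge described in use case 2, as an added example that is not part of this thread and not a Sysmon or Sysinternals tool: it uses Python's standard xml.etree on two constructed sample configs, matches events by tag and onmatch setting, and only understands plain field rules (not compound <Rule> blocks).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the config pushed to every host.
CENTRAL_XML = """<Sysmon schemaversion="4.22"><EventFiltering>
  <RuleGroup name="" groupRelation="or">
    <NetworkConnect onmatch="exclude"><Image condition="image">OneDrive.exe</Image></NetworkConnect>
    <ProcessCreate onmatch="include"><Image condition="image">powershell.exe</Image></ProcessCreate>
  </RuleGroup>
</EventFiltering></Sysmon>"""

# Constructed sample: a developer's local exclusions (java.exe network connects).
CUSTOM_XML = """<Sysmon schemaversion="4.22"><EventFiltering>
  <RuleGroup name="dev" groupRelation="or">
    <NetworkConnect onmatch="exclude">
      <Image condition="image">java.exe</Image>
      <Image condition="image">OneDrive.exe</Image>
    </NetworkConnect>
    <FileCreate onmatch="exclude"><TargetFilename condition="end with">.class</TargetFilename></FileCreate>
  </RuleGroup>
</EventFiltering></Sysmon>"""

def event_filters(root):  # every event filter element, i.e. anything carrying onmatch
    return [el for el in root.find("EventFiltering").iter() if el.get("onmatch")]

def rule_key(rule):
    """Identity of one rule: field, condition (Sysmon default is 'is') and value."""
    return (rule.tag, rule.get("condition", "is"), (rule.text or "").strip())

def list_rules(xml_text, event, onmatch):
    """Rule keys under one event type / onmatch setting in the given config."""
    return [rule_key(r) for ev in event_filters(ET.fromstring(xml_text))
            if (ev.tag, ev.get("onmatch")) == (event, onmatch) for r in ev]

def merge_configs(central_xml, custom_xml):
    """Return the central config with the custom config's rules merged in."""
    central = ET.fromstring(central_xml)
    for custom_ev in event_filters(ET.fromstring(custom_xml)):
        same = [ev for ev in event_filters(central)
                if (ev.tag, ev.get("onmatch")) == (custom_ev.tag, custom_ev.get("onmatch"))]
        if not same:  # event type not filtered centrally yet: carry the whole block over
            group = ET.SubElement(central.find("EventFiltering"), "RuleGroup", name="merged", groupRelation="or")
            group.append(custom_ev)
            continue
        existing = {rule_key(r) for r in same[0]}
        for rule in custom_ev:
            if rule_key(rule) not in existing:  # skip rules already present centrally
                same[0].append(rule)
                existing.add(rule_key(rule))
    return ET.tostring(central, encoding="unicode")
```

The merged string can be written to a file and loaded with "sysmon -c", which is also the point at which Sysmon's own schema validation catches anything the merge produced that it does not accept.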