The script validates a sysmon.xml configuration file against the schema printed by the sysmon.exe -s command.

Usage:

    python3 sysmonvalidate.py <path_config> <path_schema>

The following is checked:
- The schemaversion of the XML config does not exceed the version of the schema
- The names of the configuration options are correct, i.e. they appear in the schema's option list, e.g.

    <option switch="a" name="ArchiveDirectory" argument="required" />
    <option name="CaptureClipboard" argument="none" />
    <option switch="d" name="DriverName" argument="required" />
    <option switch="dns" name="DnsQuery" argument="optional" rule="true" />
    <option switch="g" name="PipeMonitoring" argument="required" rule="true" forceconfig="true" />
    <option switch="h" name="HashAlgorithms" argument="required" />
    <option name="DnsLookup" argument="required" />
    <option switch="k" name="ProcessAccess" argument="required" rule="true" forceconfig="true" />
    <option switch="l" name="ImageLoad" argument="optional" rule="true" />
    <option switch="n" name="NetworkConnect" argument="optional" rule="true" />
    <option switch="r" name="CheckRevocation" argument="optional" rule="true" />
    <option name="FieldSizes" argument="required" />
- The values of the groupRelation attribute of the RuleGroup element
- The names of the filtering events, e.g.

    ProcessCreate

- The values of the onmatch attribute of the filtering events, e.g.

    <ProcessCreate onmatch="exclude">

- The sub-element (data) names of each event element, as defined in the schema, e.g. for FileCreateTime:

    <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
    <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
    <data name="ProcessGuid" inType="win:GUID" />
    <data name="ProcessId" inType="win:UInt32" outType="win:PID" />

- The filter conditions used on the data elements; the allowed values are

    is, is not, contains, contains any, is any, contains all, excludes, excludes any, excludes all, begin with, not begin with, end with, not end with, less than, more than, image
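As an added example (not the project's script), a stripped-down Python version of the checks listed above, run against constructed schema and config samples. The schema layout manifest/events/event[@rulename]/data is an assumption modelled on what sysmon.exe -s prints, and compound Rule elements inside an event are not handled:

```python
# Added example, not the project's code. The schema layout (manifest/events/
# event[@rulename]/data) is an assumption modelled on "sysmon.exe -s" output.
import xml.etree.ElementTree as ET

SCHEMA = """<manifest schemaversion="4.50" binaryversion="11.0"><events>
 <event name="SYSMONEVENT_CREATE_PROCESS" value="1" rulename="ProcessCreate">
  <data name="Image" inType="win:UnicodeString" outType="xs:string" />
  <data name="CommandLine" inType="win:UnicodeString" outType="xs:string" />
 </event></events></manifest>"""  # constructed sample, not a real schema

CONFIG = """<Sysmon schemaversion="4.60"><EventFiltering>
 <RuleGroup name="g1" groupRelation="and">
  <ProcessCreate onmatch="exclude">
   <Image condition="is">svchost.exe</Image>
   <Comandline condition="contains">-k</Comandline>
  </ProcessCreate>
  <ProcesCreate onmatch="include"/>
 </RuleGroup></EventFiltering></Sysmon>"""  # constructed; three deliberate faults

GROUP_RELATIONS = {"or", "and"}
ONMATCH = {"include", "exclude"}
CONDITIONS = {"is", "is not", "contains", "contains any", "is any", "contains all", "excludes",
              "excludes any", "excludes all", "begin with", "not begin with", "end with",
              "not end with", "less than", "more than", "image"}

def version(elem):  # "4.60" -> (4, 60), so versions compare numerically, not as strings
    return tuple(int(p) for p in elem.get("schemaversion", "0").split("."))

def validate(config_xml, schema_xml):
    """Return a list of findings; an empty list means the config passed."""
    schema, config = ET.fromstring(schema_xml), ET.fromstring(config_xml)
    findings = []
    if version(config) > version(schema):
        findings.append("schemaversion %s exceeds schema %s" % (config.get("schemaversion"), schema.get("schemaversion")))
    # event rule name -> data field names that may appear as filters inside it
    fields = {ev.get("rulename"): {d.get("name") for d in ev.iter("data")} for ev in schema.iter("event") if ev.get("rulename")}
    for group in config.iter("RuleGroup"):
        if group.get("groupRelation") not in GROUP_RELATIONS:
            findings.append("RuleGroup %r: bad groupRelation %r" % (group.get("name"), group.get("groupRelation")))
        for event in group:
            if event.tag not in fields:
                findings.append("unknown event %r" % event.tag)
                continue
            if event.get("onmatch") not in ONMATCH:
                findings.append("%s: bad onmatch %r" % (event.tag, event.get("onmatch")))
            for rule in event:  # a filter without a condition attribute means "is"
                if rule.tag not in fields[event.tag]:
                    findings.append("%s: unknown field %r" % (event.tag, rule.tag))
                if rule.get("condition", "is") not in CONDITIONS:
                    findings.append("%s/%s: bad condition %r" % (event.tag, rule.tag, rule.get("condition")))
    return findings
```

Running validate(CONFIG, SCHEMA) reports the newer schemaversion, the misspelled CommandLine field and the misspelled ProcessCreate event; a correct config returns an empty list.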
TODO:
- Check the data types of the values in the rules
- Check for characters outside the XML block
- Get the schema directly from sysmon (sysmon.exe -s)