Edit Your Sysmon Config in Style
Does this look familiar?
Until very recently, I was there too.
Notepad++ is a fantastic tool that I use for hours every day, but it's not ideal for editing large Sysmon config files. I recently looked at other options and found a setup that I was happy with, so let's take a look at how you can replicate it.
Navigate to the Extensions menu, then search for and install the Sysmon extension:
We'll also be installing the "Bookmarks" extension:
During the setup, you'll have the option to use VS Code as the default editor for Git; I chose this option:
Now restart VS Code and start a new Sysmon config; the Sysmon extension will help you here:
In my case, I had a private GitHub repo set up for my Sysmon config, so I want to set that repo up and then save my new blank Sysmon config file to it:
Now save your config file and give it a name. Make sure to save it to the folder where you initialized your Git repo, in my case C:\Repos\sysmon-config.
You should see a "1" icon next to the Source Control menu option in VS Code after saving your config file. Navigate to that menu, add your commit message, stage the changes, and then commit them to your GitHub repo:
When you are done committing your changes, push them via the terminal or the GUI; you should now see your changes in GitHub:
Now your Sysmon config is source controlled and lives in a feature-rich text editor with auto-completion for Sysmon's config syntax. Nice!
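One thing worth adding before you commit is a sanity check that the file is still a well-formed Sysmon config, so a stray edit never reaches the repo (and never gets loaded onto an endpoint). The script below is an added example, not part of the original post or of the Sysmon extension: it parses a constructed sample config (the schemaversion value is a placeholder) and summarizes each rule group, rejecting malformed XML, a wrong root element, or an onmatch value other than include/exclude.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (schemaversion is a placeholder): a ProcessCreate
# exclusion section like the one bookmarked later in the post, plus one include group.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ProcessCreate exclusions" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
        <Image condition="end with">\\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="NetworkConnect includes" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

def summarize_config(xml_text):
    """Return one dict per event filter; raise ValueError on a malformed or invalid config."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"config is not well-formed XML: {exc}") from exc
    if root.tag != "Sysmon" or "schemaversion" not in root.attrib:
        raise ValueError("root element must be <Sysmon schemaversion=...>")
    summary = []
    for group in root.iter("RuleGroup"):
        for event in group:  # each child is one event type, e.g. ProcessCreate
            onmatch = event.get("onmatch")
            if onmatch not in ("include", "exclude"):
                raise ValueError(f"{event.tag}: onmatch must be include or exclude")
            summary.append({"group": group.get("name", ""), "event": event.tag,
                            "onmatch": onmatch, "rules": len(list(event))})
    return summary

def is_valid_config(xml_text):
    """True if summarize_config accepts the text, else False (handy in a pre-commit hook)."""
    try:
        summarize_config(xml_text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for row in summarize_config(SAMPLE_CONFIG):
        print(f"{row['group']:<26} {row['event']:<15} {row['onmatch']:<8} {row['rules']} rule(s)")
```

Point it at your real config file instead of SAMPLE_CONFIG and wire is_valid_config into a Git pre-commit hook to block commits that would break the config.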
As a final step, use the Bookmarks extension to set bookmarks within your Sysmon config so you can jump between the various sections of a large config file.
If you've installed the Bookmarks extension, navigate to the line where you want to set your bookmark and hit CTRL+ALT+K (or right-click --> Toggle Bookmark). In my case, I'm going to bookmark my ProcessCreate exclusions section:
You can also rename bookmarks to your liking; I've found this kind of bookmark layout time-saving:
And that's it -- a nice upgrade from Notepad++.
- For great Sysmon configs, check out: