Sysmon is a free driver-based utility that supplements Windows' built-in audit capabilities. Combining Sysmon with EventSentry's monitoring enables users to detect a number of potential threats on their monitored servers and workstations. The required Sysmon configuration file is attached below.
This article includes a pre-made Event Log Filter package with the filters required to detect suspicious activity in the Windows Print Spooler and alert on possible exploitation of the remote code execution vulnerability known as PrintNightmare (CVE-2021-1675).
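As an illustration of the kind of Sysmon rule such a package relies on (an added example, not the configuration file attached to this article nor EventSentry's own filters), the fragment below logs a Sysmon ImageLoad event (Event ID 7) whenever spoolsv.exe loads a DLL from the spool drivers directory, which is where a printer-driver DLL supplied by an attacker would be placed. The schema version and the assumption that spoolsv.exe runs from its default location are mine; EventSentry's filter would then match on the resulting event.

```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- "include" means: only log ImageLoad events that match a rule below -->
    <RuleGroup name="PrintNightmare: spoolsv loaded DLL from spool drivers dir" groupRelation="or">
      <ImageLoad onmatch="include">
        <!-- both conditions must hold for a single event -->
        <Rule groupRelation="and">
          <!-- condition "image" matches the file name regardless of path (assumed default spooler) -->
          <Image condition="image">spoolsv.exe</Image>
          <!-- driver DLLs are staged under %SystemRoot%\System32\spool\drivers\ -->
          <ImageLoaded condition="contains">\spool\drivers\</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Legitimate driver installations also trigger this rule, so pair it with a baseline of expected driver loads and treat unsigned or newly written DLLs under that directory as the high-priority matches.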
To start using the PrintNightmare filter rules, follow the steps below:
Attachments:
- Event Log Package for PrintNightmare
- Sysmon configuration file