[Rule Tuning] Review Registry-based EQL Rules for Sysmon Compatibility

[w0rk3r]

Description

Some rules that monitor registry changes are not compatible with sysmon. Some examples of tunings were:

• [Rule Tuning] Modification of AmsiEnable Registry Key - Sysmon #1760
• [Rule Tuning] Volume Shadow Copy Deleted or Resized via VssAdmin - Sysmon #1757

We need to review our ruleset to ensure that we have compatible rules where intended.