Updated File Event Monitor (markdown)

File-Event-Monitor.md

@@ -37,9 +37,39 @@ Once all implementations and configurations are complete, you should see the fol
 2024-09-10 오후 2:22:14: onNetworkConnected recevied. technique_id=T1571,technique_name=Non-Standard Port, 33248, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, udp://fe80:0:0:0:faa7:67af:298e:fb1d:5353
 ```
 
-
-
 ### For System Administrators or Security Analysts
 
 #### MITRE ATT&CK (MITRE attack)
 
+WelsonJS can be utilized in conjunction with MITRE ATT&CK. Please follow the steps below:
+
+1. Download [Sysinternals Sysmon (microsoft.com)](https://learn.microsoft.com/ko-kr/sysinternals/downloads/sysmon).
+2. Download and apply [the sysmon configuration](https://github.com/olafhartong/sysmon-modular) (The configuration installation will be performed along with the sysmon installation using the command below.)
+
+    ```
+    sysmon.exe -accepteula -i sysmonconfig.xml
+    ```
+
+3. In the WelsonJS configuration file (`settings.ini`), set the `DISABLE_FILE_MONITOR` (in the `Service` section) value to false.
+
+    ```ini
+    [Service]
+    DISABLE_FILE_MONITOR=false
+    ```
+
+4. Install the WelsonJS service
+
+   ```
+   installService.bat
+   ```
+
+   If you want to debug it, start the interactive service.
+
+   ```
+   startInteractiveService.bat
+   ```
+
+5. Check the log in the `WelsonJS.Service.Log.txt` file. Typically, the log file can be found in one of the following directories:
+
+    * C:\Windows\SystemTemp
+    * C:\User\<USERNAME>\AppData\Local\Temp