HOW-TO GUIDE | DETECTION ENGINEERING
Updated 10 min read

How to Configure Sysmon with a Production Config (SwiftOnSecurity/Olaf Hartong)

Event ID 1
Sysmon Process Creation: logs every process start with full command line, parent process, image hash (MD5/SHA256), and logon GUID; the highest-value Sysmon event for threat hunting
Event ID 10
Sysmon Process Access: logs when one process opens another with specific access rights; key for detecting LSASS credential dumping (target = lsass.exe, access mask = 0x1010)
SwiftOnSecurity
The original and most widely deployed community Sysmon config: single XML file tuned to balance coverage vs noise; good starting point for any SOC
Sysmon-Modular
Olaf Hartong's modular Sysmon config: built from composable rule files that can be enabled/disabled per environment; more granular and regularly updated with new MITRE ATT&CK coverage

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Sysmon out of the box logs only basic configuration events. Without an XML configuration file, you get Event 4 (service state changes) and Event 16 (config changes): nearly nothing for security monitoring. The configuration file is everything: it controls which processes are tracked, which network connections are logged, which registry operations generate events, and how much noise is filtered.

The SwiftOnSecurity and Olaf Hartong configs represent years of tuning against real attack data. Both are designed to capture attacker TTPs while filtering the legitimate high-frequency operations (Windows Update, antivirus processes, common browsers) that would overwhelm a SIEM with noise.

Installing Sysmon and Choosing a Config

Download and install Sysmon:

# Download Sysmon from Microsoft Sysinternals
# https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

# Install with a config file:
sysmon64.exe -accepteula -i sysmonconfig.xml

# Update config on a running Sysmon installation (no restart needed):
sysmon64.exe -c sysmonconfig.xml

# Verify Sysmon is running:
Get-Service Sysmon64 | Select-Object Status, StartType
# Status: Running

# Check what config is currently loaded:
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5 | \
  Where-Object { $_.Id -eq 16 } | \
  Select-Object TimeCreated, Message
# Event 16 shows the current config hash and version

SwiftOnSecurity config: best for getting started:

# Clone the repo:
git clone https://github.com/SwiftOnSecurity/sysmon-config
cd sysmon-config

# The main file is sysmonconfig-export.xml
# Review and customize before deploying: read all comments

# Install with the config:
sysmon64.exe -accepteula -i sysmonconfig-export.xml

Olaf Hartong Sysmon-Modular: best for mature SOCs:

# Clone the modular repo:
git clone https://github.com/olafhartong/sysmon-modular
cd sysmon-modular

# Build a merged config from modules:
# Each module is a separate XML file covering a specific technique or event type
# Merge them with the provided script:
.\Merge-SysmonXml.ps1 -Path .\"*\*.xml" -AsString | Out-File sysmon-merged.xml

# Or use the pre-built config:
# sysmonconfig.xml in the repo root is the merged version
sysmon64.exe -accepteula -i sysmonconfig.xml

# Sysmon-Modular organizes configs by MITRE technique:
# 1_process_creation/
# 3_network_connection/
# 6_driver_loaded/
# 7_image_loaded/
# 8_create_remote_thread/
# 10_process_access/
# 11_file_create/
# 12-14_registry/
# 15_file_create_stream_hash/
# 17-18_named_pipe/
# 22_dns_query/
# 25_process_tampering/

Key Event IDs and What to Hunt

Event ID 1: Process Creation:

The most valuable Sysmon event: logs every process with the full command line, parent process, and image hash.

<!-- Sysmon config snippet for process creation -->
<EventFiltering>
  <ProcessCreate onmatch="exclude">
    <!-- Exclude high-volume, known-safe processes -->
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
    <!-- IMPORTANT: Don't exclude too broadly: attackers rename tools -->
  </ProcessCreate>
</EventFiltering>
// Sentinel KQL: detect PowerShell with encoded commands (common obfuscation)
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData)
| extend
    Image = tostring(EventData.DataItem.EventData.Data[4]["#text"]),
    CommandLine = tostring(EventData.DataItem.EventData.Data[10]["#text"]),
    ParentImage = tostring(EventData.DataItem.EventData.Data[20]["#text"])
| where Image has "powershell"
    and CommandLine has_any ("-enc", "-EncodedCommand", "-ec ", "FromBase64")
| project TimeGenerated, Computer, Image, CommandLine, ParentImage

Event ID 3: Network Connection:

// Detect processes making outbound connections that should not have network access
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EventData = parse_xml(EventData)
| extend
    Image = tostring(EventData.DataItem.EventData.Data[4]["#text"]),
    DestIP = tostring(EventData.DataItem.EventData.Data[14]["#text"]),
    DestPort = tostring(EventData.DataItem.EventData.Data[16]["#text"])
| where Image has_any ("notepad", "wordpad", "calc", "mspaint", "write")
    and DestIP !startswith "10." and DestIP !startswith "192.168."
// Notepad making external connections = process injection indicator

Event ID 8: Create Remote Thread (process injection):

// Detect remote thread injection into sensitive processes
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 8
| extend EventData = parse_xml(EventData)
| extend
    SourceImage = tostring(EventData.DataItem.EventData.Data[4]["#text"]),
    TargetImage = tostring(EventData.DataItem.EventData.Data[6]["#text"])
| where TargetImage has_any ("lsass", "winlogon", "explorer", "svchost", "csrss")
    and not (SourceImage has_any ("MsMpEng", "msiexec", "Defender"))
| project TimeGenerated, Computer, SourceImage, TargetImage

Event ID 10: Process Access (LSASS dumping):

// Detect LSASS access with credential-stealing access masks
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 10
| extend EventData = parse_xml(EventData)
| extend
    SourceImage = tostring(EventData.DataItem.EventData.Data[4]["#text"]),
    TargetImage = tostring(EventData.DataItem.EventData.Data[6]["#text"]),
    GrantedAccess = tostring(EventData.DataItem.EventData.Data[8]["#text"])
| where TargetImage has "lsass.exe"
    and GrantedAccess in ("0x1010", "0x1038", "0x143a", "0x40", "0x1410", "0x1fffff")
    and SourceImage !has "MsMpEng"
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess

Event ID 22: DNS Query:

// Detect DNS queries to newly registered or suspicious domains
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 22
| extend EventData = parse_xml(EventData)
| extend
    Image = tostring(EventData.DataItem.EventData.Data[4]["#text"]),
    QueryName = tostring(EventData.DataItem.EventData.Data[5]["#text"])
// Match against threat intel domain list:
| where QueryName has_any ("pastebin.com", "ngrok.io", "requestbin")  // Known attacker-used services
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Deploying Sysmon at Scale via GPO or Intune

GPO deployment for domain environments:

# Step 1: Place Sysmon64.exe and config in a SYSVOL share
# \\corp.local\SYSVOL\corp.local\scripts\sysmon\
# - Sysmon64.exe
# - sysmonconfig.xml

# Step 2: Create a GPO startup script
# Computer Configuration > Windows Settings > Scripts (Startup) >
# Startup > Add PowerShell script:

$sysmonShare = "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\sysmon"
$sysmonExe = "$env:SystemRoot\\Sysmon64.exe"
$configPath = "$env:SystemRoot\\sysmonconfig.xml"

# Install Sysmon if not present
if (-not (Test-Path $sysmonExe)) {
    Copy-Item "$sysmonShare\Sysmon64.exe" $sysmonExe
}

# Copy config
Copy-Item "$sysmonShare\sysmonconfig.xml" $configPath -Force

# Install or update
$service = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($service -eq $null) {
    & $sysmonExe -accepteula -i $configPath
} else {
    & $sysmonExe -c $configPath  # Update config only, no restart needed
}

Intune deployment (Win32 app):

# Package as Win32 app:
# IntuneWinAppUtil.exe -c .\SysmonPackage -s install.ps1 -o .\output

# install.ps1:
$configFile = Join-Path $PSScriptRoot "sysmonconfig.xml"
sysmon64.exe -accepteula -i $configFile

# detection.ps1 (Intune detection rule):
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq "Running") { exit 0 } else { exit 1 }

Ship Sysmon events to SIEM (Winlogbeat):

# winlogbeat.yml
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
    # Include all Sysmon event IDs (1-29)

output.elasticsearch:
  hosts: ["https://elasticsearch:9200"]
  index: "sysmon-%{+yyyy.MM.dd}"

# For Splunk: use the Splunk Universal Forwarder
# inputs.conf:
# [WinEventLog://Microsoft-Windows-Sysmon/Operational]
# index = sysmon
# disabled = false

The bottom line

Install Sysmon with a production config: SwiftOnSecurity's sysmon-config.xml for rapid deployment, Olaf Hartong's Sysmon-Modular for maximum coverage tuned per environment. The highest-value events: Event 1 (process creation with full command line and hash), Event 10 (LSASS access for credential dump detection), Event 8 (remote thread injection), Event 3 (network connections per process), and Event 22 (DNS queries). Deploy via GPO startup script or Intune Win32 app; forward the Microsoft-Windows-Sysmon/Operational event log to your SIEM via Winlogbeat or Splunk Universal Forwarder.

Frequently asked questions

What is the best Sysmon configuration for a production environment?

SwiftOnSecurity's sysmon-config (github.com/SwiftOnSecurity/sysmon-config) is the standard starting point: a single XML file with well-documented exclusions for common noise. Olaf Hartong's Sysmon-Modular (github.com/olafhartong/sysmon-modular) provides more granular, technique-mapped coverage and is updated more frequently with new MITRE ATT&CK coverage. Both are significantly better than no config or a minimal config: install one before you need it.

What are the most important Sysmon event IDs?

Event ID 1 (Process Creation): full command line and hash for every process; Event ID 3 (Network Connection): outbound connections per process; Event ID 8 (Create Remote Thread): process injection detection; Event ID 10 (Process Access): LSASS credential dump detection via access mask; Event ID 22 (DNS Query): C2 domain detection per process; Event ID 11 (File Create): malware dropper file creation. These seven events cover the majority of attacker activity visible at the endpoint.

How do I tune a Sysmon configuration to reduce log volume without losing coverage?

Sysmon with a default or minimal config generates high volume that taxes SIEM ingest costs. Tuning strategy: use include/exclude filters in the Sysmon config XML to exclude high-volume, low-value events. For Event ID 3 (network connections), exclude connections from known system processes (svchost.exe, chrome.exe) to known CDN and update destination IPs — focus on unexpected processes making network connections. For Event ID 1 (process creation), exclude conhost.exe, MsMpEng.exe (Defender), and other Microsoft-signed OS processes that run frequently. Use the olafhartong/sysmon-modular config as your starting baseline: it is maintained for production use and balances coverage with log volume through modular filtering.

How do I deploy Sysmon across a Windows domain via Group Policy?

GPO software distribution method: copy Sysmon64.exe and your sysmon-config.xml to a network share accessible by all domain computers; create a Computer Configuration GPO startup script that checks for the Sysmon service and installs/updates if not present or if the config hash has changed. Alternatively, use Intune (Microsoft Endpoint Manager) for cloud-managed devices: upload Sysmon as a Win32 app with a detection rule checking for the Sysmon service. For immediate verification after GPO deployment: check the Applications and Services Logs > Microsoft > Windows > Sysmon > Operational event log on a target machine and run 'sc query sysmon64'.

Can Sysmon detect ransomware encryption activity?

Sysmon has partial but not comprehensive ransomware detection capability. Event ID 11 (FileCreate) logs new file creation but not modifications: ransomware that overwrites files in place may not generate FileCreate events for each victim file. Event ID 1 (ProcessCreate) captures the ransomware process with its command line if it was launched from another process. Event ID 8 (CreateRemoteThread) may fire if ransomware injects into legitimate processes. More effective ransomware detection uses EDR behavioral analytics (process file rename patterns) or filesystem honeypot files: create a 'canary file' (a Word document in a commonly-encrypted path) and alert on any rename, modification, or deletion of that specific file — any ransomware touching it will trigger the alert before most encryption is complete.

How do you manage Sysmon config versioning and ensure endpoints always run the latest config without a full reinstall?

Store your sysmon-config.xml in source control (Git) and tag each release with a version number embedded in the config's 'schemaversion' comment or a custom XML comment field. Deploy config updates via a GPO startup script or Intune Win32 app remediation script that computes the SHA256 of the local config file and compares it against the expected hash of the current version stored in a shared location or registry key. If the hashes differ, the script runs 'sysmon64.exe -c updated-config.xml' to apply the new config without a service restart -- Sysmon applies config changes live and the service continues without interruption. Track config compliance by querying Sysmon Event ID 16 (configuration change) in your SIEM: Event 16 fires every time a config is loaded, including the config hash, allowing you to confirm which hash is active on each endpoint and alert on unexpected config changes that may indicate tampering.

Sources & references

  1. SwiftOnSecurity: sysmon-config GitHub
  2. Olaf Hartong: Sysmon-Modular GitHub
  3. Microsoft Sysinternals: Sysmon Documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.