Sysmon Configuration for SOC Teams: Which Event IDs to Enable and Why

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Native Windows event logging is not built for detection. Security Event Log entries like Event ID 4688 require manual audit policy configuration, lack command-line parameters by default in older OS versions, and provide no network connection or driver load context. Sysmon fills these gaps by installing a kernel-mode driver that captures granular endpoint telemetry and writes it to a dedicated event log channel. The catch: a default or poorly tuned Sysmon deployment can flood a SIEM with three to five times its prior log volume, turning a detection asset into an ingestion cost problem. This guide helps SOC teams make intentional decisions about which event IDs to enable, which to tune heavily, and which to skip based on their environment and budget.
What Sysmon Provides That Native Logging Does Not
Windows Security Event Log and Sysmon are complementary, not competitive. The Security Event Log captures authentication, authorization, and audit events. Sysmon captures process execution, network connections, file writes, registry modifications, driver loads, and inter-process activity at a level of detail that native logging does not provide without significant Group Policy configuration and third-party parsing.
The most important gap Sysmon closes is process creation with full command line (Event ID 1). While Event ID 4688 can be configured to capture command-line arguments, it requires specific audit policy settings that are often not enabled by default in older Windows environments, and it does not capture the parent process image hash, the current directory, or the LogonGUID that ties the process to a user session. Sysmon Event ID 1 captures all of these in a single structured record.
The second major gap is network connection logging per process (Event ID 3). Windows Firewall logging and NetFlow capture traffic at the network layer, but neither correlates a specific outbound connection to the exact process that initiated it, with the process hash and parent process context included. For detecting command-and-control beaconing or data exfiltration, this per-process network telemetry is essential.
Sysmon also captures events that have no native Windows equivalent: raw disk access (Event ID 9), named pipe creation and connection (Event IDs 17 and 18), and process tampering (Event ID 25). These cover techniques used in credential theft and defense evasion that would otherwise be invisible to a Windows-native logging stack.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Key Event IDs: Enable, Tune, or Skip
Not every Sysmon event ID belongs in every environment. The right configuration depends on your SIEM ingestion budget, your endpoint count, and the threat actors and techniques you are prioritizing. The following breakdown covers the event IDs that matter most for detection and the tradeoffs of each.
Event ID 1: Process Create. Enable in all environments. This is the highest-value single event ID in Sysmon and contributes detection coverage for more MITRE ATT&CK techniques than any other. Tune by excluding process paths that generate high-frequency benign events: endpoint agents, antivirus processes, and system processes that spawn child processes continuously. Do not suppress broadly; tune the filter rules to exclude specific known-good parent-child relationships.
Event ID 3: Network Connection. Enable with tuning. Without exclusions, this will generate massive volume from browsers, update services, and endpoint agents. Focus filters on excluding destination ports and process paths associated with known-good update traffic. Keep coverage for unusual ports and unusual source processes.
Event ID 7: Image Loaded. Enable only on high-value targets such as domain controllers, PAWs, and sensitive servers. On general endpoints this generates enormous volume. If SIEM cost is a constraint, consider limiting ID 7 to a subset of critical assets.
Event IDs 8 and 10: CreateRemoteThread and ProcessAccess. Enable both. These cover process injection techniques central to most post-exploitation frameworks. Tune to exclude known-good injection patterns from endpoint security products, which routinely use these mechanisms for legitimate monitoring.
Event ID 11: FileCreate. Enable with heavy tuning. Target specific directories used for initial access and persistence: user temp directories, startup folders, and browser download paths. Logging all file creation events is impractical and will generate high volume.
Event IDs 12, 13, and 14: RegistryEvent. Enable with targeted path coverage. Log modifications to Run keys, service registry paths, COM object registrations, and AppInit paths. Logging all registry activity is not viable; a targeted key list is the correct approach.
Event ID 15: FileCreateStreamHash. Enable. This captures Alternate Data Stream creation, which is used by some downloaders to store payloads in ADS. Volume is low in most environments.
Event ID 22: DNSEvent. Enable in environments where DNS-based C2 is a priority threat. Volume can be high in environments with frequent DNS queries from monitoring agents. Tune to exclude known-good resolver traffic.
Event ID 25: ProcessTampering. Enable. This was added in Sysmon 13 to detect process image replacement and hollowing. Volume is low and the signal is almost always meaningful.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Community Configs: Swift on Security vs. Olaf Hartong
Two community Sysmon configurations dominate practitioner discussion: the SwiftOnSecurity config and the Olaf Hartong sysmon-modular project. Both are legitimate starting points and both have meaningful tradeoffs.
The SwiftOnSecurity config is a single XML file designed for immediate deployment. It is conservative by design: it enables a broad set of event IDs with extensive exclusion filters for common benign processes. The goal is a config that works out of the box in most enterprise environments with minimal initial noise. The tradeoff is that the exclusion lists may be too broad for some environments and are not easily decomposed into per-technique modules. For teams new to Sysmon, this is the recommended starting point.
The Olaf Hartong sysmon-modular project takes a different approach. Instead of a single monolithic config, it provides individual XML modules organized by MITRE ATT&CK technique. Teams can compose a custom config by selecting only the modules relevant to their detection priorities. This approach is more powerful and more maintainable at scale, but requires more initial effort to assemble and test. For mature SOC teams with an established detection engineering practice, sysmon-modular is the better long-term foundation.
Florian Roth's fork of the SwiftOnSecurity config adds additional detection logic for specific threat actor techniques and is worth reviewing as a supplementary reference when tuning for targeted threats.
The critical mistake practitioners make is deploying any community config without validating it against their specific environment. Run the chosen config in a test environment for one week, measure the alert volume per event ID, and identify the top noise sources before rolling out to production. No community config will be right for your environment without some degree of local tuning.
SIEM Ingestion Cost by Event ID
Sysmon is free to run on endpoints, but the data it generates is not free to ingest. Most commercial SIEM platforms charge by data volume, and an untuned Sysmon deployment on a large endpoint fleet can meaningfully increase monthly costs. Understanding which event IDs drive the most volume allows teams to make deliberate tradeoffs between coverage and cost.
Event ID 1 is high value and moderate volume in a well-tuned deployment. It should always be prioritized even in budget-constrained environments. Event ID 3 is the primary cost driver in most deployments because every network connection from every process generates a record. On endpoints with active browsers and update clients, this can produce thousands of records per hour per host. Aggressive tuning of known-good network traffic is essential.
Event ID 7 (Image Load) is the most expensive event ID in high-activity environments. On a developer workstation or build server, DLL loads occur at very high frequency. This event ID should be considered optional for general endpoints and reserved for high-value targets where the coverage is worth the cost.
A practical approach for cost management: calculate the per-event-ID volume in your test deployment, multiply by your endpoint count, and then multiply by your SIEM's per-GB rate to get a monthly cost estimate per event ID. This number makes the coverage-versus-cost tradeoff concrete and defensible when presenting a Sysmon deployment plan to leadership.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Validating Coverage After Deployment
Deploying Sysmon without validating that your detection rules fire is the equivalent of installing a camera without checking that it records. Coverage validation should be part of every Sysmon deployment and every significant config change.
Use Atomic Red Team to run technique-specific tests that correspond to the event IDs you have enabled. For Event ID 1, test with T1059 (Command and Scripting Interpreter) variations. For Event IDs 8 and 10, test with T1055 (Process Injection) atomics. For Event ID 22, test with T1071.004 (DNS) C2 simulation. After each test, confirm that the relevant Sysmon event was logged to the endpoint event log and forwarded to your SIEM.
Keep a coverage matrix that maps each enabled event ID to the MITRE ATT&CK techniques it is intended to cover, the test used to validate it, and the date of last validation. This matrix serves as the authoritative record of what your Sysmon deployment actually detects, not just what it is configured to collect. When you tune a config, update the matrix. When a technique is escalated as a priority threat, check the matrix to confirm you have coverage before the next adversary simulation cycle.
The bottom line
Start with the SwiftOnSecurity config as a baseline, deploy to a test environment for one week, and measure per-event-ID volume before touching production. Enable Event IDs 1, 3, 8, 10, 11, 12/13/14, 15, and 25 at minimum; restrict Event ID 7 to high-value assets only; and validate every enabled event ID against an Atomic Red Team test before declaring coverage complete.
Frequently asked questions
Which Sysmon event IDs should every SOC enable?
At minimum, every SOC should enable Event ID 1 (Process Create), Event IDs 8 and 10 (CreateRemoteThread and ProcessAccess), Event ID 11 (FileCreate with targeted directories), Event IDs 12, 13, and 14 (RegistryEvent for persistence key paths), Event ID 15 (FileCreateStreamHash), and Event ID 25 (ProcessTampering). Event ID 3 (Network Connect) should be enabled with heavy tuning to manage volume. Event ID 22 (DNS) is recommended for environments where DNS-based command-and-control is a priority. Event ID 7 (Image Load) should be reserved for high-value targets due to its high volume on active endpoints.
What is the difference between the SwiftOnSecurity Sysmon config and sysmon-modular?
The SwiftOnSecurity config is a single pre-built XML file with broad event ID coverage and extensive exclusion filters for common enterprise software. It is designed to work in most environments with minimal modification and is the best starting point for teams new to Sysmon. The Olaf Hartong sysmon-modular project is a collection of individual XML modules organized by MITRE ATT&CK technique, designed to be composed into a custom config. It requires more initial setup but is more maintainable and transparent about coverage intent. Mature detection engineering teams with the capacity to maintain a custom config will generally prefer sysmon-modular for its precision and modularity.
How do I stop Sysmon from flooding my SIEM?
The primary sources of Sysmon-generated SIEM volume are Event ID 3 (Network Connect) and Event ID 7 (Image Load). For Event ID 3, add exclude rules for known-good destination ports and process images associated with browsers, update services, and endpoint agents. For Event ID 7, consider disabling it on general endpoints entirely and enabling it only on domain controllers and privileged access workstations. Always test config changes in a staging environment for at least one week before production rollout, and measure per-event-ID volume before and after each change to verify the expected reduction.
Does Sysmon replace an EDR?
No. Sysmon is a telemetry collector, not a detection or response product. It generates structured event log data that a SIEM or SOAR platform can use for detection, but it does not perform behavioral analysis, block malicious activity, or provide response capabilities on its own. An EDR platform provides real-time prevention, automated response, and managed threat intelligence that Sysmon cannot replicate. Sysmon is best used to augment an existing logging stack in environments where EDR coverage is partial, to provide independent telemetry that complements EDR data, or as a cost-effective visibility layer on endpoints that cannot run a full EDR agent.
How does Sysmon compare to native Windows Event ID 4688 for process logging?
Sysmon Event ID 1 provides significantly richer process creation data than Windows Security Event ID 4688. Event ID 4688 can be configured to include command-line parameters, but it requires a specific audit policy setting that is not enabled by default in many environments, and it does not capture image hashes, parent process image hash, the LogonGUID, or the current directory at process launch. Sysmon Event ID 1 captures all of these fields in a single structured record with no additional policy configuration. For detection purposes, Sysmon Event ID 1 is strongly preferred over 4688 for process execution monitoring. The two are not mutually exclusive: running both provides redundancy if the Sysmon driver is tampered with by a sophisticated attacker.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
