PRACTITIONER GUIDE | DETECTION ENGINEERING
Practitioner GuideUpdated 11 min read

Sysmon Deployment and Configuration: How to Build Endpoint Visibility Without a Commercial EDR

29
Event types Sysmon can generate
$0
Licensing cost for Sysmon
~10 MB/day
Typical Sysmon log volume per endpoint with a tuned config

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Sysmon fills the visibility gap that Windows default event logging leaves open. Default Windows audit logs tell you someone logged in and an account was created -- they do not tell you what process made a network connection, what DLL loaded into a process, or what command a PowerShell script executed. Sysmon provides all of that. The two most common deployment mistakes are running Sysmon with no configuration file (which generates enormous noisy log volume) or running it with an overly permissive configuration that still misses key events. This guide covers both: picking the right starting configuration, deploying at scale via Group Policy, and understanding which event IDs to actually alert on versus which to keep for forensic context.

Choose Your Configuration Before You Deploy

Sysmon with no config logs almost nothing useful. Sysmon with a default-all config generates 50 to 200 MB per endpoint per day and is impossible to work with in most SIEMs. The configuration file is what makes Sysmon useful. Two community configs are the standard starting points: SwiftOnSecurity sysmon-config (github.com/SwiftOnSecurity/sysmon-config) and olaf hartong's sysmon-modular (github.com/olafhartong/sysmon-modular). SwiftOnSecurity is a single-file config maintained for operational environments -- it includes reasonable include rules for common attack techniques and exclude rules to suppress noisy legitimate processes. It is the right starting point for most organizations. Sysmon-modular is a modular framework where you compose the config from individual module files -- more flexibility, more maintenance, better for mature security programs that want precise control. Download and review the config before deployment: look at the exclusion rules to confirm they match your environment. The default configs exclude common security products and system processes; verify those match what is actually installed. Do not deploy sysmon-config without reading it. Some exclusions that suppress noise in one environment will suppress genuine attacker activity in another.

Install and Deploy via Group Policy

Single-host install: copy Sysmon64.exe and your config file (sysmonconfig.xml) to the target, then run Sysmon64.exe -accepteula -i sysmonconfig.xml. Sysmon installs as a service and driver. Verify with: sc query sysmon64. Enterprise deployment via GPO: create a network share accessible to all endpoints. Place Sysmon64.exe and sysmonconfig.xml there. Create a scheduled task via GPO (User Configuration > Preferences > Control Panel Settings > Scheduled Tasks) that runs on startup: Sysmon64.exe -accepteula -i \share\sysmon\sysmonconfig.xml. Add a second scheduled task that runs the update command: Sysmon64.exe -c \share\sysmon\sysmonconfig.xml. This lets you push config updates without reinstalling the binary. Configuration updates are live: running Sysmon64.exe -c newconfig.xml replaces the active config within seconds without stopping the service. Use this for incremental tuning without service restarts. For SCCM/Intune deployment: package Sysmon64.exe and config as an application with the install command above, and a detection rule that checks for the Sysmon64 service running.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Key Event IDs to Monitor and Alert On

Sysmon event IDs are not all equal. Event ID 1 (Process Create) is the most valuable for detection: it includes the full command line, parent process, user, and SHA256 hash. Alert on: cmd.exe or powershell.exe spawned by Office applications (parent: winword.exe, excel.exe, outlook.exe); PowerShell with encoded commands (-enc or -encodedcommand); mshta.exe, wscript.exe, or cscript.exe execution; processes spawned from temp directories or user AppData. Event ID 3 (Network Connection) is noisy but useful: filter on outbound connections from processes that should not make network connections (lsass.exe, svchost with non-standard command lines, Office applications connecting to non-Microsoft IPs). Event ID 7 (Image Loaded) logs DLL loads -- useful for detecting DLL hijacking and injection but high volume; use selectively. Event ID 8 (CreateRemoteThread) is almost always suspicious outside of known injection-based AV products -- alert on this broadly. Event ID 10 (ProcessAccess) specifically for lsass.exe access: this is your primary Mimikatz indicator. Any process accessing lsass.exe with PROCESS_VM_READ rights (access mask 0x1010 or 0x1038) should be investigated. Event ID 11 (File Create) for executable drops in temp and user-writable directories. Event ID 22 (DNS Query) for detecting C2 beaconing via DNS -- high-frequency DNS queries to rare domains from internal hosts. Event IDs 17 and 18 (Pipe Created/Connected) are valuable for detecting lateral movement tools that use named pipes (Cobalt Strike, PsExec, Impacket).

Tune Out the Noise

After initial deployment, expect high log volume from a few noisy sources. The most common noise sources: antivirus software accessing many files (add process excludes for your AV binary); backup agents making network connections (add network connection excludes for known backup server IPs); software update agents spawning child processes (add excludes for known update executables); browser processes making DNS queries (add DNS query excludes for browsers by process name). Tuning process: query your SIEM for the highest-volume event ID and process combinations over 24 hours. For each high-volume entry, decide: is this process ever relevant to an alert? If not, add an exclude rule. If it is relevant in some contexts, add a more specific exclude (e.g., exclude network connections from chrome.exe to known CDN IP ranges while keeping alerts for chrome.exe connecting to RFC1918 addresses). Test every exclude rule: does the final config still catch the behaviors you care about? Use a test VM to manually trigger each attack simulation (encoded PowerShell, lsass access, DLL injection) and confirm event generation after adding excludes.

Forward Sysmon Logs to Your SIEM

Sysmon writes to Microsoft-Windows-Sysmon/Operational. Forward this channel via your existing log collection method. Windows Event Forwarding (WEF): add the Sysmon channel to your WEF subscription. Winlogbeat (Elastic): add the Sysmon channel to the winlogbeat.yml event_logs list. Splunk UF: add the Sysmon channel to the inputs.conf monitor stanza. Log volume planning: a well-tuned config generates 5 to 20 MB per endpoint per day. One thousand endpoints produce 5 to 20 GB per day of Sysmon data. Factor this into your SIEM ingestion budget before deployment. Hash algorithm: the default hash is SHA1. Add MD5 and SHA256 in the config HashAlgorithms element for cross-referencing with threat intel: HashAlgorithms value of MD5,SHA256,IMPHASH. IMPHASH (import hash) is valuable for detecting renamed malware variants that share the same code -- it hashes the import table rather than the file content. VirusTotal accepts IMPHASH lookups. DNS event forwarding: Event ID 22 is high volume even after tuning. Consider forwarding it only for non-browser processes, or storing it at cold tier in your SIEM for forensic queries rather than real-time alerting.

The bottom line

Deploy Sysmon before you need it -- after an incident is not when you want to discover that command-line logging was not enabled. Use SwiftOnSecurity's config as your starting point, tune it for your environment over two weeks, and build alerts specifically on Event ID 10 (lsass access), Event ID 8 (remote thread injection), and Event ID 1 for Office-spawned cmd or PowerShell. The effort to deploy is low. The detection value against credential dumping, lateral movement, and initial access is significant.

Frequently asked questions

Does Sysmon slow down endpoints?

With a properly tuned configuration, the performance impact is negligible for most endpoints. Sysmon with no config or a default-all config that logs every event has a measurable impact (up to 5% CPU on active file servers). The SwiftOnSecurity config is specifically tuned to minimize overhead while retaining useful events. Servers with high DLL load activity (IIS, SQL Server, domain controllers) may see higher overhead from Event ID 7 -- consider disabling image load logging (Event ID 7) on those specific systems if performance is a concern.

Should I run Sysmon if I already have EDR?

Yes, for most organizations. Commercial EDR agents do not expose their raw telemetry in the same queryable format as Sysmon event logs. Sysmon gives you SIEM-native event data you can query directly, join with other log sources, and build custom detections against without being dependent on the EDR vendor's detection library. It also serves as an independent data source for forensics -- if your EDR agent is killed or tampered with, Sysmon logs (if forwarded) remain available.

Which Sysmon config should I use: SwiftOnSecurity or sysmon-modular?

SwiftOnSecurity for most organizations: it is a single file, well-maintained, and production-ready. Sysmon-modular if you have a dedicated detection engineer who wants granular per-event-type control and is willing to maintain a more complex configuration. Both are significantly better than deploying with no config.

How do I update Sysmon when a new version is released?

Replace the binary on your network share and run Sysmon64.exe -u (uninstall), then Sysmon64.exe -accepteula -i sysmonconfig.xml (reinstall with new binary). The reinstall process takes 5 to 10 seconds per endpoint. During that window, Sysmon events are not generated -- this gap is negligible for most environments. Automate the update via your existing software deployment mechanism (SCCM, Intune, GPO startup script).

What Sysmon event IDs are the most valuable for SOC detection use cases?

The highest-value event IDs for detection: Event ID 1 (Process Create) provides full command-line arguments, parent process, and a process hash -- essential for detecting LOLBAS abuse and malicious process chains. Event ID 3 (Network Connect) links processes to outbound connections -- critical for detecting C2 beaconing. Event ID 7 (Image Loaded) catches DLL loading -- used to detect DLL hijacking and process injection. Event ID 11 (File Create) tracks new executables dropped to disk. Event ID 22 (DNS Query) reveals domain lookups by process -- exposes C2 domain requests. Event ID 25 (Process Tampering) detects process hollowing. Prioritize these six IDs in your SIEM detection rules before expanding to lower-volume events.

How do I tune my Sysmon configuration to reduce noise without losing visibility?

Start with a community-maintained config (SwiftOnSecurity's sysmon-config on GitHub is the most widely used baseline) and refine from there. Noise reduction focuses on excluding known-safe patterns from high-volume event IDs: exclude chrome.exe and msedge.exe from Event ID 3 (network connects) for standard browser traffic, exclude system processes like svchost.exe making connections to known Microsoft infrastructure IP ranges, and exclude Event ID 7 (image loaded) for Microsoft-signed DLLs. For Event ID 1 (process create), exclude frequent system tasks (scheduled tasks that run svchost, Windows Defender scans) rather than suppressing the entire event type. The key principle: exclude by specific process hash or signed certificate where possible rather than by process name alone (attackers rename processes to match excluded names). Review your SIEM alert volume after each tuning change and compare against a detection engineering checklist to verify you have not suppressed critical detection paths.

Sources & references

  1. Microsoft Sysinternals Sysmon Documentation
  2. SwiftOnSecurity Sysmon Config
  3. olafhartong Sysmon Modular Config

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.