Detection Engineering

Sysmon Configuration for Threat Detection

A practical Sysmon configuration for threat detection — the event IDs that matter, a tuned config approach, what to send to your SIEM, and the rules it powers.

A dark screen showing cyan endpoint-telemetry streams converging into a sensor, with one stream flagged red

Sysmon configuration is the foundation almost every Windows detection rests on — and the most common reason rules never fire is that the underlying telemetry was never collected or tuned. Sysmon (System Monitor) is a free Sysinternals tool that logs rich, granular endpoint events: process creation with command lines and hashes, network connections, driver loads, LSASS access, DNS queries. Configure it well and your detections have data; configure it badly and you either drown in noise or miss the event. This guide is the practical configuration and the event IDs that matter.

Sysmon is the data source behind the rest of darkpwn’s Windows detections — LSASS credential dumping, NTLM relay, and LOLBins — and it is the practical prerequisite for the detection engineering workflow on Windows.

What is Sysmon and why does it matter?

Sysmon is a Windows system service and driver that records detailed security events to the event log, far beyond what Windows logs by default. A single process-creation event (ID 1) includes the full command line, the parent process, the user, and file hashes — everything a detection needs to spot a malicious pattern. Multiply that across network connections, driver loads, and process-access events, and you have the raw material for behavioral detection.

The catch is configuration. Sysmon with no config logs little; Sysmon with a naive “log everything” config buries the SIEM in noise and cost. The art is a tuned config that captures the security-relevant minority and excludes the predictable majority.

Which Sysmon event IDs should you collect?

Event IDWhat it capturesPowers detection of
1Process creation (cmdline, parent, hashes)LOLBins, suspicious children, malware
3Network connectionC2, exfiltration, lateral movement
6Driver loadBYOVD / vulnerable-driver abuse
7Image/DLL loadDLL sideloading, injected modules
10Process accessLSASS credential dumping
11File createDropped payloads, web shells, minidumps
12–14Registry add/set/deletePersistence, defense evasion
22DNS queryDNS tunneling, C2 resolution

These cover the overwhelming majority of behavioral detections. Collect them well before adding the rarer event types — depth on the core beats breadth on the noise.

How to configure Sysmon well

Do not hand-write a config from scratch. Start from a maintained community baseline and tune it:

  1. Adopt a baselinesysmon-modular (Olaf Hartong) or the SwiftOnSecurity config. Both are ATT&CK-aware and filtered.
  2. Deploy in a pilot ring and measure event volume per ID before going wide.
  3. Tune by exclusion — drop the noisiest predictable sources (signed Microsoft network beacons, browser image loads, known service accounts) while keeping security-relevant events.
  4. Forward to the SIEM with the core event IDs above, and confirm field parsing.
  5. Review monthly — the noisiest sources drift; refine the exclude filters.

A minimal illustrative slice of a tuned config:

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup groupRelation="or">
      <!-- Always capture access to LSASS -->
      <ProcessAccess onmatch="include">
        <TargetImage condition="end with">lsass.exe</TargetImage>
      </ProcessAccess>
      <!-- Capture driver loads (BYOVD), exclude known-good signers elsewhere -->
      <DriverLoad onmatch="include"><Signed condition="is">false</Signed></DriverLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

How a tuned Sysmon config produces detections

Once the telemetry flows, detections write themselves against it. A process-creation event (ID 1) carries the command line, so a LOLBin or encoded-PowerShell rule has the data it needs:

Sigma A Detection Built on Sysmon Process-Creation Telemetry
title: Encoded PowerShell via Sysmon Process Creation
id: 3d1f8c52-darkpwn-illustrative
status: stable
logsource:
  product: windows
  category: process_creation   # Sysmon Event ID 1
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: [' -enc ', ' -EncodedCommand ']
  condition: selection
falsepositives:
  - Some legitimate deployment scripts (allowlist by parent/path)
level: medium
tags:
  - attack.t1059.001

How to validate your Sysmon deployment

  1. Generate benign versions of key behaviors (a dump of notepad.exe, an encoded PowerShell echo) and confirm the matching event IDs appear.
  2. Confirm the events reach the SIEM with fields parsed (command line, hashes, parent).
  3. Check event volume per ID against your baseline; investigate any source flooding.
  4. Run an Atomic Red Team test and confirm the relevant Sysmon events are captured.

Common Sysmon mistakes

  • No config or default config. Captures almost nothing useful.
  • Log-everything config. Explodes SIEM cost; gets tuned to death.
  • Not forwarding/parsing fields. Events exist locally but the SIEM can’t query them.
  • Set-and-forget. Noise sources drift; configs need monthly tuning.

Sysmon configuration checklist

  1. Adopt a maintained baseline (sysmon-modular or SwiftOnSecurity).
  2. Pilot it and measure event volume per ID before wide deployment.
  3. Capture the core IDs: 1, 3, 6, 7, 10, 11, 12–14, 22.
  4. Tune by exclusion to drop predictable noise; keep security-relevant events.
  5. Forward to the SIEM and confirm field parsing.
  6. Validate with Atomic Red Team that key behaviors produce events.
  7. Review the noisiest sources monthly and refine filters.
  8. Treat the config as a logsource gate for every new Windows detection.

The takeaway

Sysmon configuration is the data foundation of Windows detection: adopt a tuned community baseline, collect the core event IDs, exclude predictable noise to control cost, and treat the config as the logsource gate for every rule. Telemetry first, rules second. Continue with the detection engineering workflow, LOLBins detection and BYOVD attack detection (malicious driver-load events), or browse the full Detection Engineering pillar.

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • TryHackMeAuthorized labs to practice Windows telemetry and detection engineeringSecurity Training
    Start training
  • PluralsightWindows endpoint detection and Sysmon learning pathsSecurity Training
    Browse courses

Frequently asked questions

What is the best Sysmon configuration for threat detection?

Start from a community baseline like sysmon-modular or the SwiftOnSecurity config, then tune it to your environment rather than logging everything. Prioritize a core set of event IDs: process creation (1), network connection (3), driver load (6), image load (7), process access (10), file create (11), and registry events (12-14). Exclude high-volume noise so the SIEM stays affordable.

Which Sysmon event IDs matter most?

The highest-value event IDs are 1 (process creation with command line and hashes), 3 (network connection), 6 (driver load — BYOVD), 7 (image/DLL load), 10 (process access — LSASS reads), 11 (file create), and 22 (DNS query). These power the majority of behavioral detections on Windows.

Is Sysmon an EDR replacement?

No. Sysmon is a rich, free telemetry source, but it does not block, respond, or provide a management console. It complements an EDR by giving detection engineers granular, taggable events to write rules against, and it is invaluable where an EDR is not deployed.

How do you tune Sysmon to control log volume?

Use the config's include/exclude filters to drop predictable noise — known service accounts, signed Microsoft binaries in network events, browser image loads — while keeping security-relevant events. Tuning is continuous: review the noisiest event sources monthly and refine the filters.

Newsletter

Liked this breakdown?

Defensive security research — detection, hardening, and hardware — delivered when there is something worth saying. No spam, unsubscribe anytime.