A modular and customizable repository of Sysmon configuration modules designed to simplify the creation and maintenance of Sysmon configs for endpoint security.
A repository of sysmon configuration modules
This tool is used by security professionals and system administrators to deploy and manage tailored Sysmon configurations for endpoint protection and intrusion detection. Because each Sysmon event type lives in its own module folder, a configuration can be assembled, customized, and regenerated to fit a specific environment instead of hand-editing one large XML file, which makes ongoing maintenance and automation considerably easier.
The configurations in this repository are starting points, not drop-in production rulesets: they should be tuned to the target environment, since an untuned config can produce excessive log volume and measurable performance impact on endpoints. The super verbose and research configurations in particular generate very high event volumes and are not intended for production use. For hosts already running Microsoft Defender for Endpoint, a dedicated augmentation config is provided that focuses on telemetry Defender does not already collect, minimizing event overlap. The modules should be kept current, for example by merging the latest LOLDrivers configuration, so that detections do not go stale as new tooling and drivers appear.
Download and install Microsoft Sysinternals Sysmon from the official site
Clone the sysmon-modular repository from GitHub
Use the provided PowerShell script to generate a custom Sysmon configuration by merging desired modules
Deploy the generated sysmonconfig.xml to your endpoints with Sysmon installed
Tune and customize the configuration for each environment before rollout; the project strongly recommends this rather than deploying the defaults unchanged
PowerShell merge script from the repository
Merges the selected modules into a single custom sysmonconfig.xml
sysmon -i sysmonconfig.xml
Installs the Sysmon service and driver with the generated configuration file (run from an elevated prompt; add -accepteula for unattended installs)
sysmon -c sysmonconfig.xml
Loads a new configuration into the already-installed Sysmon service without reinstalling it; running sysmon -c with no file argument prints the currently active configuration, which is useful for verifying what an endpoint is actually enforcing
Copy the LOLDrivers Sysmon config into the 29_file_execute_detected folder before merging
Enhances detection by folding the latest LOLDrivers rules into the modular set, so the next merge produces a sysmonconfig.xml that already includes them
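The steps above as one end-to-end PowerShell script. This is an added example, not code from sysmon-modular or its author: it fetches Sysmon from Sysinternals, clones the module repository, drops the LOLDrivers config into the folder named above, adds a site-specific exclusion module so tuning lives outside the upstream files, merges everything, then installs or updates the service and checks that events are flowing. Assumptions to verify against the repository README: the merge script is Merge-SysmonXml.ps1 and exposes Merge-AllSysmonXml; modules sit in numbered folders such as 1_process_creation; the file name exclude_local_backup_agent.xml and the vendor paths inside it are hypothetical; and $LolDriversUrl is a placeholder you replace with the real download location. It needs git on the path and an elevated prompt.

```powershell
# Added example (not part of sysmon-modular): build, tune, and deploy a Sysmon config end to end.
# Assumed: Merge-SysmonXml.ps1 / Merge-AllSysmonXml from the repo README, numbered module folders,
# hypothetical exclusion paths, and a placeholder LOLDrivers URL. Run elevated; requires git.
[CmdletBinding()]
param(
    [string]$WorkDir       = 'C:\sysmon-build',
    [string]$SysmonZipUrl  = 'https://download.sysinternals.com/files/Sysmon.zip',
    [string]$RepoUrl       = 'https://github.com/olafhartong/sysmon-modular.git',
    [string]$LolDriversUrl = 'https://example.invalid/loldrivers-sysmon-config.xml'  # placeholder
)
$ErrorActionPreference = 'Stop'

# 1. Fetch Sysmon from Sysinternals and unpack it (Sysmon64.exe on 64-bit Windows).
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$zip = Join-Path $WorkDir 'Sysmon.zip'
Invoke-WebRequest -Uri $SysmonZipUrl -OutFile $zip
Expand-Archive -Path $zip -DestinationPath (Join-Path $WorkDir 'sysmon') -Force
$sysmon = Join-Path $WorkDir 'sysmon\Sysmon64.exe'

# 2. Clone the modules. Pin to a tag or commit in real deployments so builds are reproducible.
$repo = Join-Path $WorkDir 'sysmon-modular'
if (-not (Test-Path $repo)) { git clone --depth 1 $RepoUrl $repo }
Set-Location $repo

# 3. Optional: place the LOLDrivers config in the event 29 folder so the merge picks it up.
if ($LolDriversUrl -notmatch 'example\.invalid') {
    Invoke-WebRequest -Uri $LolDriversUrl -OutFile '29_file_execute_detected\loldrivers.xml'
}

# 4. Site-specific tuning as its own module, so a later git pull does not clobber it.
#    Excluding on Image alone is weak (anything can be dropped at that path); tie the exclusion
#    to the parent and command line so only the known-good invocation is suppressed.
$tuning = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Rule groupRelation="and">
          <ParentImage condition="is">C:\Program Files\ExampleBackup\agent.exe</ParentImage>
          <Image condition="is">C:\Program Files\ExampleBackup\helper.exe</Image>
          <CommandLine condition="begin with">"C:\Program Files\ExampleBackup\helper.exe" --heartbeat</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path '1_process_creation\exclude_local_backup_agent.xml' -Value $tuning -Encoding UTF8

# 5. Merge every module in the numbered folders into one config.
. .\Merge-SysmonXml.ps1
$out = Join-Path $WorkDir 'sysmonconfig.xml'
Merge-AllSysmonXml -Path (Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File $out -Encoding UTF8

# Sanity check: the merged file must parse and must contain an EventFiltering section.
[xml]$cfg = Get-Content $out
if (-not $cfg.Sysmon.EventFiltering) { throw 'merge produced no EventFiltering section' }

# 6. Install if no Sysmon service exists, otherwise load the new config in place (no reinstall).
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue
if ($svc) {
    & $sysmon -c $out
} else {
    & $sysmon -accepteula -i $out
}

# 7. Confirm telemetry is flowing before calling the endpoint deployed.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

For fleet rollout, run steps 1 to 5 once on a build host, commit the resulting sysmonconfig.xml alongside the local tuning module, and push only steps 6 and 7 to endpoints through your normal deployment channel; endpoints should never clone the repository or merge on their own, since that makes the deployed ruleset non-reproducible.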