Sysmon Modular

A repository of sysmon configuration modules
sysmon-modular | A Sysmon configuration repository for everybody to customise


This is a Microsoft Sysinternals Sysmon configuration repository, set up in a modular way for easier maintenance and generation of specific configs.

Please keep in mind that any of these configurations should be considered a starting point; tuning per environment is strongly recommended.

The sysmonconfig.xml within the repo is automatically generated after a successful merge by the PowerShell script and a successful load by Sysmon in an Azure Pipeline run. More information on how to generate a custom config, incorporating your own modules, can be found below.

Pre-generated configurations

default: sysmonconfig.xml
The balanced configuration and the most used one.

verbose: sysmonconfig-excludes-only.xml
A very verbose configuration: all events are included and only the exclusion modules are applied. Do not use it in production without validation; it generates a significant amount of data and may affect performance.

super verbose: sysmonconfig-research.xml
A configuration with extreme verbosity. The expected log volume is very high, so really DO NOT USE IN PRODUCTION. It is meant for research only and uses considerably more CPU and memory. Load it just before running the technique under investigation and switch back to a lighter config when done.

MDE augment: sysmonconfig-mde-augmentation.xml
A configuration to augment Microsoft Defender for Endpoint, intended to add information with as little overlap as possible. It is based on the default/balanced config and will not generate all Sysmon events; the config contains comments explaining the choices. For the benefit of IR, consider using the excludes-only config and ingesting only the enriching events. (Blog with more rationale soon.)


In addition to the documentation below, there is also a video on how to use this project.

NOTICE: Sysmon versions below 13 are not fully compatible with this configuration.

Older versions are still available in the branches, but are not as complete as the current branch.

To understand the features added in the latest version, have a look at my small blog post or watch my DerbyCon talk.

Note: I do recommend using a minimal number of configurations within your environment, for several obvious reasons such as maintenance, output consistency and manageability. Do, however, make tailored configurations for Domain Controllers, servers and workstations.

Sysmon Community

There are three major Sysmon configurations:


Pull requests / issue tickets and new additions will be greatly appreciated!

More information

I started a series of blog posts covering this repo:


I strive to map all configurations to the ATT&CK framework whenever Sysmon is able to detect the technique. Please note that a mapped rule produces a possible log entry that might lead to a detection; it is not in all cases the only telemetry for that technique. Additionally, there might be more techniques related to a rule; the one mapped is the one I deemed most likely.

Required actions

I highly recommend looking at the configs before implementing them in your production environment. This gives you logging that is as actionable as possible with as little noise as possible.


You will need to install the configuration and observe its results in your own environment before deploying it widely. For example, you will need to exclude the actions of your antivirus, which will otherwise likely fill up your logs with useless information.
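As an added example (not part of sysmon-modular itself), the PowerShell below performs the review the paragraph above asks for: it summarises what each rule group in a config will actually log. The sample config is constructed inline and the antivirus path in it is a placeholder; point the function at your generated sysmonconfig.xml for a real review. The only Sysmon semantics it relies on are that an include rule with no conditions logs nothing for that event type, while an exclude rule with no conditions logs everything for it.

```powershell
# Added example, not sysmon-modular code: summarise what a Sysmon config will log.
# The config below is constructed for illustration; the AV image path is a placeholder.
$sampleConfig = @'
<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\wscript.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <!-- placeholder AV engine path: replace with your own product's install directory -->
        <Image condition="begin with">C:\Program Files\ExampleAV\</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Get-SysmonRuleSummary {
    param([Parameter(Mandatory)][xml]$Config)

    foreach ($rg in $Config.SelectNodes('/Sysmon/EventFiltering/RuleGroup')) {
        # every element child of a RuleGroup is an event type (ProcessCreate, NetworkConnect, ...)
        foreach ($rule in @($rg.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
            $conditions = @($rule.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
            $effect = switch ($rule.onmatch) {
                'include' { if ($conditions.Count -eq 0) { 'logs NOTHING for this event' } else { 'logs only matches' } }
                'exclude' { if ($conditions.Count -eq 0) { 'logs EVERYTHING for this event' } else { 'logs all but matches' } }
                default   { 'no onmatch attribute' }
            }
            [pscustomobject]@{
                Event      = $rule.Name
                OnMatch    = $rule.onmatch
                Relation   = $rg.groupRelation
                Conditions = $conditions.Count
                Effect     = $effect
            }
        }
    }
}

$summary = Get-SysmonRuleSummary -Config ([xml]$sampleConfig)
$summary | Format-Table -AutoSize

# An exclude rule without conditions is the usual source of unexpected volume
$summary | Where-Object { $_.OnMatch -eq 'exclude' -and $_.Conditions -eq 0 } |
    ForEach-Object { Write-Warning "$($_.Event): empty exclude rule, every event of this type will be written" }
```

For a real config run `Get-SysmonRuleSummary -Config ([xml](Get-Content .\sysmonconfig.xml -Raw))`; in the sample, ImageLoad is flagged because its empty exclude rule would log every image load on the host, and RegistryEvent is shown as logging nothing because its include rule has no conditions.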

Generating a config


$> git clone
$> cd sysmon-modular
$> . .\Merge-SysmonXml.ps1
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml

Generating custom configs

The functions below were contributed by mbmy, with great thanks.

New function: Find-RulesInBasePath takes a base path (e.g. C:\folder\sysmon-modular) and finds all candidate XML rule files based on a regex pattern.

Example: PS C:\Users\sysmon\sysmon-modular> Find-RulesInBasePath -BasePath C:\users\sysmon\sysmon-modular\ -OutputRules | Out-File available_rules.txt

New parameters for Merge-AllSysmonXml:

-BasePath finds all candidate XML rule files from the provided path based on a regex pattern and merges them.

Example: PS C:\Users\sysmon\sysmon-modular> Merge-AllSysmonXml -AsString -BasePath C:\Users\sysmon\sysmon-modular\

-ExcludeList, combined with -BasePath, takes a list of rules and excludes them from the found rules prior to the merge.

Example: PS C:\Users\sysmon\sysmon-modular> Merge-AllSysmonXml -AsString -BasePath C:\Users\sysmon\sysmon-modular\ -ExcludeList C:\users\sysmon\sysmon-modular\exclude_rules.txt

-IncludeList, combined with -BasePath, finds all available rules from the base path but only merges those defined in the list.

Example: PS C:\Users\sysmon\sysmon-modular> Merge-AllSysmonXml -AsString -BasePath C:\Users\sysmon\sysmon-modular\ -IncludeList C:\users\sysmon\sysmon-modular\include_rules.txt

NOTE: The BasePath needs to be the full path to the sysmon-modular files (for example c:\tools\sysmon-modular), otherwise PowerShell will not be able to locate them, resulting in a default config.
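Putting the functions above together, here is an added example (not part of the project's own documentation) of a complete custom build driven by the output of Find-RulesInBasePath, so the include list never has to be typed by hand. The directory names in $wanted are assumptions about the module layout; replace them with directories that actually exist in your clone. The regular expression is also an assumption, namely that the lines returned by Find-RulesInBasePath are paths separated by backslashes.

```powershell
# Added example, not sysmon-modular code: build a config containing only the modules
# for a chosen set of event families. Assumes the repo is cloned to $base and that
# module directories are named like 1_process_creation (adjust $wanted to your clone).
$base = 'C:\tools\sysmon-modular'
Set-Location $base
. .\Merge-SysmonXml.ps1

# 1. enumerate every candidate module file the merge would consider
$available = @(Find-RulesInBasePath -BasePath $base -OutputRules)
"{0} candidate rule files found" -f $available.Count

# 2. keep only the directories (event families) we want; everything else is left out
$wanted  = '1_process_creation', '3_network_connection', '11_file_create'
$pattern = '(^|\\)(' + (($wanted | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\\'
$selected = $available | Where-Object { "$_" -match $pattern }

# 3. the include list is the selected lines from Find-RulesInBasePath, one per line
$includeList = Join-Path $base 'include_rules.txt'
$selected | Set-Content -Path $includeList -Encoding ASCII
"{0} rule files selected for the merge" -f @($selected).Count

# 4. merge only those modules; without -AsString the result is an [xml] document
$config = Merge-AllSysmonXml -BasePath $base -IncludeList $includeList -PreserveComments
$config.Save((Join-Path $base 'sysmonconfig-custom.xml'))

# 5. sanity check: which event types, and how many rules each, ended up in the config?
$config.SelectNodes('/Sysmon/EventFiltering/RuleGroup/*[@onmatch]') |
    Group-Object Name |
    Select-Object Name, Count
```

Because the include list is derived from the tool's own enumeration, it stays valid when modules are renamed upstream: re-run the script after a git pull and the selection follows the directories rather than a hand-maintained list of file names.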

Include/Exclude List Format Example:


Building a config with all sysmon-modular rules for certain event IDs (including whole directories) and then disabling all event IDs without imported rules:


# generate the config
$sysmonconfig = Merge-AllSysmonXml -BasePath . -IncludeList $workingFolder\include.txt -VerboseLogging -PreserveComments

# flip off any rule groups where rules were not imported:
# an exclude rule with no conditions means "log everything for this event",
# so switch it to an empty include, which means "log nothing for this event"
foreach($rg in $sysmonconfig.SelectNodes("/Sysmon/EventFiltering/RuleGroup [*/@onmatch]")) {
    $ruleNodes = $rg.SelectNodes("./* [@onmatch]")

    if(     $null -eq $ruleNodes `
        -or $ruleNodes.Count -ne 1) {
        # no rule nodes found (unlikely) or more than one rule found
        continue
    }

    # RuleGroup with only one rule node
    $ruleNode = $ruleNodes[0]

    if($ruleNode.onmatch -eq "exclude" -and $ruleNode.ChildNodes.count -eq 0 ) {
        $message = "{0} {1} has no matching conditions.  Toggled to 'include' to limit output" -f $ruleNode.Name,$rg.Name
        Write-Warning $message

        $ruleNode.onmatch = "include"
        $comment = $sysmonconfig.CreateComment($message)
        $rg.AppendChild($comment) | Out-Null
    }
}

# write the adjusted config out (the output path is an example)
$sysmonconfig.Save("$workingFolder\sysmonconfig.xml")

Include/Exclude List Format Example (for entire rule/event families):




Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig.xml
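As an added example (not from the project), the script below wraps the two commands above into one elevated deployment step: it enforces the Sysmon 13 minimum from the notice earlier, chooses install or update depending on whether a Sysmon service already exists, and then compares the SHA256 of the file it pushed against the Sysmon config-change event (Event ID 16 in Microsoft-Windows-Sysmon/Operational, which records the hash of the configuration Sysmon loaded). It assumes Sysmon64.exe and sysmonconfig.xml are in the current directory and that the shell is running as administrator.

```powershell
# Added example, not sysmon-modular code: install or update Sysmon with a generated
# config and verify from the event log that it was applied. Run from an elevated shell.
# Assumes Sysmon64.exe and sysmonconfig.xml are in the current directory.
$sysmon = Join-Path $PWD 'Sysmon64.exe'
$config = Join-Path $PWD 'sysmonconfig.xml'

# Gate: the modular config needs Sysmon 13 or later
$version = [version](Get-Item $sysmon).VersionInfo.ProductVersion
if ($version.Major -lt 13) {
    throw "Sysmon $version is too old for this configuration; 13 or later is required"
}

# Record what is about to be deployed so it can be matched against the log afterwards
$configHash = (Get-FileHash -Algorithm SHA256 -Path $config).Hash
"Deploying config with SHA256 $configHash using Sysmon $version"

# Install if no Sysmon service exists yet (service is named Sysmon or Sysmon64),
# otherwise only push the new configuration to the running driver
$installed = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
if (-not $installed) {
    & $sysmon -accepteula -i $config
} else {
    & $sysmon -c $config
}
if ($LASTEXITCODE -ne 0) {
    throw "sysmon exited with code $LASTEXITCODE; the config most likely failed to parse"
}

# Sysmon writes Event ID 16 ("Sysmon config state changed") including the hash of the
# configuration it loaded; confirm the newest one references the file just deployed.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16 } -MaxEvents 1
if ($evt -and $evt.Message -match $configHash) {
    "Config applied at $($evt.TimeCreated)"
} else {
    Write-Warning "Latest config-change event does not reference $configHash; inspect 'sysmon -c' output"
}
```

The hash comparison is what makes the step safe to run from deployment tooling: a successful exit code only proves the binary accepted the file, whereas the Event ID 16 check proves the driver is now running the exact configuration that was reviewed.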