Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.

Sysmon - DFIR

A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.

Sysmon Learning Resources


Sysmon Configuration

@SwiftOnSecurity config


This config will bring you up to speed on critical process monitoring, network activity, and so on. Note that the approach is not to log everything, only the most important items.


Solid, detailed config; probably one of the most complete available.



Basic config that monitors critical Windows process execution. Very basic, but a good starting point for getting used to Sysmon and how it operates.

Blog post by blacklanternsecurity


Crypsis Group published a config and an accompanying PDF. The fairly detailed list of excludes should help you understand how excludes work and get a configuration started.

Crypsis Group Config

Crypsis Group PDF


Great configuration for understanding excludes and the contains condition.

Decent Security Config


Solid blog post on getting started with Sysmon. The config is nicely laid out and easy to understand.

909Research Blog


The config is specific, but it provides a good foundation for capturing a lot of targeted data.

(Comments translated to English)


Provided by Roberto Rodriguez


Related material from the Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.

Splunking the Endpoint - Files from presentation

Configs are optimized for Splunk.

Additional configs

Configs are updated frequently.

SwiftOnSecurity Fork by Ion-Storm

Server Config:

Client Config: