Building a Detection Foundation: Part 4 - Sysmon
Table of contents
Filling the Gaps Native Logging Can't
At this point in our series, we have Windows Security events capturing logon sessions and process creation, and PowerShell logging capturing script execution. That's a solid foundation. But if you've worked Incident Response, you've hit the walls of native logging:
- "We know PowerShell ran, but what did it connect to?"
- "Something modified this registry key, but we don't know which process."
- "A malicious DLL was loaded—when? By what?"
This is where Sysmon enters the picture. Sysmon, a free Windows system service and driver from Microsoft Sysinternals that monitors and logs system activity to the Windows event log, is soon to be included in the latest versions of Windows Server and Windows 11. It's not a replacement for native logging—it's a complement that provides telemetry Windows simply doesn't offer natively.
I do have a small bias since I have been writing about the tool since it came out, given multiple training classes on it, and wrote most of the Sysmon Community Guide, but I do see where it falls short and will do my best to cover some of the basics. Do check the resources at the end of this blog to go deeper on how to leverage the tool.
What Sysmon Provides
Looking back at our MITRE ATT&CK data source coverage, here's where Sysmon fills critical gaps:
Data Component | Technique Coverage | Sysmon Event |
|---|---|---|
Process Creation | 452 | Event 1 (enhanced parent info, hashes) |
Network Connection Creation | 151 | Event 3 |
Module Load | 109 | Event 7 |
Windows Registry Key Modification | 86 | Events 12, 13, 14 |
Process Access | 77 | Event 10 |
File Creation | 174 | Event 11 |
Driver Load | 14 | Event 6 |
WMI Operations | 7 | Events 19, 20, 21 |
Named Pipe | 4 | Events 17, 18 |
DNS Queries | — | Event 22 |
Let me walk through the Sysmon events you should care about and why.
Essential Sysmon Events
Event 1: Process Creation
Yes, we have Event ID 4688 from native logging. So why use Sysmon Event 1?
What Sysmon adds:
- File hashes (MD5, SHA1, SHA256) of the executable
- More reliable parent process information
- Parent command line
- Integrity level
- More consistent formatting
Detection value:
- Hash lookups for known-bad binaries
- Detecting renamed legitimate tools (hash matches, name doesn't)
- Process tree reconstruction
Event 3: Network Connection
This is huge. Native Windows logging does not provide a reliable way to track which process connected to which IP address. Sysmon Event 3 captures:
- Source IP address and port
- Destination IP address and port
- Protocol
- The process that initiated the connection
- User context
Why this matters: You see PowerShell execute. It runs a download cradle. Event 3 shows you powershell.exe connected to 192.168.1.100:443. Now you have an IOC to hunt for across other systems and network logs.
What to prioritize:
When configuring Event 3, I recommend focusing on two categories:
1. C2 Channels: Ports commonly used for C2 traffic
- SSH (22) - Often used for encrypted C2
- HTTP (80) and HTTPS (443) - The most common C2 channels
- DNS (53) - DNS tunneling and C2 over DNS
2. Lateral Movement/Remote Management: Ports that indicate system-to-system access
- RDP (3389)
- WinRM (5985, 5986)
- SSH (22)
- SMB (445)
- Telnet (23)
- Common Remote Monitoring and Management (RMM) tools (varies by vendor—ScreenConnect, AnyDesk, TeamViewer, etc.)
The HTTPS exclusion problem:
Here's a challenge: every software vendor wants telemetry these days. Your environment is full of legitimate HTTPS traffic from browsers, update services, security tools, and business applications. If you log all port 443 traffic, you'll drown in noise.
The solution is compound exclusion rules. Don't exclude based on a single field—attackers can rename their tools. Instead, build exclusions that require multiple conditions to match:
- Image (full path) AND ParentImage (full path)
- Or Image AND User context
For example, don't just exclude chrome.exe. Exclude C:\Program Files\Google\Chrome\Application\chrome.exe when the parent is C:\Program Files\Google\Chrome\Application\chrome.exe (Chrome spawns child processes). An attacker who names their beacon chrome.exe and drops it in C:\Users\Public\ won't match your exclusion.
This approach takes more effort upfront but dramatically reduces your exposure to simple evasion techniques.
Event 6: Driver Load
Attackers load malicious drivers for kernel-level access, rootkit functionality, or to disable security tools. Event 6 captures:
- Driver path
- Hash
- Signature status
Why this matters: Recall the vulnerable driver attacks used to blind EDR? Event 6 would show that driver loading, giving you a fighting chance to detect it.
Event 7: Image Load (DLL)
This logs when a module (DLL) is loaded into a process and is critical for detecting:
- DLL hijacking
- Side-loading attacks
- Reflective DLL injection (in some cases)
Configuration consideration: This event is noisy. You'll want to filter aggressively—focus on non-standard paths, unsigned DLLs, specific DLLs that are known to provide attackers capabilities they need, and specific high-risk processes.
Event 10: Process Access
This fires when a process opens a handle to another process. This is your primary indicator for credential extraction techniques that access LSASS.
Why this matters: Mimikatz and similar tools need to open a handle to lsass.exe with specific access rights. Event 10 captures this.
What to watch for:
- Any process accessing LSASS with access mask
0x1010(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) - Pay special attention to access masks
0x1F1FFFor0x1FFFFFas these are the highest permission level and mean the memory is being extracted for the process. - Non-standard processes accessing LSASS at all
Event 11: File Create
Look at log file creation events. Combined with the process context, you know not just that a file was created but what created it.
Why this matters: Malware drops payloads. Event 11 shows powershell.exe created C:\Users\Public\payload.exe. You now have the full chain. By monitoring all executable file types and critical OS locations, you can detect:
• Malware dropping executables in system directories (C:\Windows\System32, C:\Windows\SysWOW64)
• Persistence mechanisms placing files in startup folders
• Driver/kernel module installations in \Windows\System32\drivers\
• DLL hijacking attempts in system directories
• Scripts being staged in temp directories
• Suspicious file creation in protected Windows folders
• Executable files created in public/shared locations that shouldn't contain them
The comprehensive file type coverage ensures you catch all executable formats Windows supports, not just .exe files. Monitoring critical OS paths catches attackers attempting to blend in with legitimate system files or establish deep persistence.
For additional file creation rules and examples to consider for your environment, see the Sysmon Modular project's File Create section here.
Events 12, 13, 14: Registry Operations
- Event 12: Registry object added or deleted
- Event 13: Registry value set
- Event 14: Registry object renamed
Why this matters: Registry persistence mechanisms (Run keys, services, COM hijacking) are everywhere in attacker tradecraft. Native Windows auditing can capture registry access, but it requires complex SACL configuration. Sysmon makes it straightforward.
Events 17, 18: Pipe Created / Pipe Connected
Why this matters: Certain pipe names are strong indicators of malicious activity, but here's the catch: attackers can (and do) randomize their pipe names. Targeting known-bad patterns will catch commodity tooling, but sophisticated actors will slip through.
The better approach: Rather than trying to enumerate all possible malicious pipe names, I recommend building a baseline of valid named pipes in your environment and then creating exclusions for those. Log everything else. This way, any new or unusual pipe that appears gets captured—and you handle the alerting logic at your SIEM where you have more flexibility.
We cover both strategies in depth in the TrustedSec Sysmon Community Guide—the targeted approach and the exclusion-based approach. I personally prefer the exclusion method with detection happening at the SIEM layer.
Events 19, 20, 21: WMI Events
- Event 19: WmiEventFilter activity
- Event 20: WmiEventConsumer activity
- Event 21: WmiEventConsumerToFilter activity
Why this matters: WMI event subscriptions are a stealthy persistence mechanism. These events let you see them being created. Paired with Microsoft-WMI-Activity/Operational Event ID 5858 that logs WMI errors, Event ID 5857 for providers loaded, and Event ID 5861 for permanent events, you have full redundancy in coverage.
Event 22: DNS Query
This logs DNS queries with the process that made them and is critical for detecting C2 communication, DNS tunneling, and domain generation algorithms.
Why this matters: You see powershell.exe queried evil-domain.com. Your network logs might show the DNS traffic, but without Sysmon you wouldn't know which process initiated it.
The better approach: I will be honest. This one in client machines is painful to get a good signal-to-noise ratio (SNR), and I prefer network management platforms. On servers where there is more control, less applications loading multiple websites, and new entries on a constant basis, it is of great value however. Use it if another solution is not available, but be aware on what role the host plays before implementing it.
A Practical Sysmon Configuration
Below is a production-ready Sysmon configuration that balances visibility with performance. This isn't a one-size-fits-all solution, aka you should tune it for your environment, but it's a strong starting point.
This configuration can be copied to an XML document and applied using the Sysmon.exe process on a test system. Once tuned, you can deploy the registry value using GPO or Intune, depending on your environment. I would recommend the Learning Sysmon video series I recorded if you are not familiar on how to do this. I go over each event type and recommendations for each.
<?xml version="1.0" encoding="UTF-8"?>
<Sysmon schemaversion="4.90">
<!--
Sysmon Configuration for Detection Foundation
Tune exclusions based on your environment's baseline noise
-->
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
<DnsLookup>False</DnsLookup>
<EventFiltering>
<!-- Event 1: Process Creation - Log all, exclude known-noisy processes -->
<RuleGroup name="ProcessCreate" groupRelation="or">
<ProcessCreate onmatch="exclude">
<!-- Tune these based on your environment -->
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<Image condition="is">C:\Windows\System32\RuntimeBroker.exe</Image>
<Image condition="is">C:\Windows\System32\taskhostw.exe</Image>
<ParentImage condition="is">C:\Windows\System32\svchost.exe</ParentImage>
<!-- Add your environment-specific exclusions here -->
</ProcessCreate>
</RuleGroup>
<!-- Event 3: Network Connection - Focus on C2 and lateral movement -->
<!-- Priority: C2 channels (443, 80, 53, 22) and management ports (3389, 5985, 5986, 445, 23) -->
<RuleGroup name="NetworkConnect" groupRelation="or">
<NetworkConnect onmatch="include">
<!-- C2 Channel Ports -->
<DestinationPort condition="is">443</DestinationPort>
<DestinationPort condition="is">80</DestinationPort>
<DestinationPort condition="is">53</DestinationPort>
<DestinationPort condition="is">22</DestinationPort>
<!-- Lateral Movement / Remote Management Ports -->
<DestinationPort condition="is">3389</DestinationPort> <!-- RDP -->
<DestinationPort condition="is">5985</DestinationPort> <!-- WinRM HTTP -->
<DestinationPort condition="is">5986</DestinationPort> <!-- WinRM HTTPS -->
<DestinationPort condition="is">445</DestinationPort> <!-- SMB -->
<DestinationPort condition="is">23</DestinationPort> <!-- Telnet -->
<DestinationPort condition="is">135</DestinationPort> <!-- RPC -->
<!-- Common RMM Tool Ports - adjust for tools in your environment -->
<DestinationPort condition="is">8040</DestinationPort> <!-- ScreenConnect -->
<DestinationPort condition="is">7070</DestinationPort> <!-- AnyDesk -->
<DestinationPort condition="is">5938</DestinationPort> <!-- TeamViewer -->
<!-- High-risk processes regardless of port -->
<Image condition="end with">\powershell.exe</Image>
<Image condition="end with">\cmd. exe</Image>
<Image condition="end with">\wscript.exe</Image>
<Image condition="end with">\cscript.exe</Image>
<Image condition="end with">\mshta.exe</Image>
<Image condition="end with">\rundll32.exe</Image>
<Image condition="end with">\regsvr32.exe</Image>
<Image condition="end with">\certutil.exe</Image>
<Image condition="end with">\bitsadmin.exe</Image>
</NetworkConnect>
</RuleGroup>
<!--
HTTPS Exclusions - COMPOUND RULES ONLY
CRITICAL: Use multiple fields (Image + ParentImage with FULL PATHS) to prevent bypass via renaming
Single-field exclusions are trivially bypassed by attackers
Example compound exclusion structure (implement based on your environment):
<NetworkConnect onmatch="exclude">
<Rule groupRelation="and">
<Image condition="is">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
<ParentImage condition="is">C:\Program Files\Google\Chrome\Application\chrome.exe</ParentImage>
<DestinationPort condition="is">443</DestinationPort>
</Rule>
<Rule groupRelation="and">
<Image condition="is">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
<ParentImage condition="is">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</ParentImage>
<DestinationPort condition="is">443</DestinationPort>
</Rule>
</NetworkConnect>
Build your exclusion list by baselining legitimate HTTPS traffic in your environment.
Always use full paths. Never exclude based on process name alone.
-->
<!-- Event 6: Driver Load - Log all, watch for unsigned -->
<RuleGroup name="DriverLoad" groupRelation="or">
<DriverLoad onmatch="include">
<Signed condition="is">false</Signed>
</DriverLoad>
</RuleGroup>
<!-- Event 7: Image Load (DLL) - Very noisy, focus on specific scenarios -->
<RuleGroup name="ImageLoad" groupRelation="or">
<ImageLoad onmatch="include">
<!-- DLLs loaded from unusual paths -->
<ImageLoaded condition="contains">\Users\</ImageLoaded>
<ImageLoaded condition="contains">\Temp\</ImageLoaded>
<ImageLoaded condition="contains">\AppData\</ImageLoaded>
<ImageLoaded condition="contains">\Downloads\</ImageLoaded>
<!-- Unsigned DLLs (adjust based on noise) -->
<Signed condition="is">false</Signed>
</ImageLoad>
<ImageLoad onmatch="exclude">
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<Image condition="is">C:\Windows\explorer.exe</Image>
</ImageLoad>
</RuleGroup>
<!-- Event 10: Process Access - Focus on LSASS -->
<RuleGroup name="ProcessAccess" groupRelation="or">
<ProcessAccess onmatch="include">
<TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
</ProcessAccess>
<ProcessAccess onmatch="exclude">
<!-- Known legitimate LSASS accessors - tune for your environment -->
<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\lsass.exe</SourceImage>
<SourceImage condition="contains">\Microsoft\Windows Defender\</SourceImage>
</ProcessAccess>
</RuleGroup>
<!-- Event 11: File Create - Focus on executable and script types -->
<!-- Event 11: File Create - Focus on executable types and critical OS locations -->
<RuleGroup name="FileCreate" groupRelation="or">
<FileCreate onmatch="include">
<!-- All Windows executable file types -->
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="end with">.dll</TargetFilename>
<TargetFilename condition="end with">.sys</TargetFilename>
<TargetFilename condition="end with">.drv</TargetFilename>
<TargetFilename condition="end with">.ocx</TargetFilename>
<TargetFilename condition="end with">.cpl</TargetFilename>
<TargetFilename condition="end with">.scr</TargetFilename>
<TargetFilename condition="end with">.com</TargetFilename>
<TargetFilename condition="end with">.pif</TargetFilename>
<!-- Script file types -->
<TargetFilename condition="end with">.ps1</TargetFilename>
<TargetFilename condition="end with">.psm1</TargetFilename>
<TargetFilename condition="end with">.psd1</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
<TargetFilename condition="end with">.vbe</TargetFilename>
<TargetFilename condition="end with">.js</TargetFilename>
<TargetFilename condition="end with">.jse</TargetFilename>
<TargetFilename condition="end with">.wsf</TargetFilename>
<TargetFilename condition="end with">.wsh</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<!-- Other potentially malicious file types -->
<TargetFilename condition="end with">.msi</TargetFilename>
<TargetFilename condition="end with">.msp</TargetFilename>
<TargetFilename condition="end with">.lnk</TargetFilename>
<TargetFilename condition="end with">.url</TargetFilename>
<TargetFilename condition="end with">.inf</TargetFilename>
<TargetFilename condition="end with">.reg</TargetFilename>
<!-- Critical OS directories - Windows System directories -->
<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\SysWOW64\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\</TargetFilename>
<!-- Boot and startup locations -->
<TargetFilename condition="contains">\Windows\System32\drivers\</TargetFilename>
<TargetFilename condition="contains">\Windows\System32\config\</TargetFilename>
<!-- User profile critical locations -->
<TargetFilename condition="contains">\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\</TargetFilename>
<TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
<!-- Public and shared locations -->
<TargetFilename condition="contains">\Users\Public\</TargetFilename>
<TargetFilename condition="contains">\ProgramData\</TargetFilename>
<!-- Temp directories -->
<TargetFilename condition="contains">\Temp\</TargetFilename>
<TargetFilename condition="contains">\Windows\Temp\</TargetFilename>
<!-- Common download and staging locations -->
<TargetFilename condition="contains">\Downloads\</TargetFilename>
<TargetFilename condition="contains">\Desktop\</TargetFilename>
<!-- Recycle bin (sometimes used for staging) -->
<TargetFilename condition="contains">\$Recycle.Bin\</TargetFilename>
</FileCreate>
</RuleGroup>
<!-- Events 12, 13, 14: Registry - Focus on persistence locations -->
<RuleGroup name="RegistryEvent" groupRelation="or">
<RegistryEvent onmatch="include">
<!-- Run keys -->
<TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
<!-- Services -->
<TargetObject condition="contains">\Services\</TargetObject>
<!-- COM hijacking -->
<TargetObject condition="contains">\Classes\CLSID\</TargetObject>
<!-- Image File Execution Options -->
<TargetObject condition="contains">\Image File Execution Options\</TargetObject>
<!-- AppInit DLLs -->
<TargetObject condition="contains">\Windows\AppInit_DLLs</TargetObject>
<!-- Winlogon -->
<TargetObject condition="contains">\Winlogon\</TargetObject>
<!-- Security packages -->
<TargetObject condition="contains">\Lsa\</TargetObject>
</RegistryEvent>
</RuleGroup>
<!-- Events 17, 18: Named Pipes - Exclusion-based approach -->
<!-- Build a baseline of valid pipes in YOUR environment and exclude those -->
<!-- Alert on everything else at the SIEM layer -->
<RuleGroup name="PipeEvent" groupRelation="or">
<PipeEvent onmatch="exclude">
<!--
IMPORTANT: Baseline your environment's legitimate pipes and add them here.
The goal is to log unusual/new pipes and alert at the SIEM.
These are common Windows pipes - adjust for your environment.
See: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/named-pipes.md
-->
<PipeName condition="is">\lsass</PipeName>
<PipeName condition="is">\ntsvcs</PipeName>
<PipeName condition="is">\scerpc</PipeName>
<PipeName condition="is">\wkssvc</PipeName>
<PipeName condition="is">\srvsvc</PipeName>
<PipeName condition="is">\winreg</PipeName>
<PipeName condition="is">\spoolss</PipeName>
<PipeName condition="is">\netlogon</PipeName>
<PipeName condition="is">\samr</PipeName>
<PipeName condition="is">\browser</PipeName>
<!-- Add your environment-specific legitimate pipes below -->
<!-- Example: Your EDR, management tools, LOB applications -->
</PipeEvent>
</RuleGroup>
<!-- Events 19, 20, 21: WMI - Log all -->
<RuleGroup name="WmiEvent" groupRelation="or">
<WmiEvent onmatch="include">
<Operation condition="is">Created</Operation>
</WmiEvent>
</RuleGroup>
<!-- Event 22: DNS Query - Focus on interesting processes -->
<RuleGroup name="DnsQuery" groupRelation="or">
<DnsQuery onmatch="include">
<Image condition="contains">powershell</Image>
<Image condition="contains">cmd. exe</Image>
<Image condition="contains">wscript</Image>
<Image condition="contains">cscript</Image>
<Image condition="contains">rundll32</Image>
<Image condition="contains">regsvr32</Image>
</DnsQuery>
<DnsQuery onmatch="exclude">
<QueryName condition="end with">.microsoft.com</QueryName>
<QueryName condition="end with">.windows.com</QueryName>
<QueryName condition="end with">.windowsupdate.com</QueryName>
</DnsQuery>
</RuleGroup>
</EventFiltering>
</Sysmon>Deploying Sysmon
Installation
Download Sysmon from the official Sysinternals page.
Install with configuration:
I recommend you copy the configuration shown above into an XML document and apply it.
sysmon64.exe -accepteula -i sysmon-config.xmlUpdate existing configuration:
After tunning the configuration to your liking, you can apply the tuned config to a system using scripts, GPO, or Intune. The command below will apply the updated config.
sysmon64.exe -c sysmon-config.xmlCheck current configuration:
sysmon64.exe -cLog Location
Sysmon events appear in:
Applications and Services Logs → Microsoft → Windows → Sysmon → OperationalLog Size Configuration
Default log size is typically too small. Increase it:
wevtutil sl "Microsoft-Windows-Sysmon/Operational" /ms:524288000Or via GPO:
Computer Configuration
→ Administrative Templates
→ Windows Components
→ Event Log Service
→ Sysmon
→ Specify maximum log file size: 512000 KBConfiguration Tuning Philosophy
The configuration I provided is a starting point. I took the effort to ensure that the config would serve as a starting point for workstation and server alike. As you tune the config, ensure that you tune one for workstation and one for server. Once this is done, depending on the roles for servers and who uses the workstations, you can tune even further. Start slow and test. You need to tune it for your environment. Here's my approach:
- Start noisy, filter down: Enable more than you need initially. See what generates volume. Add exclusions for verified benign activity.
- Threat model drives filtering: What attacks are you most concerned about? Adjust your filters accordingly. If you're worried about insider threats, you might want more coverage. If you're focused on commodity malware, you can be more aggressive with exclusions.
- Baseline before excluding: This is especially important for named pipes but applies broadly. Understand what's normal in your environment before you start filtering. Otherwise, you risk excluding something an attacker is abusing.
- Test before deploying: Deploy to a test group first. Measure log volume and system impact. Adjust before rolling out widely.
- Iterate continuously: Your environment changes. So do attacker techniques. Review and update your configuration quarterly, at minimum.
- Use community resources: The TrustedSec Sysmon Community Guide goes deep on each event type with practical configuration guidance. We cover strategies for named pipes, network connections, registry monitoring, and more. It's worth reading through before finalizing your configuration.
If you prefer video content, we also have a Sysmon YouTube series that walks through configuration concepts and practical deployment scenarios.
Sysmon Alternatives and Companions
I want to be transparent—Sysmon isn't the only option. Some alternatives:
- Velociraptor – Open-source DFIR tool with endpoint visibility
- osquery – SQL-based endpoint telemetry
- EDR-native capabilities – Many EDRs provide similar telemetry (but that's our single-source problem)
The advantage of Sysmon is that it's free, it's from Microsoft (so no third-party driver concerns), and the logs go to the standard Windows Event Log infrastructure.
What We've Built So Far
Across Parts 1-4 of this blog series, we've established:
Part 2 - Windows Security Events:
- Logon/Logoff for session tracking
- Process Creation (4688) with command lines
- Service installation
- Scheduled tasks
- Script Block Logging (4104) for deobfuscated scripts
- Module Logging (4103) for command execution
- Transcription for full session recording
Part 4 - Sysmon:
- Enhanced process creation with hashes
- Network connections by process
- Registry modifications
- File creation
- Driver and DLL loading
- Named pipe activity
- WMI events
- DNS queries
In Part 5, we'll bring it all together—correlating across these sources during investigations and building detections that leverage the full foundation.
Resources for Going Deeper
- TrustedSec Sysmon Community Guide – Comprehensive documentation on each Sysmon event type with configuration strategies and examples
- Sysmon Video Series – Video walkthroughs covering deployment, configuration, and practical use cases
- Microsoft Sysmon Documentation – Official documentation and download