Skip to main content

Introduction


Revision History​

DateAuthorSummary
18-JUN-2022TSgt. BernadotteInitial draft
12-DEC-2022TSgt. BernadotteAdded Sysmon Community Guide appendix
19-MAR-2026CW2 BernadotteMajor revision β€” condensed and restructured; replaced Community Guide dump with operational reference content

Purpose​

The purpose of this aid is to provide the knowledge necessary to reduce noise generated by Sysmon by excluding known-good activity through configuration tuning. Tuning may be performed prior to deployment or as part of an ongoing effort to continually update deployed configurations.


End-State​

  • Operators understand the Sysmon XML configuration structure and can read, modify, and validate sysmonconfig.xml files.
  • Operators can identify high-noise event types and write targeted exclusion rules to suppress known-good activity.
  • Operators can test a modified configuration locally before deploying to production hosts.
  • Operators know the workflow for applying updated configurations to both pre- and post-deployment scenarios.

Requirements​

  1. Sysmon installed on a Windows test host for validating configuration changes before deployment.
  2. Access to the base sysmonconfig.xml:
    • Pre-deployment: /opt/tfplenum/agent_pkgs/sysmon/sysmonconfig.xml on the DIP Controller (only present on DIPs configured IAW 262COS-DIP-SOP-001).
    • Post-deployment: C:\Program Files\Sysmon\sysmonconfig.xml on the deployed host.
  3. A text editor or IDE with XML syntax highlighting.

Considerations​

  • Tune before deployment when possible. If known EDRs, AV, or other security tools are present in the environment, exclude their activity from relevant event types before deploying agents.
  • The 262COS/DOK base config at /opt/tfplenum/agent_pkgs/sysmon/sysmonconfig.xml combines elements of SwiftOnSecurity, OlafHartong, and NIPR-specific tuning. Build on this config rather than replacing it from scratch.
  • Exclude approach: The base config uses onmatch="exclude" for most event types β€” all activity is logged unless it matches an exclusion rule. This maximizes detection coverage at the cost of higher volume.
  • CPU cost of operators: contains, contains any, and contains all are the most CPU-intensive operators. Prefer is, begins with, or ends with on high-frequency event types (ProcessCreate, NetworkConnect) where possible.
  • Always test a modified config with sysmon.exe -n -l -i <config> on a test host before deploying to production.
  • EventID 16 is generated in the Windows Event Log whenever the Sysmon configuration is updated via the command-line tool.