Default Windows logging tells you that a process ran. Sysmon tells you the full command line, the parent process that launched it, the SHA256 hash of the executable, every network connection and which process made it, every file created and its hash, every DNS query, and registry modifications. That is the difference between knowing a door opened and knowing who opened it, what they were carrying, and where they went.
Installation
Download Sysmon and the SwiftOnSecurity community configuration — a well-maintained ruleset that enables the right events and filters out most noise out of the box.
```powershell
# Install with community config
C:\Windows\Sysmon64.exe -accepteula -i sysmonconfig.xml
# Verify running
Get-Service Sysmon64
```
Adding Sysmon to the Wazuh agent config
The Wazuh agent needs to be told to collect from the Sysmon channel. Add to ossec.conf:
```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```
Sysmon event IDs that matter for detection
| Event ID | What it captures |
|---|---|
| 1 | Process creation — full command line, parent process, hash |
| 3 | Network connection — destination IP, port, process responsible |
| 7 | Image loaded — DLL loading into a process |
| 10 | Process access — one process opening another's memory |
| 11 | File created — path and hash |
| 13 | Registry modification |
| 22 | DNS query |
The group tag syntax difference
Built-in Wazuh rules for Sysmon are chained with if_group rather than if_sid, and the group tag naming is inconsistent across event IDs — this is a real trap:
```xml
<if_group>sysmon_event1</if_group>    <!-- Process creation — no underscore -->
<if_group>sysmon_event_11</if_group>  <!-- File creation — underscore before 11 -->
```
Always verify the exact group tag from the built-in rule files before using it:
```bash
sudo grep -A5 "sysmon_event" /var/ossec/ruleset/rules/0330-sysmon_rules.xml
```
Using pcre2 for command line matching
```xml
<!-- The backslash must be escaped: \\powershell matches "\powershell" in the image path,
     while a bare \p starts a (malformed) Unicode property escape and the pattern will not compile -->
<field name="win.eventdata.image" type="pcre2">(?i)\\powershell(\.exe)?$</field>
<field name="win.eventdata.commandLine" type="pcre2">(?i)(invoke-webrequest|\.downloadfile)</field>
```
(?i) makes the match case-insensitive — attackers frequently change case to evade simple string matching.
First Sysmon rule — PowerShell download detection
```xml
<rule id="100010" level="12">
  <if_group>sysmon_event1</if_group>
  <!-- image path ends in \powershell or \powershell.exe, any case -->
  <field name="win.eventdata.image" type="pcre2">(?i)\\powershell(\.exe)?$</field>
  <!-- common download cmdlets, .NET WebClient methods and aliases -->
  <field name="win.eventdata.commandLine" type="pcre2">(?i)(invoke-webrequest|\.downloadfile|\.downloadstring|iwr\s|wget\s|curl\s)</field>
  <description>Sysmon: PowerShell downloading content from internet</description>
  <group>sysmon,sysmon_powershell_download,</group>
  <mitre><id>T1105</id></mitre>
</rule>
```
Tested with a real Invoke-WebRequest command. Rule fired at level 12. The alert captured the full SHA256 hash of the PowerShell executable — ready for VirusTotal enrichment when that gets added.
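To exercise the rule's two field patterns offline before deploying, here is an added Python example (not from the original post or from Wazuh) that runs them over constructed Sysmon Event 1 records in the decoded shape Wazuh exposes; it assumes Python's re is an adequate stand-in for pcre2 for these patterns, and it also shows that the engine rejects the unescaped \p form.

```python
import re

# The two field patterns from rule 100010. The image pattern escapes the
# backslash (\\powershell) so it matches a path separator; a single
# backslash would make "\p" a malformed Unicode property escape.
IMAGE_RE = re.compile(r"(?i)\\powershell(\.exe)?$")
CMDLINE_RE = re.compile(
    r"(?i)(invoke-webrequest|\.downloadfile|\.downloadstring|iwr\s|wget\s|curl\s)"
)

def pattern_compiles(pattern: str) -> bool:
    """True if the regex engine accepts the pattern (Python re standing in for pcre2)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def rule_100010_matches(event: dict) -> bool:
    """Both <field> checks must hit, exactly as the Wazuh rule requires."""
    data = event.get("win", {}).get("eventdata", {})
    image = data.get("image", "")
    cmdline = data.get("commandLine", "")
    return bool(IMAGE_RE.search(image)) and bool(CMDLINE_RE.search(cmdline))

# Constructed Sysmon Event 1 records in the decoded shape Wazuh exposes
# (only the two fields the rule reads are included).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # plain download cmdlet: should fire
    {"win": {"eventdata": {"image": PS,
             "commandLine": "powershell -nop -w hidden Invoke-WebRequest http://example.invalid/a"}}},
    # case changed and the iwr alias used: (?i) means it still fires
    {"win": {"eventdata": {"image": PS.upper(),
             "commandLine": "POWERSHELL IWR http://example.invalid/b"}}},
    # download keyword present but the image is cmd.exe: image check fails, no alert
    {"win": {"eventdata": {"image": r"C:\Windows\System32\cmd.exe",
             "commandLine": "cmd /c curl http://example.invalid/c"}}},
    # PowerShell running a local script with no download keyword: no alert
    {"win": {"eventdata": {"image": PS,
             "commandLine": r"powershell -File C:\scripts\backup.ps1"}}},
]

def evaluate(events=SAMPLE_EVENTS):
    return [rule_100010_matches(e) for e in events]  # → [True, True, False, False]

if __name__ == "__main__":
    print(evaluate())
```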