{"id":111353,"date":"2025-05-15T11:46:40","date_gmt":"2025-05-15T03:46:40","guid":{"rendered":"https:\/\/version-2.com\/?p=111353"},"modified":"2025-06-18T16:08:03","modified_gmt":"2025-06-18T08:08:03","slug":"windows-monitoring-with-sysmon-practical-guide-and-configuration","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2025\/05\/windows-monitoring-with-sysmon-practical-guide-and-configuration\/","title":{"rendered":"Windows Monitoring with Sysmon: Practical Guide and Configuration"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"111353\" class=\"elementor elementor-111353\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4da8c5f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4da8c5f9\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;decf9c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_par
allax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-133ba185\" data-id=\"133ba185\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc2da8d post-content elementor-widget elementor-widget-text-editor\" data-id=\"fc2da8d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/pandorafms.com\/blog\/wp-content\/uploads\/2025\/05\/sysmon-pfms-blog-980x549.png\" width=\"980\" height=\"549\" \/><\/p><div class=\"entry-content\"><p>One might think that, considering how effective some companies are at logging everything we do to serve us ads, they\u2019d at least apply that to help us understand what\u2019s happening on our systems and monitor their performance and security. But in the case of Windows, traditional logs fall short \u2014 and that\u2019s where the importance of Sysmon comes in.<br \/>Sysmon is a <strong>Windows service that logs operating system activity into the event log<\/strong>. 
However, it\u2019s not installed by default, so you\u2019ll need to <a href=\"https:\/\/download.sysinternals.com\/files\/Sysmon.zip\" target=\"_blank\" rel=\"noopener\">download it from here<\/a>.<br \/>Once installed, Sysmon logs are significantly more advanced and comprehensive than the default Windows Event Log, which is <strong>critical for ensuring the security<\/strong> of your systems.<br \/>That\u2019s why we\u2019re taking a deep dive into Sysmon.<\/p><p>\u00a0<\/p><h2 id=\"1\">How to Install Sysmon<\/h2><p>Sysmon isn\u2019t installed like a common Windows program, and here are the steps to do it without running into weird errors:<\/p><ul class=\"lista\"><li>Run PowerShell <strong>as Administrator<\/strong>.<\/li><li>Use the command line to navigate to the location where you retrieved the previously linked Sysmon file.<\/li><li>Then run: <span style=\"color: green; font-family: Pandora-Code!important;\">.\\Sysmon64.exe -i -accepteula<\/span><\/li><li>You\u2019ll see some installation messages, and just like that, Sysmon will be up and running.<\/li><\/ul><h3>Sysmon Log Location and Management<\/h3><p>So, how can we view Sysmon logs? Microsoft enjoys hiding things from us, but it\u2019s \u201ceasy\u201d:<\/p><ul class=\"lista\"><li>Press the Windows key and search for <strong>Event Viewer<\/strong>, then open it.<\/li><li>You\u2019ll see several folders \u2014 go to: <strong>Applications and Services Logs<\/strong>.<\/li><li>Open the <strong>Microsoft<\/strong> folder, then the <strong>Windows<\/strong> folder.<\/li><li>In the central panel, scroll down until you find <strong>Sysmon<\/strong>, then click on it. You\u2019ll see a log named <strong>Operational<\/strong>, which you may manage using the options on the right-hand side. 
Click to open it.<\/li><li>Everything that\u2019s happening is recorded there, and you can select events, copy them, save them, etc.<\/li><\/ul><h2 id=\"2\">Why Sysmon Logs Are Essential for a SIEM<\/h2><p>With Sysmon\u2019s detailed logging, our <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/siem\/\" target=\"_blank\" rel=\"noopener\">SIEM<\/a> \u2014 such as Pandora SIEM \u2014 can analyze and correlate those records, <strong>detecting and alerting the <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/what-is-security-operations-center-soc\/\" target=\"_blank\" rel=\"noopener\">SOC<\/a> about threats that would otherwise go unnoticed with basic logs.<\/strong><\/p><p>For example, a process hollowing attack \u2014 where a malicious actor creates a \u201clegitimate\u201d process like svchost.exe, but injects it with malicious code \u2014 would likely slip past default event logs, assuming they <a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/002\/\" target=\"_blank\" rel=\"nofollow noopener\">haven\u2019t been disabled altogether<\/a>.<br \/>But thanks to Sysmon, <strong>our SIEM can detect and raise alerts for this and other techniques by analyzing its logs<\/strong>. That\u2019s why in today\u2019s security landscape, <strong>Sysmon is essential<\/strong> if you\u2019re managing Windows systems and dealing with threats more advanced than a basic <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/attack-ddos-security\/\" target=\"_blank\" rel=\"noopener\">DDoS attack<\/a>.<\/p><h2 id=\"3\">Events Logged by Sysmon<\/h2><p>With Sysmon, we go from <a href=\"https:\/\/www.ncsc.gov.uk\/collection\/device-security-guidance\/managing-deployed-devices\/logging-and-protective-monitoring\" target=\"_blank\" rel=\"nofollow noopener\">logging<\/a> almost nothing to logging nearly everything. 
The service assigns an Event ID number to each type of activity it monitors, and these are the events it records:<\/p><ul class=\"lista\"><li><strong>1:<\/strong> Process creation.<\/li><li><strong>2:<\/strong> A process changed the creation time of a file.<\/li><li><strong>3:<\/strong> Network connection.<\/li><li><strong>4:<\/strong> Sysmon service state changed.<\/li><li><strong>5:<\/strong> Process terminated.<\/li><li><strong>6:<\/strong> Driver loaded.<\/li><li><strong>7:<\/strong> Image loaded.<\/li><li><strong>8:<\/strong> CreateRemoteThread.<\/li><li><strong>9:<\/strong> RawAccessRead.<\/li><li><strong>10:<\/strong> ProcessAccess.<\/li><li><strong>11:<\/strong> FileCreate.<\/li><li><strong>12:<\/strong> RegistryEvent (object creation and deletion).<\/li><li><strong>13:<\/strong> RegistryEvent (value sets).<\/li><li><strong>14:<\/strong> RegistryEvent (key and value names).<\/li><li><strong>15:<\/strong> FileCreateStreamHash.<\/li><li><strong>16:<\/strong> ServiceConfigurationChange.<\/li><li><strong>17:<\/strong> PipeEvent (pipe created).<\/li><li><strong>18:<\/strong> PipeEvent (pipe connected).<\/li><li><strong>19:<\/strong> WmiEvent (WmiEventFilter activity detected).<\/li><li><strong>20:<\/strong> WmiEvent (WmiEventConsumer activity detected).<\/li><li><strong>21:<\/strong> WmiEvent (WmiEventConsumerToFilter activity detected).<\/li><li><strong>22:<\/strong> DNSEvent (DNS query).<\/li><li><strong>23:<\/strong> FileDelete (archived file deletion).<\/li><li><strong>24:<\/strong> ClipboardChange (new clipboard content).<\/li><li><strong>25:<\/strong> ProcessTampering (image change in a process).<\/li><li><strong>26:<\/strong> FileDeleteDetected (logged file deletion).<\/li><li><strong>27:<\/strong> FileBlockExecutable.<\/li><li><strong>28:<\/strong> FileBlockShredding.<\/li><li><strong>29:<\/strong> FileExecutableDetected.<\/li><li><strong>255:<\/strong> Error \u2014 reserved for when Sysmon fails to complete a task or encounters other 
issues.<\/li><\/ul><p>As you can see, it logs everything from file creation and modification, to clipboard activity and network requests. With this granular logging, <strong>we can correlate events that may appear harmless on their own but together may be the signs of a sophisticated attack<\/strong>.<\/p><h2 id=\"4\">Sysmon Log Lifecycle<\/h2><p>To <a href=\"https:\/\/www.ncsc.gov.uk\/guidance\/introduction-logging-security-purposes\" target=\"_blank\" rel=\"nofollow noopener\">manage logs efficiently<\/a>, we need to define what happens at each stage of their lifecycle.<br \/>Sysmon begins recording events in real time <strong>based on the configuration defined in an XML file<\/strong>.<br \/>By default, it uses a generic configuration to start logging, but the real power\u2014and what any SOC truly cares about\u2014is <strong>customizing that XML to suit the organization\u2019s needs<\/strong>, security policies, <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/risk-management-business-safety\/\" target=\"_blank\" rel=\"noopener\">risk management<\/a> approach, and infrastructure (such as the SIEM being used).<br \/>This allows us to configure Sysmon to ignore irrelevant \u201cnoise\u201d and focus only on what matters.<br \/>Once event logging begins, entries are stored until the log reaches its maximum defined size, <strong>which can be adjusted through the Event Viewer<\/strong>.<br \/>To configure this, navigate again to Operational, right-click it, select Properties, and there you can define:<\/p><ul class=\"lista\"><li><strong>Maximum log size<\/strong>.<\/li><li><strong>What happens when the limit is reached:<\/strong> Overwrite events starting with the oldest, archive the log so it won\u2019t be overwritten, or choose not to overwrite at all (because you\u2019ll manually clear the logs\u2014something you probably promise to do and never will).<\/li><\/ul><p>These logs reach their full potential <strong>when analyzed by a SIEM<\/strong>. Manually going 
through every Sysmon line for clues might build character\u2014but also eye strain\u2014and is much slower and more error-prone than letting a SIEM handle it, implying a high risk of overlooking issues such as <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/what-is-malware-how-to-prevent-it\/\" target=\"_blank\" rel=\"noopener\">malware<\/a>.<br \/>For example, Pandora SIEM\u2019s agent collects these logs and sends them to a centralized server for analysis and correlation alongside other logs\u2014without burning through your eyelashes. This allows you to detect real-time threats that might be buried within endless log lines, and correlate them with other activity across the network, even from non-Windows machines.<br \/>Even better: if the Windows <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/what-is-an-endpoint\/\" target=\"_blank\" rel=\"noopener\">endpoint<\/a> is compromised beyond recovery, <strong> you\u2019ll still have a centralized copy of the log in your SIEM<\/strong>, which is vital for <a href=\"https:\/\/pandorafms.com\/en\/it-topics\/what-is-cyber-forensics\/\" target=\"_blank\" rel=\"noopener\">forensic analysis<\/a> to understand what caused the catastrophic failure.<br \/>And what happens to the logs once they\u2019ve been analyzed?<br \/>That depends on finding the right balance between smart archiving and deletion, and meeting both forensic investigation needs and regulatory compliance regarding long-term log retention.<\/p><h2 id=\"5\">How Eventlog Analyzer Processes Sysmon Logs<\/h2><p>A Sysmon log captures a vast amount of information, but what <strong>we truly need is actionable insight<\/strong> for our <a href=\"https:\/\/www.mitre.org\/sites\/default\/files\/2022-04\/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf\" target=\"_blank\" rel=\"noopener\">defense strategies<\/a>. 
To achieve this, various tools can leverage Sysmon logs to detect malicious patterns and alert us accordingly.<br \/>Eventlog Analyzer, a tool by ManageEngine, includes powerful log analysis capabilities\u2014not just for Sysmon, but also for routers, IDS systems, and more.<br \/>It normalizes, correlates, and presents the most relevant data visually through dashboards and alerts.<br \/>This simplifies threat detection and forensic investigations during security breaches, and helps ensure compliance with regulatory requirements.<\/p><h2 id=\"6\">Monitoring Sysmon with Pandora FMS and Pandora SIEM<\/h2><p>Pandora SIEM also <strong>enables centralized and advanced analysis of Sysmon logs<\/strong> (as well as logs from other areas of your IT infrastructure) via the Log Collector. It then <strong>transforms that information into actionable insights and quickly detects threats<\/strong>. It doesn\u2019t matter if you\u2019re running both Windows and Linux machines, and Sysmon data needs to work in harmony with Syslog or Auditd\u2014everything gets integrated and analyzed together.<br \/>One of Pandora\u2019s strongest features is its adaptability\u2014<strong>you can fully tailor the tool to match your workflows<\/strong>, organization structure, and specific needs.<br \/>Similarly, Pandora dashboards can be configured to <strong>display exactly what matters to you\u2014such as listing Sysmon events sorted by severity<\/strong>\u2014and alert you only when needed, filtering out the noise.<br \/>It also provides advanced <strong>reporting and search capabilities<\/strong>, going far beyond the features offered by many other tools.<br \/>Pandora is a comprehensive solution\u2014think of it as the Enterprise\u2019s central computer\u2014designed to monitor and manage diverse systems so they run in sync. 
Its SIEM is synonymous with top-tier security, but you can also incorporate <strong>remote monitoring, control, and ticketing<\/strong> into a single unified platform.<br \/>This prevents your stack from turning into a Frankenstein\u2019s monster of stitched-together tools\u2014something all too common in IT\u2014which also brings the added headache of fragmented support, where each vendor blames \u201cthe other applications.\u201d<\/p><h2 id=\"7\">How to Properly Configure Sysmon<\/h2><p>With great power comes great responsibility\u2026 and complexity. That\u2019s why anyone who needs to filter out \u201cnoise\u201d and receive only critical information from Sysmon should use a <strong>custom XML configuration<\/strong>.<br \/>You can do this with the following command:<\/p><p style=\"color: green; font-family: Pandora-Code!important;\">.\\Sysmon64.exe -i -accepteula c:\\micarpeta\\mixmlpersonal.xml<\/p><p>But writing that XML from scratch can feel like one of Hercules\u2019 labors\u2014which is why Pandora provides a starter configuration file that you can <strong><a href=\"https:\/\/pandorafms.com\/blog\/wp-content\/uploads\/2025\/05\/sysmonconfig-pandora.xml\" target=\"_blank\" rel=\"noopener\">download here<\/a><\/strong>.<br \/>This file is based on <strong>best practices and specially adapted to help Pandora extract the key information<\/strong> necessary for effective protection. 
However, it should always be tailored to fit your environment.<br \/>The file comes well-commented (which makes working with it much easier) and includes some Pandora-specific rules, but you can and should customize it as needed.<br \/>Some key points in the XML you may want to adapt include:<\/p><ul class=\"lista\"><li><strong>Critical processes<\/strong> (search for &lt;Image&#8230;&gt;).<\/li><li><strong>Ports commonly used by attackers<\/strong> (search for &lt;DestinationPort&#8230;&gt;) \u2014 keep an eye on suspicious ports like 4444, often used by Metasploit.<\/li><li><strong>Registry modifications<\/strong> (search for &lt;TargetObject&#8230;&gt;).<\/li><li><strong>Executables launched from suspicious locations<\/strong>, like \/temp or the Recycle Bin.<\/li><\/ul><p>Becoming familiar with the XML format, its structure, and the meaning of each field is one of the best skills you can develop for protecting Windows systems.<br \/>This way, you can ensure that Sysmon\u2019s potential doesn\u2019t go to waste, quietly collecting gigabytes of dusty virtual logs.<br \/>As we\u2019ve seen, if you manage Windows endpoints, Sysmon is essential\u2014because while Microsoft might know everything about us, the default event logs leave us knowing little about Windows itself. That\u2019s why you need to start logging with Sysmon\u2014but don\u2019t stop there.<br \/>Its massive logging capabilities are also its biggest challenge, which is why the best approach is to customize its XML and integrate it with a SIEM. 
The SIEM can then do the heavy lifting of detecting threats hidden among the thousands of log lines.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085a61 post-content elementor-widget elementor-widget-shortcode\" data-id=\"8085a61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;
,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. 
Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"38636\" class=\"elementor elementor-38636\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7400e5a2 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"7400e5a2\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;58112d0&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot
;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-131f5cf2\" data-id=\"131f5cf2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1114ae95 elementor-widget elementor-widget-text-editor\" data-id=\"1114ae95\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>About PandoraFMS<\/strong><br>\nPandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.<br>\nOf course, one of the things that Pandora FMS can control is the hard disks of your computers.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Windows monitoring with Sysmon requires custom XML configuration for effective security logging. 
Integrating Sysmon with a SIEM like Pandora SIEM enhances centralized analysis, threat detection, and correlation for robust security management and operational efficiency.<\/p>","protected":false},"author":149011790,"featured_media":112474,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[474,1305,61],"tags":[475,1077,1319],"class_list":["post-111353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pandorafms","category-1305","category-press-release","tag-pandorafms","tag-1077","tag-home-page"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Windows Monitoring with Sysmon: Practical Guide and Configuration - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows Monitoring with Sysmon: Practical Guide and Configuration - Version 2\" \/>\n<meta property=\"og:description\" content=\"Windows monitoring with Sysmon requires custom XML configuration for effective security logging. 
Integrating Sysmon with a SIEM like Pandora SIEM enhances centralized analysis, threat detection, and correlation for robust security management and operational efficiency.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-15T03:46:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-18T08:08:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1768\" \/>\n\t<meta property=\"og:image:height\" content=\"1079\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"tracylamv2\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"tracylamv2\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2025\\\/05\\\/windows-monitoring-with-sysmon-practical-guide-and-configuration\\\/\"},\"author\":{\"name\":\"tracylamv2\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\"},\"headline\":\"Windows Monitoring with Sysmon: Practical Guide and Configuration\",\"datePublished\":\"2025-05-15T03:46:40+00:00\",\"dateModified\":\"2025-06-18T08:08:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2025\\\/05\\\/windows-monitoring-with-sysmon-practical-guide-and-configuration\\\/\"},\"wordCount\":1645,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/version-2.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/post-img-PandoraFMS.jpg\",\"keywords\":[\"Pandorafms\",\"2025\",\"home-page\"],\"articleSection\":[\"PandoraFMS\",\"2025\",\"Press Release\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2025\\\/05\\\/windows-monitoring-with-sysmon-practical-guide-and-configuration\\\/\",\"url\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/\",\"name\":\"Windows Monitoring with Sysmon: Practical Guide and Configuration - Version 
2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/version-2.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/post-img-PandoraFMS.jpg\",\"datePublished\":\"2025-05-15T03:46:40+00:00\",\"dateModified\":\"2025-06-18T08:08:03+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#primaryimage\",\"url\":\"https:\\\/\\\/version-2.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/post-img-PandoraFMS.jpg\",\"contentUrl\":\"https:\\\/\\\/version-2.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/post-img-PandoraFMS.jpg\",\"width\":1768,\"height\":1079},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/pandorafms.com\\\/blog\\\/windows-monitoring-with-sysmon\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows Monitoring with Sysmon: Practical Guide and Configuration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 
2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\",\"name\":\"tracylamv2\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"caption\":\"tracylamv2\"},\"url\":\"https:\\\/\\\/version-2.com\\\/en\\\/author\\\/tracylamv2\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Windows Monitoring with Sysmon: Practical Guide and Configuration - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/","og_locale":"en_US","og_type":"article","og_title":"Windows Monitoring with Sysmon: Practical Guide and Configuration - Version 2","og_description":"Windows monitoring with Sysmon requires custom XML configuration for effective security logging. Integrating Sysmon with a SIEM like Pandora SIEM enhances centralized analysis, threat detection, and correlation for robust security management and operational efficiency.","og_url":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/","og_site_name":"Version 2","article_published_time":"2025-05-15T03:46:40+00:00","article_modified_time":"2025-06-18T08:08:03+00:00","og_image":[{"width":1768,"height":1079,"url":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg","type":"image\/jpeg"}],"author":"tracylamv2","twitter_card":"summary_large_image","twitter_misc":{"Written by":"tracylamv2","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#article","isPartOf":{"@id":"https:\/\/version-2.com\/2025\/05\/windows-monitoring-with-sysmon-practical-guide-and-configuration\/"},"author":{"name":"tracylamv2","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365"},"headline":"Windows Monitoring with Sysmon: Practical Guide and Configuration","datePublished":"2025-05-15T03:46:40+00:00","dateModified":"2025-06-18T08:08:03+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2025\/05\/windows-monitoring-with-sysmon-practical-guide-and-configuration\/"},"wordCount":1645,"commentCount":0,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#primaryimage"},"thumbnailUrl":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg","keywords":["Pandorafms","2025","home-page"],"articleSection":["PandoraFMS","2025","Press Release"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2025\/05\/windows-monitoring-with-sysmon-practical-guide-and-configuration\/","url":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/","name":"Windows Monitoring with Sysmon: Practical Guide and Configuration - Version 
2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#primaryimage"},"image":{"@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#primaryimage"},"thumbnailUrl":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg","datePublished":"2025-05-15T03:46:40+00:00","dateModified":"2025-06-18T08:08:03+00:00","breadcrumb":{"@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#primaryimage","url":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg","contentUrl":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg","width":1768,"height":1079},{"@type":"BreadcrumbList","@id":"https:\/\/pandorafms.com\/blog\/windows-monitoring-with-sysmon\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/"},{"@type":"ListItem","position":2,"name":"Windows Monitoring with Sysmon: Practical Guide and Configuration"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 
2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365","name":"tracylamv2","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","caption":"tracylamv2"},"url":"https:\/\/version-2.com\/en\/author\/tracylamv2\/"}]}},"jetpack_featured_media_url":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-PandoraFMS.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-sY1","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/111353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/users\/149011790"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/comments?post=111353"}],"version-history":[{"count":9,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/111353\/revisions"}],
"predecessor-version":[{"id":112495,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/111353\/revisions\/112495"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/media\/112474"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/media?parent=111353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/categories?post=111353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/tags?post=111353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}