ICS Watch Dog

Sysmon monitoring for industrial and critical infrastructure environments. Curated configurations, detection modules, and coverage tools mapped to the SANS ICS 5 Critical Controls.

A Cutaway Security Project

New to Sysmon? Read the Getting Started guide for an overview of what Sysmon is, why it matters for ICS/OT, and step-by-step deployment instructions.

Deploy

Configuration Files

9 curated Sysmon configs from IT baseline through OT advanced, plus a legacy Win7 config. Choose by system role.

Sysmon v15+ | Schema 4.90
Extend

Module Library

48 opt-in modules for OT vendors, IT software, industrial protocols, cloud storage, and remote access tools.

7 Categories | 48 Modules
Measure

Coverage Assessment

Measure config-to-system fit, identify monitoring gaps, capture inventories, and compare hosts.

3 Tools | PS 2.0+ Compatible
Detect

LOLBAS Detection

Three-tier Living off the Land (LOLBAS) detection: high-signal core rules ship in every config, and the comprehensive rule sets are opt-in modules for advanced users.

Tier 1-3 | 153 Rules
Build

Build Your Own Module

Detection cookbook with 7 worked examples covering process, file, network, registry, named-pipe, and composite (multi-field) rule patterns.

Step-by-Step Guide
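The LOLBAS card and the module cookbook both refer to composite rules that match on more than one field of a single event. The fragment below is an added illustration of that pattern in Sysmon's schema 4.90 format; it is not one of the ICS Watch Dog modules or LOLBAS rules, and the RuleGroup and Rule names are made up for the example. It keys on certutil.exe, a stock Windows binary that is commonly abused to download or decode payloads, and fires only when the command line also carries the relevant switches, which is what keeps the rule high-signal rather than flagging every certificate operation:

```xml
<!-- Added example, not an ICS Watch Dog module. Group and rule names are assumed. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="example_lolbas_certutil" groupRelation="or">
      <!-- Event ID 1 (ProcessCreate): composite AND rule. Both the image name and
           one of the listed command-line switches must match for the event to log. -->
      <ProcessCreate onmatch="include">
        <Rule name="certutil_download_or_decode" groupRelation="and">
          <Image condition="end with">\certutil.exe</Image>
          <CommandLine condition="contains any">urlcache;-decode;-decodehex</CommandLine>
        </Rule>
      </ProcessCreate>
      <!-- Event ID 3 (NetworkConnect): a single-field rule. Any outbound connection
           by certutil.exe is worth recording on an OT host, so no second condition. -->
      <NetworkConnect onmatch="include">
        <Image condition="end with">\certutil.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

To combine a module like this with a base configuration, place its RuleGroup inside the base file's EventFiltering element; Sysmon evaluates include rules for an event type against all RuleGroups, so an opt-in module can add coverage without editing the base rules. Load the merged file with `sysmon64.exe -c merged.xml` and confirm with `sysmon64.exe -c` that the schema version reported matches the binary's supported schema.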
Contribute

Community

Submit modules, system inventories, and feature requests. Three-tier acceptance process for community contributions.

GitHub Issue Templates