ICS Watch Dog
Usable Sysmon configurations for enterprise IT and ICS/OT environments. From IT baseline to OT advanced, mapped to the SANS ICS 5 Critical Controls.
A Cutaway Security Project
Why ICS Watch Dog?
Microsoft Sysinternals Sysmon is one of the best tools for improving visibility into what happens on your Windows servers and workstations. But for many ICS/OT teams, Sysmon's configuration files are complex and intimidating -- especially for Windows administrators who haven't worked with them before.
- Progressive approach -- Start with the IT Baseline and advance through OT-specific configs as your program matures
- Mapped to SANS ICS 5 Critical Controls -- Supports incident response, defensible architecture, network visibility, secure remote access, and vulnerability management
- Remote access detection -- All configs detect known remote access tools (TeamViewer, AnyDesk, VNC, and others) per CISA/NSA guidance
- Legacy OS support -- Baseline configs use Sysmon schema 4.50 for compatibility with older Windows versions common in OT environments
- Ransomware detection indicators -- Recovery inhibition, credential theft, C2 pipe, and ransom note detection rules across all configs. See the Ransomware Detection Guide.
- No SIEM required -- Useful with just Windows Event Viewer, though configs work with centralized logging and SIEMs too
Configuration Files
Desktops and Laptops
  Enterprise workstation monitoring with remote access tool detection. Start here for endpoints.
  Sysmon v13+ | Schema 4.50

IT Server: General Servers
  Server-appropriate exclusions, minimal desktop noise. Start here for servers.
  Sysmon v13+ | Schema 4.50

Server Services: Database + Web Server
  Covers all common database and web engines. Webshell detection, xp_cmdshell, backup monitoring.
  Sysmon v13+ | Schema 4.50

OT Baseline: ICS/OT Monitoring
  Adds OT vendor software monitoring and ICS-specific file type detection.
  Sysmon v13+ | Schema 4.50

OT Enhanced: Industrial Ports
  Modbus, EtherNet/IP, OPC-UA, DNP3, S7comm, and more. Process-to-port visibility.
  Sysmon v13+ | Schema 4.50

Jump Host: Bastion / Kiosk
  Comprehensive monitoring for OT remote access chokepoints. Clipboard tracking, minimal exclusions.
  Sysmon v15+ | Schema 4.90

New to Sysmon? Read the Getting Started guide for an overview of what Sysmon is, why it matters for ICS/OT, and step-by-step deployment instructions.
Important: All configurations are starting points. Administrators MUST tune these configs for their specific environments and test before production deployment.
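As an added illustration, not one of the project's configuration files, the fragment below shows how Sysmon schema 4.50 NetworkConnect filtering expresses the process-to-port visibility described for the OT Enhanced config. The port numbers are the well-known defaults of the protocols named above; the rule names and the excluded image path are constructed placeholders.

```xml
<!-- Added example, not an ICS Watch Dog configuration file. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- Event ID 3 (NetworkConnect): record any process that opens a connection to an
         industrial protocol port. Each rule's name is written to the event's RuleName
         field, so the protocol is readable in Event Viewer without a port lookup. -->
    <RuleGroup name="ICS protocol ports" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort name="ics_modbus_tcp" condition="is">502</DestinationPort>
        <DestinationPort name="ics_s7comm" condition="is">102</DestinationPort>
        <DestinationPort name="ics_opcua" condition="is">4840</DestinationPort>
        <DestinationPort name="ics_dnp3" condition="is">20000</DestinationPort>
        <DestinationPort name="ics_enip_explicit" condition="is">44818</DestinationPort>
        <DestinationPort name="ics_enip_implicit_io" condition="is">2222</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Tuning hook: Sysmon applies exclude rules before include rules, so approved
         engineering or HMI software can be dropped here to cut noise. Keep this list
         short: an excluded image is also invisible if it is abused. The path below is
         a constructed placeholder to replace after reviewing your own baseline. -->
    <RuleGroup name="ICS port exclusions" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Program Files\PLACEHOLDER_VENDOR\HMI\hmi.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply with `sysmon64.exe -c <file>` on a host that already has Sysmon installed, then review Event ID 3 in the Microsoft-Windows-Sysmon/Operational log; the RuleName field carries the protocol tag.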
Project Sponsor
This project was developed and is supported by Cutaway Security, LLC, in collaboration with each contributor.