About ICS Watch Dog
Mission
ICS Watch Dog lowers the barrier to Sysmon adoption in industrial and critical infrastructure environments. The project provides curated configurations, a modular detection library, and assessment tools that help Windows administrators deploy and mature endpoint monitoring -- from first install through advanced OT-specific detection.
What the Project Provides
- Progressive configurations -- Start with an IT baseline and advance through OT-specific configs as your monitoring program matures. No need to write XML from scratch.
- 48 detection modules -- Vendor-specific (Siemens, Rockwell, Schneider, AVEVA, Ignition), industrial protocol (Modbus, OPC-UA, DNP3, S7comm), sector-specific, and LOLBAS detection modules that merge into any base config.
- Coverage toolchain -- Measure how well your config fits your actual system, capture inventories for offline analysis, and compare hosts to track changes.
- MITRE ATT&CK integration -- Every detection rule is tagged with ATT&CK technique IDs. SIEMs can extract structured data directly from Sysmon events without lookup tables.
- SANS ICS 5 Critical Controls alignment -- Configs are mapped to incident response, defensible architecture, network visibility, secure remote access, and vulnerability management.
- Honest provenance -- Every module includes a confidence level (verified-in-lab, vendor-documented, security-research, or theoretical) and a validation file documenting what has and has not been tested.
- No SIEM required -- Useful with just Windows Event Viewer, though all configs work with centralized logging and SIEMs.
- Legacy OS support -- A dedicated Windows 7 config (schema 4.23) and PowerShell 2.0-compatible tools for OT environments that cannot upgrade.
How It Works
The project follows a progression model. Each step builds on the previous one:
- Deploy a curated config -- Choose by system role (workstation, server, OT, jump host). Each config is self-contained and deployable without editing. See Configuration Files.
- Assess your coverage -- Run the coverage tool to measure how well the config fits your system. Identify unmonitored processes, uncovered vendors, and unmatched ports. See Coverage Assessment.
- Extend with modules -- Merge vendor, protocol, or sector modules to close gaps. The merge tool combines a base config with selected modules into a deployable config. See Module Library.
- Validate detection -- Run the efficacy test to confirm Sysmon is generating expected events. See Efficacy Testing.
- Build and contribute -- Write custom modules for your environment and share them with the community. See Build Your Own Module and Community Contributions.
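As an added illustration of the merge and extend steps above (example code written for this page, not ICS Watch Dog's own merge tool): a small Python script that appends a module's RuleGroups to a base Sysmon config, refuses any module whose schemaversion is newer than the base so a legacy host never receives rules it cannot load, and pulls the ATT&CK IDs out of the rule names. The config fragments and the `technique_id=` naming form are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not ICS Watch Dog's own files): a minimal base
# config and one protocol module. Rule names carry ATT&CK IDs in the assumed
# "technique_id=..." form; Sysmon copies the name into the event's RuleName.
BASE_CONFIG = """<Sysmon schemaversion="4.23">
  <EventFiltering>
    <RuleGroup name="base-process-create" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image name="technique_id=T1059.001" condition="end with">powershell.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

MODULE_MODBUS = """<Sysmon schemaversion="4.23">
  <EventFiltering>
    <RuleGroup name="module-modbus" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort name="technique_id=T0869" condition="is">502</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def merge_configs(base_xml, module_xmls):
    """Append each module's RuleGroups to the base EventFiltering section.
    Hypothetical merge logic; modules newer than the base schema are rejected."""
    base = ET.fromstring(base_xml)
    base_schema = float(base.get("schemaversion"))
    target = base.find("EventFiltering")
    for xml in module_xmls:
        mod = ET.fromstring(xml)
        if float(mod.get("schemaversion")) > base_schema:
            raise ValueError(f"module schema {mod.get('schemaversion')} newer than base {base_schema}")
        for group in mod.find("EventFiltering").findall("RuleGroup"):
            target.append(group)  # modules only add rules; the base is never rewritten
    return ET.tostring(base, encoding="unicode")

def rule_group_names(config_xml):
    """Names of every RuleGroup in a config, in document order."""
    return [g.get("name") for g in ET.fromstring(config_xml).iter("RuleGroup")]

def technique_ids(config_xml):
    """Collect ATT&CK technique IDs from rule name attributes (what a SIEM sees as RuleName)."""
    return {p.split("=", 1)[1] for el in ET.fromstring(config_xml).iter()
            for p in el.get("name", "").split(",") if p.startswith("technique_id=")}
```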
SANS ICS 5 Critical Controls
Every curated configuration maps to the SANS ICS 5 Critical Controls:
| Control | How ICS Watch Dog Supports It |
|---|---|
| #1 ICS Incident Response | Forensic evidence via process, file, registry, and network logs |
| #2 Defensible Architecture | Detection of processes crossing network boundaries |
| #3 ICS Network Visibility | Host-side complement to network monitoring (process-to-connection correlation) |
| #4 Secure Remote Access | Detection of known remote access and RMM tools per CISA/NSA guidance |
| #5 Vulnerability Management | Software execution, driver loading, and service change logging |
For the full control-by-control mapping with specific Sysmon Event IDs, see the SANS ICS 5 Controls guide.
Project History
ICS Watch Dog was created to address a gap in the ICS/OT cybersecurity community: Sysmon is a powerful, free tool for Windows endpoint visibility, but its XML configuration format is a barrier for many OT teams. Existing Sysmon config projects (SwiftOnSecurity, sysmon-modular) target enterprise IT environments and do not address the specific needs of industrial control systems.
The project started with curated configurations and has grown to include a modular detection library, a coverage assessment toolchain, MITRE ATT&CK integration, LOLBAS detection, a provenance and validation framework, and a community contribution process.
This project is dual-licensed. The open-source license is Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) -- you may use, modify, and redistribute with attribution, provided derivative works are shared under the same or compatible license. Organizations that need to incorporate ICS Watch Dog content into proprietary products or services without the ShareAlike obligation may obtain a commercial license from Cutaway Security, LLC.
Sponsor
This project was developed and is supported by Cutaway Security, LLC, in collaboration with each contributor.