Community Contributions

How to Contribute

Option 1: Pull Request

Fork the ICS Watch Dog repository, add your contribution, and submit a pull request. Community Sysmon configs should be placed in the sysmon-configs/community/ directory.

Option 2: GitHub Issue

Open a GitHub issue with the "feature enhancement" label. Describe your proposed config or improvement. The project team will review and may implement it or work with you to integrate it.

What to Include

When contributing a Sysmon configuration, please include:

• XML header with version, author name/handle, license, and a description of what the config monitors
• Descriptive rule names using the Sysmon name attribute on each rule for log traceability
• Comments explaining the purpose of each rule group and any non-obvious rules
• Schema version and minimum Sysmon version required
• Testing notes describing what environment the config was tested in (if any)

Naming Convention

Community config files should follow the naming pattern:

sysmonconfig-[description].xml

Examples:

• sysmonconfig-filecreate-only.xml
• sysmonconfig-dns-focused.xml
• sysmonconfig-historian-server.xml

Use lowercase with hyphens. No spaces or underscores in filenames.

Review Process

All contributions are reviewed for:

• Well-formed XML - The config must pass XML validation
• Descriptive comments - Rules should be documented so others can understand them
• No sensitive data - No internal hostnames, IP addresses, or credentials
• Attribution - Author information must be included in the XML header

Community configs are accepted as-is after basic review. They are not modified by the project team beyond formatting adjustments.