Sysmon Configuration Files
ICS Watch Dog provides Sysmon configurations that progress from enterprise IT baseline through ICS/OT-specific monitoring. All configs are built from scratch and mapped to the SANS ICS 5 Critical Controls. Download from the ICS Watch Dog GitHub repository.
Choosing a Configuration
| Situation | Recommended Config |
|---|---|
| First time deploying Sysmon on workstations/desktops | IT Workstation Baseline |
| First time deploying Sysmon on servers | IT Server Baseline |
| Domain Controller | Server: AD / DC |
| Database server, web server, or both (any engine) | Server: Services |
| OT historian (PI, Ignition, AVEVA Historian) | Server: Services (covers database + web engines used by historians) |
| Legacy Windows in OT (Server 2008/2012, Win 7/10 LTSC) | IT Workstation or OT Baseline (both schema 4.50) |
| OT environment, ready for ICS-specific monitoring | OT Baseline |
| Established OT monitoring, want broader coverage | OT Enhanced |
| Jump host, bastion host, or kiosk system | Jump Host |
| Experienced team, role-specific tuning | OT Advanced |
| Only need file creation monitoring | Community: File Create Only |
| Learning Sysmon, want a well-known reference | Reference: SwiftOnSecurity |
Tuning required: All configurations are starting points. Administrators MUST tune these configs for their specific environments. Test in a non-production environment before deploying to production systems. See Getting Started for deployment guidance.
Curated Configurations
These configs are maintained by the ICS Watch Dog project. Start with the baseline that matches your system role (workstation or server), then progress to OT-specific configs as your monitoring program matures.
IT Workstation Baseline
Minimum Sysmon: v13+ (schema 4.50)
SANS Controls: #1 (Incident Response), #4 (Secure Remote Access), #5 (Vulnerability Management)
CIS Alignment: Complements CIS Windows 10/11 Enterprise Benchmark
Starting point for Windows workstations, desktops, and laptops. Excludes common desktop noise (shell, search, audio, UWP processes) while monitoring process creation, network connections, file creation, registry changes, and remote access tools per CISA/NSA guidance. This is an IT-focused configuration and does not include OT-specific rules.
Best for: Teams deploying Sysmon on workstations for the first time. Start here for endpoints.
IT Server Baseline
Minimum Sysmon: v13+ (schema 4.50)
SANS Controls: #1 (Incident Response), #4 (Secure Remote Access), #5 (Vulnerability Management)
CIS Alignment: Complements CIS Windows Server 2019/2022 Benchmark (L1 Member Server)
Starting point for Windows servers. Unlike the workstation baseline, desktop processes are NOT excluded (they are unexpected on servers and worth investigating). Excludes server-specific noise (WinRM, .NET compilation). Monitors scheduled task directories and has fewer DNS exclusions because server DNS activity is more significant. Adds LSA and security provider registry monitoring.
Best for: Teams deploying Sysmon on servers for the first time. For Domain Controllers, database servers, or web servers, see the role-specific configs below.
Server: Active Directory / Domain Controller
Minimum Sysmon: v13+ (schema 4.50)
SANS Controls: #1 (Incident Response), #4 (Secure Remote Access), #5 (Vulnerability Management)
CIS Alignment: Complements CIS Windows Server 2019/2022 Benchmark (L1 Domain Controller)
MITRE ATT&CK: T1003.003, T1003.006, T1207, T1484.001, T1087.002
Self-contained config for Domain Controllers. Includes all server baseline rules plus DC-specific additions:
- RawAccessRead ENABLED (disabled in all baselines) - detects NTDS.dit credential extraction via raw disk reads
- NTDS.dit and SYSVOL monitoring - file creation in AD database and Group Policy directories
- Credential extraction tool detection - named ProcessCreate rules for ntdsutil, vssadmin, esentutl, diskshadow, csvde, ldifde
- DC-specific LSASS tuning - excludes legitimate DC processes (dns.exe, dfsr.exe) that access LSASS constantly
- AD registry monitoring - NTDS, Netlogon, DNS, DFSR, Kerberos service configuration
- AD named pipe awareness - drsuapi, samr, netlogon pipes not excluded (attack targets)
Note: Many AD attacks (DCSync, Golden Ticket, Kerberoasting) require Windows Security Event Logs, not Sysmon. This config documents complementary audit requirements in its header.
Best for: Domain Controllers in IT or OT environments.
Server: Database + Web Server Services
Minimum Sysmon: v13+ (schema 4.50)
SANS Controls: #1 (Incident Response), #4 (Secure Remote Access), #5 (Vulnerability Management)
CIS Alignment: Complements CIS IIS Benchmark and CIS SQL Server Benchmark
MITRE ATT&CK: T1059, T1505.001, T1505.003, T1505.004, T1053.005, T1005, T1190
Self-contained config for servers running database engines, web servers, or both. Covers all common engines in a single file (rules for absent services have zero cost):
- Database engines: SQL Server, PostgreSQL, MySQL/MariaDB, Oracle, MongoDB, InfluxDB
- Web servers: IIS, Apache httpd, Nginx, Tomcat/Java, PHP
- ImageLoad ENABLED (disabled in baselines) - scoped to web worker processes for IIS module backdoor detection (T1505.004)
- Parent-child process detection - database or web process spawning cmd.exe/powershell.exe = compromise indicator
- Webshell file monitoring - .aspx, .asp, .php, .jsp, .war, web.config creation detection
- Database file monitoring - .bak, .mdf, .ldf, .dbf, .dmp, .sql creation and deletion
OT relevance: OT servers commonly colocate database and web services (Ignition = MySQL + Tomcat, AVEVA Historian = SQL Server + IIS). This config covers all combinations without modification.
Best for: Any server running database or web services, including OT historians and SCADA web dashboards.
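The following fragment is an added illustration of the parent-child, webshell and ImageLoad rules described above in Sysmon schema 4.50 syntax; it is not the Server: Services config itself. The engine image names and the `C:\Windows\` path check are assumptions to be tuned against the engines actually installed.

```xml
<Sysmon schemaversion="4.50">
  <!-- Added example in the style of the Server: Services config, not the project's file.
       Engine image names are assumptions; check them against the installed services. -->
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">

      <ProcessCreate onmatch="include">
        <!-- T1059 / T1505.001: a web worker or database engine launching a shell
             (xp_cmdshell, webshell command execution) is a compromise indicator -->
        <Rule name="Web worker spawned shell" groupRelation="and">
          <ParentImage condition="contains any">\w3wp.exe;\httpd.exe;\nginx.exe;\php-cgi.exe;\tomcat9.exe</ParentImage>
          <Image condition="contains any">\cmd.exe;\powershell.exe;\pwsh.exe;\wscript.exe;\cscript.exe</Image>
        </Rule>
        <Rule name="Database engine spawned shell" groupRelation="and">
          <ParentImage condition="contains any">\sqlservr.exe;\postgres.exe;\mysqld.exe;\oracle.exe;\mongod.exe</ParentImage>
          <Image condition="contains any">\cmd.exe;\powershell.exe;\pwsh.exe;\wscript.exe;\cscript.exe</Image>
        </Rule>
      </ProcessCreate>

      <FileCreate onmatch="include">
        <!-- T1505.003: webshell drop or IIS config tampering, keyed on extension so it fires in any web root.
             Sysmon has no "end with any", so one rule per extension. -->
        <TargetFilename name="Webshell: aspx" condition="end with">.aspx</TargetFilename>
        <TargetFilename name="Webshell: asp" condition="end with">.asp</TargetFilename>
        <TargetFilename name="Webshell: php" condition="end with">.php</TargetFilename>
        <TargetFilename name="Webshell: jsp" condition="end with">.jsp</TargetFilename>
        <TargetFilename name="Webshell: war" condition="end with">.war</TargetFilename>
        <TargetFilename name="IIS config change" condition="end with">\web.config</TargetFilename>
        <!-- T1005: database backups, data files and dumps appearing on disk -->
        <TargetFilename name="DB file" condition="end with">.bak</TargetFilename>
        <TargetFilename name="DB file" condition="end with">.mdf</TargetFilename>
        <TargetFilename name="DB file" condition="end with">.ldf</TargetFilename>
        <TargetFilename name="DB file" condition="end with">.dmp</TargetFilename>
      </FileCreate>

      <ImageLoad onmatch="include">
        <!-- T1505.004: a DLL loaded into the IIS worker from outside the Windows directory.
             Scoping to w3wp.exe keeps ImageLoad volume manageable; tune against the
             server's known native module list after baselining. -->
        <Rule name="Non-Windows DLL in IIS worker" groupRelation="and">
          <Image condition="end with">\w3wp.exe</Image>
          <ImageLoaded condition="not begin with">C:\Windows\</ImageLoaded>
        </Rule>
      </ImageLoad>

    </RuleGroup>
  </EventFiltering>
</Sysmon>
```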
OT Baseline
Minimum Sysmon: v13+ (schema 4.50)
SANS Controls: #1, #2 (Defensible Architecture), #3 (Network Visibility), #4, #5
CIS Alignment: Complements CIS Windows 10/11 Enterprise Benchmark (OT systems may require CIS adaptation for legacy OS)
Builds on the IT Workstation Baseline with OT-specific additions. Adds monitoring examples for major ICS/OT vendor software (Siemens, Rockwell, Schneider Electric, AVEVA/OSIsoft PI, Ignition, SEL), ICS-relevant file type monitoring, and adjusted exclusions for OT environments. Vendor-specific rules are examples that must be validated against your actual installations.
Best for: OT environments ready for ICS-specific endpoint monitoring.
Jump Host / Bastion Host
Minimum Sysmon: v15+ (schema 4.90)
SANS Controls: #1, #2, #3, #4 (PRIMARY FOCUS), #5
CIS Alignment: Complements CIS Windows Server 2019/2022 Benchmark (L2 recommended for jump hosts)
Comprehensive monitoring for jump hosts, bastion hosts, and kiosk systems used for OT remote access. These systems are the primary controlled entry point into OT networks and warrant the most thorough monitoring. Features include:
- Minimal process exclusions (jump hosts should have very predictable activity)
- ALL network connections logged (every connection through the chokepoint matters)
- Clipboard monitoring (Event ID 24) for detecting data transfer between networks
- New executable detection (Event ID 29, schema 4.90)
- AppLocker and RDP configuration change monitoring
- DLL image loading enabled (disabled in baselines)
- Recycle Bin and Group Policy monitoring
Best for: Jump hosts, bastion hosts, kiosk workstations providing controlled remote access to OT networks.
OT Enhanced
Minimum Sysmon: v13+ (schema 4.50)
SANS Controls: #1, #2, #3 (PRIMARY FOCUS), #4, #5
CIS Alignment: Complements CIS Windows 10/11 Enterprise Benchmark (OT systems may require CIS adaptation for legacy OS)
Builds on the OT Baseline with industrial protocol port monitoring. Logs which processes communicate on Modbus TCP (502), EtherNet/IP (44818), OPC-UA (4840), DNP3 (20000), S7comm (102), BACnet/IP (47808), IEC 60870-5-104 (2404), MQTT (1883/8883), Ignition Gateway (8088/8043), PI Data Archive (5450), GE SRTP (18245), and PROFINET ports. Also adds expanded vendor directory monitoring (GE, Honeywell, Emerson, ABB, Yokogawa), additional ICS file types (Rockwell .ACD/.L5K, Schneider .stu/.xef, SEL .rdb), and OPC/DCOM registry monitoring.
Note: Sysmon monitors which PROCESS connects to which PORT. It does NOT inspect protocol payloads. For protocol-level inspection, use dedicated ICS network monitoring tools.
Best for: Teams with established monitoring looking to increase visibility into OT network activity and vendor software changes.
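As an added example (not the OT Enhanced config file), this is what the port-based NetworkConnect monitoring described above looks like in Sysmon syntax, using only the port numbers listed on this page. Each resulting Event ID 3 carries the initiating Image and the port; the payload is never examined, so a legitimate historian and a scanning tool look identical except for the process that opened the socket.

```xml
<Sysmon schemaversion="4.50">
  <!-- Added example of port-based NetworkConnect rules in the style of OT Enhanced,
       not the project's own file. Rule names surface in the RuleName field of Event ID 3. -->
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!-- Rules on DestinationPort match both directions; the Initiated field in the
             event says whether this host opened the connection or accepted it. -->
        <DestinationPort name="ICS: Modbus TCP" condition="is">502</DestinationPort>
        <DestinationPort name="ICS: S7comm" condition="is">102</DestinationPort>
        <DestinationPort name="ICS: EtherNet/IP" condition="is">44818</DestinationPort>
        <DestinationPort name="ICS: OPC UA" condition="is">4840</DestinationPort>
        <DestinationPort name="ICS: DNP3" condition="is">20000</DestinationPort>
        <DestinationPort name="ICS: BACnet/IP" condition="is">47808</DestinationPort>
        <DestinationPort name="ICS: IEC 60870-5-104" condition="is">2404</DestinationPort>
        <DestinationPort name="ICS: MQTT" condition="is">1883</DestinationPort>
        <DestinationPort name="ICS: MQTT over TLS" condition="is">8883</DestinationPort>
        <DestinationPort name="ICS: Ignition Gateway HTTP" condition="is">8088</DestinationPort>
        <DestinationPort name="ICS: Ignition Gateway HTTPS" condition="is">8043</DestinationPort>
        <DestinationPort name="ICS: PI Data Archive" condition="is">5450</DestinationPort>
        <DestinationPort name="ICS: GE SRTP" condition="is">18245</DestinationPort>
        <!-- Keep the baselined talkers (gateway, historian interface) logged rather than
             excluding them: the detection is a NEW Image appearing on a known port,
             and TCP sessions to controllers are long-lived, so volume stays low. -->
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```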
OT Advanced
Minimum Sysmon: v15+ (schema 4.90)
SANS Controls: #1, #2, #3, #4, #5
CIS Alignment: Complements CIS Windows 10/11 Enterprise Benchmark (OT systems may require CIS adaptation for legacy OS)
Builds on the OT Enhanced config with Sysmon schema 4.90 features:
- Event ID 27 (FileBlockExecutable): Logs executable file creation in OT vendor directories and persistence locations
- Event ID 28 (FileBlockShredding): Logs file shredding attempts (evidence destruction, backup wiping)
- Event ID 29 (FileExecutableDetected): Detects any new PE executable written to disk regardless of file extension (catches renamed executables)
Includes role-specific tuning guidance for HMI stations, engineering workstations, historians, and OT domain controllers. Requires Sysmon v15+ (will not work on older versions). For legacy OS, use the OT Baseline or Enhanced configs.
Best for: Experienced teams with mature monitoring on systems running current Sysmon versions.
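An added example (not the OT Advanced config itself) of the three schema 4.90 file events in use; the directory paths are assumptions. One caveat a practitioner needs before deploying on an HMI: Event IDs 27 and 28 are blocking rules in Sysmon (on a match the executable is deleted or the overwrite is stopped, and then the event is logged), so a FileBlockExecutable rule that matches vendor install directories also blocks legitimate vendor updates; Event ID 29 only logs, which is why the vendor-directory coverage below is left to it.

```xml
<Sysmon schemaversion="4.90">
  <!-- Added example of the schema 4.90 file events, not the project's own file.
       Requires Sysmon v15+; older binaries reject this schema version entirely. -->
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">

      <!-- Event 29 (log only): any new PE written to disk, whatever its extension.
           An empty exclude block logs everything; add baselined vendor updaters
           (assumed path below) as exclusions once they are known. -->
      <FileExecutableDetected onmatch="exclude">
        <Image name="Baselined vendor updater (assumed path)" condition="is">C:\Program Files\ExampleVendor\Updater\updater.exe</Image>
      </FileExecutableDetected>

      <!-- Event 27 (BLOCKS and logs): scoped to persistence locations only, never to
           vendor install directories, because a match deletes the file. -->
      <FileBlockExecutable onmatch="include">
        <TargetFilename name="Block PE: Startup folder" condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename name="Block PE: Public profile" condition="begin with">C:\Users\Public\</TargetFilename>
      </FileBlockExecutable>

      <!-- Event 28 (BLOCKS and logs): SDelete-style overwrite of a file. An empty exclude
           block stops all shredding attempts; the IsExecutable field in the event says
           whether a program or a data file (backup, historian archive) was targeted. -->
      <FileBlockShredding onmatch="exclude">
      </FileBlockShredding>

    </RuleGroup>
  </EventFiltering>
</Sysmon>
```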
Community Configurations
Community-contributed configurations for specific use cases. These are not maintained or tested by Cutaway Security, LLC. Users must perform their own review and testing before deployment.
File Create Only
Author: Aaron Boyd (icsblitz)
Minimum Sysmon: v13+ (schema 4.50)
Monitors file creation events, tracking dangerous attachment types, scripts, executables, and other files of interest. Useful for environments where file creation monitoring is the immediate priority.
Reference Configurations
Third-party configs retained for learning and comparison. Not maintained by ICS Watch Dog. ICS Watch Dog curated configs are recommended for deployment.
SwiftOnSecurity Sysmon Config
Source Version: 74 (2021-07-08)
Source Project: SwiftOnSecurity/sysmon-config
The well-known SwiftOnSecurity configuration. Retained as a reference for comparison and learning. This is an IT-focused general-purpose configuration with extensive inline documentation.