Getting Started with Sysmon in ICS/OT
This guide covers what Sysmon is, why it matters for ICS/OT environments, and how to deploy it.
What is Sysmon?
Microsoft Sysinternals Sysmon (System Monitor) is a Windows system service and device driver that logs detailed system activity to the Windows Event Log. Once installed with a configuration file, Sysmon monitors and logs events such as:
- Process creation and termination -- what programs run on the system
- Network connections -- what the system talks to and on which ports
- File creation -- what files are written to disk
- Registry modifications -- changes to system configuration
- Driver and DLL loading -- what code loads into processes
- DNS queries -- what domains the system resolves
Sysmon runs as a background service and survives reboots. It does not require a SIEM or centralized logging to be useful -- the events are viewable directly in Windows Event Viewer.
Why Sysmon for ICS/OT?
Many ICS/OT environments have limited visibility into what happens on Windows-based systems such as HMIs, engineering workstations, historians, and domain controllers. Common challenges include:
- No centralized logging -- Many OT networks lack a SIEM or log aggregation platform
- Legacy operating systems -- Older Windows versions are common and may not support modern EDR tools
- Change-averse environments -- OT teams are cautious about installing new software on production systems
- Limited security staff -- Windows administrators may not have security monitoring experience
Sysmon addresses these challenges because:
- It is a lightweight, signed Microsoft tool (no third-party agent)
- It works on older Windows versions (Windows 7, Server 2008 R2 and later)
- It requires no network infrastructure to provide value (logs are local)
- A well-tuned configuration file controls exactly what is logged, minimizing noise and performance impact
How to Deploy Sysmon
1. Download Sysmon
Download Sysmon from Microsoft: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Extract the archive to a location on the target system (e.g., C:\Tools\Sysmon\).
2. Choose a Configuration File
Visit the Configuration Files page and select the config that matches your environment. For first-time deployments, start with the IT Workstation Baseline for desktops/laptops or the IT Server Baseline for servers.
Download the XML configuration file to the same directory as Sysmon (e.g., C:\Tools\Sysmon\sysmonconfig-baseline-it-workstation.xml).
3. Install Sysmon
Open an elevated (Administrator) command prompt and run:
sysmon.exe -accepteula -i sysmonconfig-baseline-it-workstation.xml
Replace sysmonconfig-baseline-it-workstation.xml with the name of your chosen configuration file.
4. Verify Installation
Open Windows Event Viewer and navigate to:
Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
You should see events appearing. If the log is empty, wait a few minutes for activity to generate events.
You can also verify that the Sysmon service is running (the service name matches the name of the Sysmon executable that performed the install, Sysmon or Sysmon64):
sc query Sysmon64
5. Update a Configuration
To change the configuration on a system where Sysmon is already installed:
sysmon.exe -c sysmonconfig-new.xml
6. Uninstall Sysmon
If you need to remove Sysmon:
sysmon.exe -u
Centralized Log Collection (Optional)
While Sysmon works without centralized logging, forwarding events to a central location improves visibility across multiple systems. Options include:
- Windows Event Forwarding (WEF) -- Built into Windows, no additional software needed. See Microsoft WEF documentation.
- Syslog forwarding -- Third-party tools can forward Windows events to a syslog collector
- SIEM integration -- Most SIEMs can ingest Sysmon events via agents or WEF
To allow the Network Service account (which WEF uses) to read the Sysmon log for forwarding, run from an elevated command prompt:
wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
Performance and Latency
A common concern in ICS/OT environments is whether Sysmon will impact system performance or introduce network latency. Key points:
- Sysmon does not introduce network latency -- It logs events locally; it does not intercept or delay network traffic
- CPU/memory impact is minimal -- Sysmon is designed to be lightweight, and baseline configs are conservative by design
- OT systems typically generate fewer events -- OT workstations and HMIs run fewer applications than IT systems, resulting in less Sysmon activity
- High-volume events are disabled by default -- ImageLoad (Event ID 7) and RawAccessRead (Event ID 9) are disabled in baseline configs due to volume
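As an added example (not from this guide or the Sysmon project), the Python script below reads a constructed Sysmon configuration and reports, using Sysmon's onmatch semantics, which event types will log everything, only matches, or nothing. It shows how an empty include block is what disables ImageLoad and RawAccessRead in a conservative baseline, and the sample config, event-type table and verdict strings are all assumptions made for the illustration.

```python
"""Audit a Sysmon config: report what each event type will log (illustrative example)."""
import xml.etree.ElementTree as ET

# Selected Sysmon filter names and the Event IDs they produce.
EVENT_IDS = {"ProcessCreate": 1, "NetworkConnect": 3, "ImageLoad": 7,
             "RawAccessRead": 9, "FileCreate": 11, "DnsQuery": 22}

# Constructed sample config in the style of a conservative baseline.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">502</DestinationPort>
    </NetworkConnect>
    <ImageLoad onmatch="include"/>
    <RawAccessRead onmatch="include"/>
    <FileCreate onmatch="exclude"/>
  </EventFiltering>
</Sysmon>"""


def audit_config(xml_text):
    """Return {filter name: verdict} for every event type in EVENT_IDS.

    Sysmon semantics: onmatch="include" logs only events matching a rule, so an
    empty include block logs nothing; onmatch="exclude" logs everything except
    matches, so an empty exclude block logs everything. Filters may sit inside
    <RuleGroup> wrappers, so the whole EventFiltering subtree is walked.
    """
    filtering = ET.fromstring(xml_text).find("EventFiltering")
    verdicts = {name: "not specified (Sysmon default applies)" for name in EVENT_IDS}
    for elem in filtering.iter():
        if elem.tag not in EVENT_IDS:
            continue  # rule entries such as <Image> or <DestinationPort>
        mode = elem.get("onmatch", "").lower()
        rules = len(list(elem))  # direct child rule entries under this filter
        if mode == "include":
            verdicts[elem.tag] = "logs nothing" if rules == 0 else f"logs only matches ({rules} rule entries)"
        elif mode == "exclude":
            verdicts[elem.tag] = "logs everything" if rules == 0 else f"logs everything except {rules} exclusions"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_config(SAMPLE_CONFIG).items():
        print(f"Event ID {EVENT_IDS[name]:>2} {name:<14} {verdict}")
```

Port 502 in the sample is Modbus/TCP, so the NetworkConnect filter illustrates an OT-specific include rule; the Sysmon default for event types absent from the config is not resolved here, only reported.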
For detailed guidance on phased deployment, system criticality decisions, and tuning, see the Deployment Considerations page.
Next steps: Browse the Configuration Files to find the right config for your environment. Read the Deployment Considerations guide before deploying to production OT systems. As your team gains experience, advance to more comprehensive configurations.