Related Projects
ICS Watch Dog stands on the shoulders of several excellent projects in the Sysmon and ATT&CK community. This page acknowledges them and explains when each is appropriate alongside or instead of ICS Watch Dog.
Microsoft Sysinternals Sysmon
Sysmon is the Windows system service and device driver that everything else in this ecosystem depends on. Without Sysmon, none of this works. Mark Russinovich and Thomas Garnier deserve credit for building and maintaining it.
ICS Watch Dog provides Sysmon configuration files. Sysmon itself must be downloaded separately from Microsoft.
SwiftOnSecurity sysmon-config
SwiftOnSecurity/sysmon-config is the most widely deployed Sysmon configuration in the world. It is the foundational reference that introduced many of the patterns ICS Watch Dog uses. The current version (v74) targets enterprise IT environments and was last updated on 2021-07-08.
ICS Watch Dog ships an unmodified copy of v74 in sysmon-configs/reference/ for learning and comparison. ICS Watch Dog's curated configs are built independently and add ICS/OT-specific monitoring that SwiftOnSecurity does not address.
When to Use SwiftOnSecurity
- You want a battle-tested baseline for IT enterprise environments
- You want a single config file that has been validated by thousands of deployments
- You are not deploying in ICS/OT environments and don't need OT-specific rules
When to Use ICS Watch Dog Instead
- You are deploying in ICS/OT environments (OT baseline, enhanced, advanced configs)
- You need role-specific configs (DC, database/web servers, jump host)
- You want ATT&CK technique tagging in rule names for SIEM correlation
- You want SANS ICS 5 Critical Controls mapping
- You need ransomware indicator detection bundled in
olafhartong/sysmon-modular
olafhartong/sysmon-modular by Olaf Hartong is the inspiration for ICS Watch Dog's module library architecture and the structured ATT&CK rule tagging convention. sysmon-modular targets enterprise IT environments and provides a much larger module catalog (200+ modules) than ICS Watch Dog, plus a sophisticated PowerShell merge framework.
When to Use sysmon-modular
- You want the broadest enterprise IT module catalog available
- You are running Sysmon v15+ and don't need legacy Windows compatibility
- You are deploying in enterprise IT environments (Windows 10/11, Server 2019+)
- You want pre-generated configs (default, research, MDE-augment, excludes-only variants)
When to Use ICS Watch Dog Instead
- You are deploying in ICS/OT environments and need OT-specific rules
- You need legacy Windows compatibility (Server 2012, Windows 7, LTSC versions)
- You want OT vendor modules (Siemens, Rockwell, Schneider, AVEVA, Ignition)
- You want sector-specific modules (electric, water, oil/gas, manufacturing)
- You want a smaller, opinionated curated config set rather than a large modular catalog
Compatibility
ICS Watch Dog's ATT&CK tagging convention is a strict superset of sysmon-modular's format. SIEM parsers written for sysmon-modular work on ICS Watch Dog tags with one minor change (rename the technique_name field to technique). Teams running both projects can normalize on either format. See the ATT&CK Rule Tagging page for details.
MITRE ATT&CK
MITRE ATT&CK is the canonical source for adversary technique IDs and names. ICS Watch Dog tags every detection rule with the ATT&CK technique it is designed to detect, using both the Enterprise matrix (T1xxx) for IT/host techniques and the ICS matrix (T0xxx) for industrial protocol and OT-specific techniques.
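The field rename described under Compatibility and the T1xxx/T0xxx split described above, as an added example that is not part of either project's code: a small SIEM-side normalizer that parses the key=value RuleName tags both projects emit, maps sysmon-modular's technique_name to technique, and classifies the technique ID by matrix. The sample RuleName strings are constructed for illustration; any additional keys ICS Watch Dog adds are passed through unchanged.

```python
import re
from typing import Dict, Optional

# sysmon-modular tags the Sysmon RuleName field as, for example:
#   "technique_id=T1059.001,technique_name=PowerShell"
# ICS Watch Dog uses the same key=value layout with "technique" in place of
# "technique_name" (as stated on the Compatibility section of this page).
# Enterprise IDs are T1xxx (optionally with a .xxx sub-technique);
# ICS matrix IDs are T0xxx.
TECHNIQUE_ID = re.compile(r"^T[01]\d{3}(\.\d{3})?$")


def parse_rule_name(rule_name: str) -> Dict[str, str]:
    """Parse a comma-separated key=value RuleName into a dict.

    The sysmon-modular key 'technique_name' is renamed to 'technique' so a
    single correlation rule sees one field name for events from either
    project. Rule names without key=value pairs (e.g. "-") yield {}.
    """
    tags: Dict[str, str] = {}
    for part in rule_name.split(","):
        if "=" not in part:
            continue  # free-text or untagged rule name, nothing to extract
        key, value = part.split("=", 1)
        key = key.strip()
        if key == "technique_name":
            key = "technique"
        tags[key] = value.strip()
    return tags


def attack_matrix(technique_id: str) -> Optional[str]:
    """Return 'enterprise' for T1xxx, 'ics' for T0xxx, None if malformed."""
    if not TECHNIQUE_ID.match(technique_id):
        return None
    return "ics" if technique_id.startswith("T0") else "enterprise"


if __name__ == "__main__":
    # Constructed sample RuleName values, one per tagging convention.
    for name in ("technique_id=T1059.001,technique_name=PowerShell",
                 "technique_id=T0886,technique=Remote Services"):
        tags = parse_rule_name(name)
        print(tags, attack_matrix(tags.get("technique_id", "")))
```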
SANS ICS 5 Critical Controls
The SANS Five ICS Cybersecurity Critical Controls by Robert M. Lee provides the strategic framework that ICS Watch Dog configs are organized around. Every curated config maps to one or more of the five controls. See the SANS ICS 5 Controls page for details.
LOLRMM
LOLRMM (Living Off the Land Remote Monitoring and Management) is a community-maintained catalog of remote access and RMM tools commonly abused by threat actors. ICS Watch Dog's remote-access module library draws on the LOLRMM catalog for tool identification and detection patterns. CISA's AA23-025A advisory makes the case for monitoring all RMM tools by default.
Adversary Emulation Tools
For deeper validation of Sysmon detection coverage beyond the ICS Watch Dog efficacy test script, consider:
- Atomic Red Team by Red Canary -- 1,000+ ATT&CK-mapped tests for blue team validation
- MITRE Caldera -- adversary emulation platform for full attack chain testing
- SCYTHE -- commercial adversary emulation platform
- SysmonSimulator by Securonix -- C-based tool that exercises 25+ Sysmon event types
These tools generate richer adversary behavior than the ICS Watch Dog efficacy script, but require more setup and care when deploying in OT environments.