Today we are excited to announce the launch of the TrustedSec Sysmon Community Guide. This guide is intended to be a one-stop shop for all things Sysmon. Our goal for the project is to help empower defenders with the information they need to leverage this great tool and to help the infosec community spread the knowledge gained in working to detect attackers.

I set out to create the documentation for this helpful, powerful tool because it didn’t previously exist. To understand why I’m so passionate about Sysmon and creating a guide for the broader infosec community, I thought it might be helpful to understand the backstory of Sysmon.

In 2014, the Sysmon (System Monitor) tool was released as part of the Sysinternal Suite by Mark Russinovich from Microsoft and Thomas Garnier. The tool installs a service and driver that allows for system activity logging into the Windows event log.

One of the main reasons that this free tool from Microsoft has become one of the most popular tools used by defenders in Windows environments is because it allows defenders to create a series of filters to log and tag specific actions on a system. When combined with additional information that augments logs, the ability to correlate events is made easier.

There is currently no detailed documentation of Sysmon and only a handful of examples are included on the download page. It has been a community effort to examine new releases of the tool and share applications of new features, as well as understand the rules and filters as functionality changes. At TrustedSec, we see the value of Sysmon, recognizing the flexibility and benefits it can provide to our customers as part of a series of recommendations for improving security. Because of this, we have created a general guide to Sysmon to help the community with leveraging this tool.

Something that was critically important to us in creating the Sysmon Community Guide was that it remain open source and collaborative. We’ve released it on Github, where we can facilitate an open conversation about how to make improvements to the guide as necessary. As new versions of Sysmon are released, we’ll be able to update the guide and maintain accuracy, regardless of what changes are made to the actual tool. As with any tool on Github, users can contribute thoughts, ideas, and code within the repository, which can eventually make it into the tool itself.

Figure 1 – The guide on Github

Another initiative that our team took was to release the guide in multiple formats, such as EPUB, MOBI, and PDF, so that all kinds of users and teams have access to it, with the ability to fully leverage it no matter their preferred format.

Figure 2 – Formats the guide is available in

I hope that you’ll find value in the new TrustedSec Sysmon Community Guide and will take part in making it the best resource possible for all things Sysmon. Keep an eye out as we launch this guide and support it with other ongoing content.