Again it is fairly simple to create an alert on an occurrence like this. Whenever the State is not Started, alert.

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=4 State!=Started
| table _time Computer State

You should also be monitoring the Windows System Event Log for EventID 7034 and 7036 for Sysmon state changes, if you are auditing and ingesting these logs.

No more logging received

This is either because the host is down, or because something else is going on. The easiest first step is to check whether there is no logging at all coming from the machine; it could be that there is no Sysmon-generated data simply because the machine is fairly idle. This obviously also depends on your configuration, but you should be creating some baselines and grouping these servers in several alerting classes.

However, tools like Invoke-Phant0m may cause a machine to be online but not logging, without generating an event. It does this by killing the threads but not the service, and it is the service that is monitored. At that point you can rely on your network and Active Directory logging to still spot activity from this machine. If there is activity but you are not getting any logs, alert and investigate.
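The triage described above, written out as a small Python sketch. This is an added example, not code from the original post; the source names, alerting classes, thresholds and sample events are all constructed assumptions, and in practice the last-seen times would come from your SIEM.

```python
from datetime import datetime, timedelta

# Assumed alerting classes: longest Sysmon silence tolerated per class.
MAX_SILENCE = {"busy": timedelta(minutes=15), "idle": timedelta(hours=12)}
HOST_SOURCES = ("sysmon", "winevent")   # logs shipped by the host itself
EXTERNAL_SOURCES = ("ad", "network")    # activity recorded by other systems

def last_seen(events):
    """Map host -> source -> newest timestamp."""
    seen = {}
    for ts, host, source in events:
        per_host = seen.setdefault(host, {})
        per_host[source] = max(ts, per_host.get(source, ts))
    return seen

def newest(per_host, sources):
    times = [per_host[s] for s in sources if s in per_host]
    return max(times) if times else None

def assess(host, host_class, seen, now):
    """Classify one host by what is still arriving from it and about it."""
    per_host = seen.get(host, {})
    cutoff = now - MAX_SILENCE[host_class]
    sysmon = per_host.get("sysmon")
    if sysmon is not None and sysmon >= cutoff:
        return "ok"
    own = newest(per_host, HOST_SOURCES)
    if own is not None and own >= cutoff:
        return "sysmon_quiet"            # other host logs arrive: idle, or a Sysmon problem
    external = newest(per_host, EXTERNAL_SOURCES)
    if external is not None and external >= cutoff:
        return "active_but_not_logging"  # alert and investigate
    return "host_silent"                 # nothing from or about the host: probably down

# Constructed sample data: (timestamp, host, source)
NOW = datetime(2024, 1, 1, 12, 0)
def ago(**kw):
    return NOW - timedelta(**kw)
EVENTS = [
    (ago(minutes=5), "WS01", "sysmon"),
    (ago(hours=3), "SRV02", "sysmon"), (ago(minutes=2), "SRV02", "winevent"),
    (ago(hours=2), "SRV03", "sysmon"), (ago(hours=2), "SRV03", "winevent"),
    (ago(minutes=4), "SRV03", "ad"),
    (ago(days=1), "SRV04", "sysmon"), (ago(days=1), "SRV04", "network"),
    (ago(hours=3), "FILE05", "sysmon"),
]
CLASSES = {"WS01": "busy", "SRV02": "busy", "SRV03": "busy", "SRV04": "busy", "FILE05": "idle"}
if __name__ == "__main__":
    for host, cls in CLASSES.items():
        print(host, assess(host, cls, last_seen(EVENTS), NOW))
```

Only the "active_but_not_logging" verdict corresponds to the online-but-silent case; "sysmon_quiet" is where the per-class baseline decides whether an idle machine is expected.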

Accessing the configuration through the registry

Sysmon rules and configuration settings are saved in the registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sysmon\

and

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\

You can monitor access in two events:

EventID 1 where the registry path is in the command line, so for instance

reg query HKLM\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters >> sysmon.dump