Deploying Sysmon with Wazuh for Enhanced Endpoint Visibility
This guide outlines how to deploy Sysmon on a Windows endpoint and forward its events to Wazuh using a Wazuh-curated Sysmon XML configuration. Sysmon records process creation, image and driver loads, file creation, registry changes, named pipes and network connections, and the Wazuh manager turns those records into alerts, which gives you far more to detect on than the stock Windows Security log.
A few prerequisites:
Wazuh agent installed on the endpoint and reporting to the manager
Administrative access to the Windows endpoint (installing the Sysmon driver and restarting the agent both require it)
An elevated PowerShell session for downloading files and running the commands below
Step 1: Download Sysmon
👉 https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
The download is a zip containing Sysmon.exe (32-bit) and Sysmon64.exe. Extract it and place the files in C:\Sysmon; that is the path used for the rest of this guide.
Step 2: Download the Wazuh Sysmon Configuration
Wazuh publishes a Sysmon configuration file aimed at maximizing useful logging while reducing noise. Fetch it over HTTPS into the same folder (older hosts may need TLS 1.2 enabled for Invoke-WebRequest, see the script below), and read through it before deploying: it defines which events your endpoints will and will not report.
Invoke-WebRequest -Uri "https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml" -OutFile "C:\Sysmon\sysmonconfig.xml"
Step 3: Install Sysmon
Use the following commands to install Sysmon and apply the configuration (run them from an elevated PowerShell prompt):
cd C:\Sysmon
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
✅ If successful, the output confirms that the Sysmon64 service and the SysmonDrv driver were installed and started. If Sysmon is already installed on the host, do not run -i again; apply the new configuration with .\Sysmon64.exe -c sysmonconfig.xml instead, and use .\Sysmon64.exe -c with no file to print the configuration currently in force.
Step 4: Configure Wazuh Agent to Monitor Sysmon Logs
On the Windows endpoint, edit the ossec.conf file (typically C:\Program Files (x86)\ossec-agent\ossec.conf; the file is writable only by administrators).
Add this block inside the <ossec_config> section so the agent reads the Sysmon event channel:
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
Restart the Wazuh agent so it picks up the new localfile (the service's display name is Wazuh, its service name WazuhSvc):
Restart-Service -Name wazuh
Step 5: Validate Event Flow
In the Wazuh dashboard, open Threat Hunting (called Security events in older dashboard versions) and select the endpoint's agent.
Filter by rule.groups: sysmon, or by the channel with data.win.system.channel: "Microsoft-Windows-Sysmon/Operational".
You should start seeing events such as process creation (Event ID 1), driver loads (Event ID 6) and network connections (Event ID 3). Keep in mind that only events matching a rule at or above the manager's alert threshold (log_alert_level, 3 by default) are indexed, so a quiet dashboard does not always mean a broken pipeline. Check each hop: on the endpoint, Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -MaxEvents 5 shows Sysmon is writing, and C:\Program Files (x86)\ossec-agent\ossec.log should report that the agent is analyzing the Microsoft-Windows-Sysmon/Operational event log; on the manager, /var/ossec/bin/wazuh-logtest lets you paste a raw event and see which rule and level it hits.
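The five steps above as a single repeatable script. This is an added example, not code from the original guide or from Wazuh, and it makes a few assumptions beyond what the guide states: the direct download URL https://download.sysinternals.com/files/Sysmon.zip behind the Sysinternals page, the service name Sysmon64 that the 64-bit installer registers, and that the agent's ossec.conf may contain more than one <ossec_config> element (the block is inserted before the last closing tag). It also adds two checks the guide only implies: the downloaded binary must carry a valid Microsoft Authenticode signature, and the configuration must parse as a Sysmon XML document before it is applied.

```powershell
# Added example: end-to-end Sysmon + Wazuh agent setup on one Windows host.
# Run from an elevated PowerShell session. Paths match the guide above;
# the Sysmon zip URL and the Sysmon64 service name are assumptions.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
# Older hosts default to TLS 1.0 for Invoke-WebRequest; force TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$SysmonDir  = 'C:\Sysmon'
$SysmonZip  = Join-Path $SysmonDir 'Sysmon.zip'
$SysmonExe  = Join-Path $SysmonDir 'Sysmon64.exe'
$ConfigPath = Join-Path $SysmonDir 'sysmonconfig.xml'
$SysmonUrl  = 'https://download.sysinternals.com/files/Sysmon.zip'   # assumption
$ConfigUrl  = 'https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml'
$AgentDir   = 'C:\Program Files (x86)\ossec-agent'
$OssecConf  = Join-Path $AgentDir 'ossec.conf'

New-Item -ItemType Directory -Path $SysmonDir -Force | Out-Null

# Step 1: download and extract Sysmon, then verify the binary is Microsoft-signed.
Invoke-WebRequest -Uri $SysmonUrl -OutFile $SysmonZip
Expand-Archive -Path $SysmonZip -DestinationPath $SysmonDir -Force
$sig = Get-AuthenticodeSignature -FilePath $SysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Sysmon64.exe signature check failed: $($sig.Status)"
}

# Step 2: fetch the Wazuh-curated configuration and make sure it is a Sysmon config.
Invoke-WebRequest -Uri $ConfigUrl -OutFile $ConfigPath
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
if (-not $cfg.Sysmon.schemaversion) { throw 'Downloaded file is not a Sysmon configuration' }

# Step 3: fresh install with -i, or update the config of an existing install with -c.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $ConfigPath
} else {
    & $SysmonExe -accepteula -i $ConfigPath
}

# Step 4: add the Sysmon channel to ossec.conf once, then restart the agent.
$conf = Get-Content -Path $OssecConf -Raw
if ($conf -notmatch 'Microsoft-Windows-Sysmon/Operational') {
    $block = @"
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
    $idx  = $conf.LastIndexOf('</ossec_config>')
    $conf = $conf.Insert($idx, $block + "`r`n")
    # Write UTF-8 without a BOM so the agent's XML parser sees a clean file.
    [IO.File]::WriteAllText($OssecConf, $conf, [Text.UTF8Encoding]::new($false))
}
Restart-Service -Name wazuh

# Step 5: local validation before looking at the dashboard.
& $SysmonExe -c                                   # prints the active configuration
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, ProviderName -AutoSize
Select-String -Path (Join-Path $AgentDir 'ossec.log') -Pattern 'Microsoft-Windows-Sysmon/Operational' |
    Select-Object -Last 3
```

The ossec.conf edit is idempotent, so the script can be re-run on a host that was already set up; the Sysmon branch is what makes the difference between a first install and a configuration refresh. If the final Select-String prints nothing, the agent has not picked up the localfile yet, which is the first place to look before suspecting the manager.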
🎯 Next Steps
Tailor the Sysmon config further to fit your specific environment.
Create custom rules in Wazuh to alert on specific Sysmon event IDs.
Add MITRE ATT&CK technique IDs to your custom rules (the <mitre> block) so the dashboard's MITRE ATT&CK module reflects your detection coverage.
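A custom rule covering the last two items above, as an added example rather than a rule from the original guide or from Wazuh's rule set. It goes in /var/ossec/etc/rules/local_rules.xml on the manager (rule IDs 100000 and up are reserved for local rules), followed by a manager restart. It assumes the stock Sysmon rules tag their alerts with the group sysmon, as the filtering step above relies on; the fields win.system.eventID, win.eventdata.parentImage and win.eventdata.image are what the eventchannel decoder produces for a Sysmon Event ID 1.

```xml
<!-- Added example, not from the original guide. Fires when a Microsoft Office
     process launches a script interpreter (Sysmon Event ID 1), a common macro
     or phishing follow-on. Assumes the base Sysmon rules use group "sysmon". -->
<group name="local,sysmon,">
  <rule id="100100" level="10">
    <if_group>sysmon</if_group>
    <field name="win.system.eventID">^1$</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\(winword|excel|powerpnt|outlook)\.exe$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$</field>
    <description>Sysmon - Office application $(win.eventdata.parentImage) spawned $(win.eventdata.image)</description>
    <mitre>
      <id>T1059</id>
      <id>T1566</id>
    </mitre>
  </rule>
</group>
```

Before relying on it, paste a real Sysmon Event ID 1 from the endpoint into /var/ossec/bin/wazuh-logtest and confirm the output ends at rule 100100 with level 10; if it stops at a stock rule instead, the if_group assumption is wrong for your rule set and should be changed to that rule's group.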