Download
sysmon-modular is a community-driven repository that provides a modular, production-ready set of Sysmon configuration modules designed to be easily composed and tuned for different environments. The project organizes detection logic into per-event modules (for example, process creation, file create, network connection, registry events, image load, and many more) so operators can pick and choose which rules to enable without editing a monolithic XML by hand. It includes pre-generated configuration variants (balanced, default with FileDelete, verbose, super-verbose, and a Microsoft Defender for Endpoint augmentation) to cover common use cases while warning about the performance tradeoffs of very verbose settings. The repo ships helper tooling (PowerShell and Python scripts) to merge selected modules into a final sysmonconfig.xml, automating CI builds and allowing repeatable config generation.
Features
- Per-environment presets (dev, prod, SOC-lite, MDE-augment) to quickly apply safe defaults
- Interactive generator UI (CLI or web) that previews merged XML and estimated log volume
- Automated benchmark estimator that predicts CPU and storage impact for a selected module set
- Policy-aware module templates that map rules to MITRE ATT&CK tactics and detection confidence
- Versioned module change log with suggested tuning notes and rollback capability
- Integration plugins for major SIEMs (Elastic, Splunk, Azure Sentinel) that include ingest parsers and dashboards
Project Samples
