---
title: Microsoft Sysmon
description: Gain insights into Windows system activity events.
breadcrumbs: Docs > Integrations > Microsoft Sysmon
---

# Microsoft Sysmon
**Integration version:** 1.2.0
## Overview{% #overview %}

[Microsoft Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) is a Windows system service and device driver that provides detailed logging of system activity, including process creation, network connections, file modifications, and registry changes.

This integration enriches and ingests the [Sysmon event logs](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events). Use the pre-built dashboard for a high-level view of Sysmon events, which helps security teams monitor system activity.

**Minimum Agent version:** 7.67.0

## Setup{% #setup %}

### Installation{% #installation %}

To install the Microsoft Sysmon integration, run the following Agent installation command, then follow the steps below. For more information, see the [Integration Management](https://docs.datadoghq.com/agent/guide/integration-management.md?tab=windowspowershell#install) documentation.

**Note**: This step is not necessary for Agent version >= 7.66.0.

Run `powershell.exe` as administrator and execute the following command:

```powershell
& "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" integration install datadog-microsoft_sysmon==1.0.0
```

### Configuration{% #configuration %}

#### Configure Log Collection{% #configure-log-collection %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `microsoft_sysmon.d/conf.yaml` file to start collecting your Microsoft Sysmon logs:

   ```yaml
   logs:
     - type: windows_event
       channel_path: "Microsoft-Windows-Sysmon/Operational"
       source: microsoft-sysmon
       service: microsoft-sysmon
       sourcecategory: windowsevent
   ```

   See the [sample microsoft_sysmon.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/microsoft_sysmon/datadog_checks/microsoft_sysmon/data/conf.yaml.example) for available configuration options.

1. [Restart the Agent](https://docs.datadoghq.com/agent/configuration/agent-commands.md#restart-the-agent).

#### Configure Sysmon{% #configure-sysmon %}

Follow these steps to install Sysmon:

1. Download the zip file from the [Sysmon download page](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) and extract its contents.

1. Create an XML file for configuring Sysmon. For example, to monitor processes launched from AppData folders, the configuration file looks like the following. You can add more event filters under the `EventFiltering` tag for other event types in the same way. Note that Sysmon conditions such as `contains` match a literal substring and do not expand wildcards, so the filter matches on the path fragment below the per-user profile directory.

   ```xml
   <Sysmon schemaversion="4.90">
       <HashAlgorithms>md5,sha256</HashAlgorithms>
       <CheckRevocation/>
       <EventFiltering>
         <!-- "contains" is a literal substring match; "*" is not a wildcard in Sysmon -->
         <ProcessCreate onmatch="include">
             <Image condition="contains">\AppData\Local\Temp\</Image>
             <Image condition="contains">\AppData\Roaming\</Image>
         </ProcessCreate>
       </EventFiltering>
   </Sysmon>
   ```

**Note:** Sysmon is highly configurable using the XML configuration file, which allows you to:

   - Control which events to monitor
   - Filter events based on processes, paths, etc.

Enabling too many Sysmon event types can lead to excessive data ingestion. Community resources such as [sysmon-modular](https://github.com/olafhartong/sysmon-modular/tree/master) and the [SwiftOnSecurity Sysmon config](https://github.com/SwiftOnSecurity/sysmon-config/tree/master) provide recommended configurations, including examples of event inclusions and exclusions. These are intended as a starting point, and you can refer to them when tuning your own configuration.

1. Run the following command as administrator from the extracted folder. The `-accepteula` switch accepts the Sysinternals license non-interactively so the install does not stop at the EULA prompt:

   ```powershell
   .\Sysmon -accepteula -i [<configfile>]
   ```

For more details, see the [Sysmon docs](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#configuration-files).
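Before pointing the Agent at the channel, it is worth confirming that Sysmon is actually writing the events you filtered for and getting a feel for the volume each event ID produces. The following script is an added example, not part of the Datadog or Sysinternals documentation; it assumes Sysmon is installed with a configuration like the one above and that it is run from an elevated PowerShell session.

```powershell
# Summarise the last hour of Sysmon events per Event ID (a rough ingestion estimate),
# then list ProcessCreate (ID 1) events whose Image sits under an AppData folder.
$Channel = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-1)

# Get-WinEvent throws when nothing matches, so suppress that and check the result instead.
$events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Sysmon events in '$Channel' since $Since. Check that Sysmon is installed and the filter includes something."
    return
}

# Volume per Event ID: too many entries here means the include filter is too broad.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'EventId'; Expression = { [int]$_.Name } }, Count |
    Format-Table -AutoSize

# Each Sysmon record carries its fields as <Data Name="..."> elements in EventData.
# Reading them by name is more robust than positional access on $_.Properties.
$events |
    Where-Object Id -eq 1 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data['Image']
            ParentImage = $data['ParentImage']
            User        = $data['User']
        }
    } |
    Where-Object { $_.Image -match '\\AppData\\(Local\\Temp|Roaming)\\' } |
    Format-Table -AutoSize
```

If the first table shows high counts for IDs you did not intend to collect, tighten the corresponding `onmatch` rules before enabling log collection in the Agent.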

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands.md#agent-status-and-information) and look for `microsoft_sysmon` under the Checks section.

## Data Collected{% #data-collected %}

### Logs{% #logs %}

The Microsoft Sysmon integration collects the following [Sysmon event logs](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events):

- Process activity logs
- Network activity logs
- File activity logs
- Registry activity logs
- WMI activity logs
- Sysmon service activity logs
- Named Pipe and Clipboard activity logs

### Metrics{% #metrics %}

The Microsoft Sysmon integration does not include any metrics.

### Events{% #events %}

The Microsoft Sysmon integration does not include any events.

### Service Checks{% #service-checks %}

The Microsoft Sysmon integration does not include any service checks.

## Support{% #support %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
