Skip to main content

Microsoft Sysmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

Microsoft Windows Sysmon

This pack includes Cortex XSIAM content.

XDRC (XDR Collector)

To create or configure the Winlogbeat collector, use the information described here.

You can configure the vendor and product by replacing [vendor]_[product]_raw with microsoft_sysmon_raw.

When configuring the instance, you should use a YML file that configures the vendor and product, as shown in the below configuration for the Windows Sysmon service.

Copy and paste the following in the Winlogbeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).

Winlogbeat Configuration File

winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
    - add_fields:
        fields:
          vendor: microsoft
          product: sysmon

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedMarch 17, 2024
Last ReleaseJune 14, 2026
DISCLAIMER
By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.