Table of Contents

Introduction

In a world where endpoint visibility is critical, Sysmon (System Monitor) has become a go-to tool for Windows system monitoring and forensic analysis. However, deploying Sysmon at scale, particularly in enterprise environments, poses logistical challenges.

This article walks you through deploying Sysmon using Microsoft Intune, leveraging Win32 app packaging. Ideal for IT administrators and security analysts, this approach ensures consistent deployment, configuration, and updates.

What Is Sysmon?

Sysmon is a powerful utility from Microsoft Sysinternals that runs as a Windows service and logs system activity to the Windows Event Log. Key telemetry includes:

Process creation
Network connections
Image loading
Registry key changes
File creation time changes

These logs are invaluable for threat detection and response, especially when parsed via SIEM platforms.

Sysmon writes logs to:

Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

Deployment Prerequisites

Before diving into Intune deployment, ensure:

Microsoft Intune tenant is fully configured.
Devices are Windows 10/11 Pro or Enterprise, enrolled in Intune.
You have access to create and assign Win32 apps.
Download Sysmon and a valid XML configuration file (like SwiftOnSecurity’s Sysmon config).

Step 1: Prepare Sysmon Package

Download Files
- Sysmon64.exe or Sysmon.exe
- Your sysmon-config.xml
Create Installation Script
Save this as install.cmd
```
Sysmon64.exe -accepteula -i sysmon-config.xml
```
Create Uninstall Script
Save this as uninstall.cmd
```
Sysmon64.exe -u
```

Folder Structure for Packaging

C:\SysmonDeployment\ 
├── Sysmon64.exe 
├── sysmon-config.xml 
├── install.cmd 
├── uninstall.cmd

Package the App Using Microsoft Win32 Content Prep Tool
Download and run IntuneWinAppUtil to convert the folder into .intunewin the format:
```
IntuneWinAppUtil.exe -c "C:\SysmonDeployment" -s install.cmd -o "C:\SysmonWin32"
```

Step 2: Upload to Intune

Sign in to Microsoft Intune Admin Center.
Go to Apps > Windows > Add.
Select App type: Windows app (Win32).
Upload the .intunewin package.

Step 3: App Information

Provide the following:

Name: Sysmon
Description: Deploys and configures Sysmon64 with XML settings for endpoint monitoring.
Publisher: Microsoft Sysinternals
Category: Security

Step 4: Program Settings

Install Command:
```
install.cmd
```
Uninstall Command:
```
uninstall.cmd
```
Install Behavior: System
Device Restart Behavior: No specific action

Step 6: Requirements

Operating System Architecture: 64-bit
Minimum OS: Windows 10 1903

Step 5: Detection Rules

Choose Manually configure detection rules and configure:

Rule Type: File
Path: C:\Windows
File or Folder: Sysmon64.exe
Detection Method: File exists

Step 7: Assignments

Assign the app to a device group:

Choose Required to enforce installation.
Select your target device group.

Step 8: Monitor Deployment

Once deployed:

Confirm install status under Intune > Apps > Monitor > Device Install Status.
On a target device, open Event Viewer to verify Sysmon is generating logs.

Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

What Happens Behind the Scenes?

Upon installation:

C:\Windows\Sysmon64.exe: Binary responsible for telemetry gathering.
C:\Windows\SysmonDrv.sys: Kernel-mode driver registers callbacks via ETW and minifilter framework.

Sysmon’s service loads at boot and monitors activity, offering deep observability into runtime behavior—critical for threat hunting.

Best Practices

Regularly update your XML config.
Use filters to reduce event noise.
Integrate with SIEM tools like Sentinel, Splunk, or Log Analytics.
Periodically validate Event IDs like 1 (process creation), 3 (network), and 7 (image load).

Conclusion

By using Intune and Win32 app packaging, deploying Sysmon becomes scalable, secure, and manageable. It provides a robust layer of telemetry for proactive detection and response.

If you’re serious about security, this is a foundational step toward modern endpoint protection.