
What is Sysmon?

Sysmon is a monitoring and logging agent that is part of the Microsoft Sysinternals suite of tools. It is designed to identify malicious or anomalous activity and help IT understand how intruders and malware operate on a company’s network.

Sysmon Architecture

Sysmon consists of a Windows system service and a device driver. Combined, they monitor system activity. Whenever Sysmon observes some activity that matches one of the rules of its configuration XML file it writes an event to the Windows event log. The events generated by Sysmon are typically picked up by a log collecting tool and forwarded to a SIEM such as Splunk. Event forwarding and analysis are not handled by Sysmon but require additional software.

uberAgent ESA as Sysmon Alternative

The following sections compare Sysmon with uberAgent ESA, highlighting the pros and cons of both products.

Non-Technical Aspects

Sysmon

Sysmon is available free of charge. However, this also means that there is no technical support available. The Sysinternals Licensing FAQ states: “All Sysinternals tools are offered ‘as is’ with no official Microsoft support.”

Without a vendor support channel, there is no way to influence the roadmap or request new features.

uberAgent ESA

uberAgent ESA is a fully supported commercial product (but much less expensive than most other security analytics products).

Customer feedback is very welcome and influences development. In fact, some of uberAgent’s best features originated in customer suggestions.

Technical Overview: Agent

Sysmon

Sysmon is configured through an XML file.

The resulting events are written to the Windows event log from where they need to be picked up and forwarded by another tool or agent.

uberAgent ESA

uberAgent ESA is configured either through a configuration file or through Active Directory Group Policy. The configuration file’s syntax is easy and intuitive. Configuration errors are clearly marked as such in the agent’s log file.

Resulting events are transmitted directly to the backend(s) without the need for additional log collection or forwarding software.

uberAgent ESA’s activity monitoring engine comes with its own query language, uAQL. It borrows from SQL and popular scripting languages to provide a powerful yet easy-to-read query syntax for describing suspicious system activity.

uberAgent ESA is based on the user experience monitoring product uberAgent UXM: rich application, inventory, and performance data are available for context.

uberAgent ESA and UXM share a single agent. Consequently, uberAgent’s footprint on the endpoint is small: only minimal CPU and RAM resources are needed, and no third-party agents are required.

uberAgent’s endpoint agent maintains a detailed human-readable log file for easy troubleshooting.

Technical Overview: Ruleset

Sysmon

Sysmon does not ship with monitoring rules; it needs to be configured from scratch by the customer.

Many rules are available on the internet. The rulesets published by SwiftOnSecurity and Olaf Hartong seem to be the most popular.
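To make the architecture description above and the “configured from scratch” point concrete, here is a constructed minimal Sysmon configuration (an added example, not taken from this page, from Sysinternals or from a published ruleset). The rule-group names are arbitrary, and the `schemaversion` value is an assumption that must match the installed Sysmon binary.

```xml
<!-- Constructed minimal Sysmon configuration (added example, not from the page).
     schemaversion is an assumption: it must match the installed Sysmon release. -->
<Sysmon schemaversion="4.81">
  <!-- Hash algorithm recorded for every image in process-creation events -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (ProcessCreate): onmatch="include" means only events that
         match a condition below are written; everything else is dropped. -->
    <RuleGroup name="OfficeChildProcesses" groupRelation="or">
      <ProcessCreate onmatch="include">
        <ParentImage condition="end with">winword.exe</ParentImage>
        <ParentImage condition="end with">excel.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (NetworkConnect): onmatch="exclude" inverts the logic,
         every connection is logged except those matching a condition. -->
    <RuleGroup name="NetworkNoise" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">chrome.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Events produced by matching rules appear under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational in the Windows event log, which is the point at which a separate collector or forwarder must take over.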

uberAgent ESA

uberAgent ESA ships with a comprehensive set of rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project.

Converters for Sigma signatures and Sysmon rules to uberAgent ESA rules are part of the product.

More Information on uberAgent ESA

For more detailed information on the capabilities of uberAgent Endpoint Security Analytics (ESA), please consult the uberAgent ESA documentation.