Why Sysmon Still Matters, Even With EDR

“Why run Sysmon when we already have EDR?”
It’s a fair question, and a common one.

If you’ve already got a mature EDR stack, running another logging agent might seem redundant. But Sysmon gives you something most EDRs don’t: raw, unfiltered visibility.

In this post, we'll break down why Sysmon is still critical even in modern detection environments, cover some considerations for log retention and cost, and share some tuning tips.


1: EDRs Focus on Detection, Not Full Visibility

EDR platforms are built for detection and response. That means aggressive filtering. You won’t always get a full trace of what happened, just what the vendor thinks is “interesting.”

Sysmon, by contrast, records what you tell it to, in detail.

Example:
Most EDRs won’t alert on lsass.exe access unless a known malicious tool is used. Sysmon Event ID 10 logs that access clearly.

Sysmon Event ID 10: ProcessAccess  
Source: winlogon.exe
Target: lsass.exe
GrantedAccess: 0x1410

Detection use case:

  • Credential dumping
  • Early-stage lateral movement
  • Suspicious parent-child relationships
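As an added example (not code from the original post), here is a small Python triage routine for the Event ID 10 use case above: it parses Sysmon ProcessAccess records exported as XML, decodes the GrantedAccess mask, and flags handles to lsass.exe that carry PROCESS_VM_READ from a source outside an allowlist. The allowlist, the sample records and the file paths in them are constructed for illustration and assumed, not taken from the post.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

# Assumed allowlist of processes expected to open lsass; tune per environment.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\winlogon.exe",
}

def parse_event(xml_text):
    """Return (EventID, EventData dict) from one Sysmon event exported as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def assess_lsass_access(xml_text):
    """Return a reason string if the event is a suspicious lsass access, else None."""
    event_id, d = parse_event(xml_text)
    if event_id != 10 or not d.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(d.get("GrantedAccess", "0x0"), 16)
    source = d.get("SourceImage", "").lower()
    if not access & PROCESS_VM_READ:
        return None  # query-only handle (e.g. 0x1000): memory cannot be read with it
    if source in EXPECTED_SOURCES:
        return None  # known-good reader; suppress rather than alert
    return f"{source} opened lsass.exe with GrantedAccess 0x{access:x} (VM_READ set)"

def _event(source, access):
    # Constructed Sysmon Event ID 10 record in the Event Viewer XML shape (not real telemetry).
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">C:\\Windows\\System32\\lsass.exe</Data>
    <Data Name="GrantedAccess">{access}</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\winlogon.exe", "0x1410"),       # the post's example
    _event(r"C:\Users\Public\updater.exe", "0x1fffff"),          # constructed: full access
    _event(r"C:\Program Files\Inventory\agent.exe", "0x1000"),   # constructed: query only
]
print([assess_lsass_access(ev) for ev in SAMPLE_EVENTS])
```

Only the constructed full-access handle from an unexpected path is flagged; the post's winlogon.exe example is suppressed by the allowlist and the query-only handle never qualifies.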

2: Long-Term Retention

This isn’t just an EDR problem; it’s also an event log problem, a syslog problem, an application log problem, and so on.

EDR logs typically roll off after 30–90 days unless you’re paying extra for long-term storage or shipping them off to a SIEM. If you’re investigating a dormant threat or trying to recreate an attacker’s path, that’s a problem.

The same goes for Sysmon. If you just leave the logs on the box and let them overwrite, you risk losing critical information.

However, Sysmon data pushed to a SIEM or data lake stays as long as you need it. If an alert fires a month later, you still have the breadcrumbs.


3: Cost

Sysmon itself is free — it’s part of Microsoft Sysinternals. But the real cost comes from how you use it:

| Component | Cost | Notes |
| --- | --- | --- |
| Sysmon Agent | Free | No licensing required. Lightweight binary. |
| Configuration Management | Free (manual) / Low | Can be managed manually or automated via GPO, Intune, or other configuration tools. |
| Log Ingestion | Variable | Depends on where you send the logs. Most cost comes from SIEM/storage. |
| SIEM (e.g., Sentinel, Splunk) | High if ingesting full events | Sysmon can generate a lot of data. Filter logs at source or parse before ingest. |
| Maintenance/Monitoring | Low to Medium | Requires periodic tuning to reduce noise and avoid duplicate alerts. |

Ways to control cost:

  • Tune your config: Don’t log everything. Log what matters (e.g., ProcessCreate, NetworkConnect, FileCreate for non-system dirs). We cover this a little bit more in depth in the next section.
  • Forward only high-value events.
  • Use a log collector that can filter before ingestion (e.g., NxLog, Winlogbeat).
  • In Sentinel: use the Basic/Auxiliary Log tier where possible, or stream only critical Sysmon events to full tables.
  • Archive older data in cheaper storage (Blob, S3) and selectively restore if needed.

4: Fully Customizable Logging

Sysmon’s configuration is yours to define. You can enable or suppress exactly what matters in your environment.

To save some time, look into community Sysmon configurations and find a good starting point for your use case.

Use cases:

  • Targeted logging for specific attack techniques
  • Parent-child process tracking
  • Encoded PowerShell
  • WMI abuse
  • Suspicious network connections
  • DLL loading from user-writable directories

Example rule: detect encoded PowerShell. This fragment belongs inside the <EventFiltering> element of the Sysmon config; Sysmon string matches are case-insensitive, so "contains -enc" also catches -EncodedCommand.

<RuleGroup name="EncodedPowerShell" groupRelation="and">
  <!-- groupRelation="and": both fields must match the same ProcessCreate event -->
  <ProcessCreate onmatch="include">
    <Image condition="end with">powershell.exe</Image>
    <CommandLine condition="contains">-enc</CommandLine>
  </ProcessCreate>
</RuleGroup>

5: Defense in Depth, Because Even The Best EDRs Can Be Bypassed

Attackers test and evade commercial EDRs all the time. They rarely go after Sysmon, especially if logs are forwarded off-host.

Sysmon is less of a target, and even if an attacker disables it, the attempt itself can be a detection opportunity, especially if you’ve set permissions correctly.


EDR vs. Sysmon – Summary

| Capability | EDR | Sysmon |
| --- | --- | --- |
| Primary Role | Detection & response | Logging & context |
| Coverage | Tuned/suppressed | Highly customizable |
| Evasion Risk | High-profile target | Less likely |

Final Thoughts

Sysmon isn’t a replacement for your EDR, it’s an augmentation.

If your job includes threat hunting, detection engineering, or incident response, you need reliable logs when an incident happens. Ideally your EDR captures everything, and some EDRs even build Sysmon in. But if yours does not, how are you going to track down the bad guy calling comsvcs.dll from rundll32 maliciously when your EDR didn’t catch it?

Sysmon is high-value and (should) work with whatever tooling you’re already using.

There are no silver bullets; layered telemetry wins every time.
