Edit Your Sysmon Config in Style

In this post I describe moving from Notepad++ to a more capable editing environment for Sysmon configuration files. Notepad++ is a fantastic tool, but I wanted something better suited to large configs and landed on a workflow I’m satisfied with.

Setup Instructions

1. Install Visual Studio Code

Download from https://code.visualstudio.com/download

2. Install Extensions

Two VS Code extensions are recommended:

  • Sysmon extension: Provides syntax highlighting and auto-complete specific to Sysmon configuration syntax
  • Bookmarks extension: Enables marking important sections within large config files for easy navigation

3. Install Git for Windows

Download from https://git-scm.com/download/win

During installation, configure VS Code as the default editor for Git commits.

4. Initialize Repository

Set up a private GitHub repository for version control of your Sysmon configurations.

5. Create and Commit Config

  • Create a new Sysmon config file in VS Code
  • Save it to your Git repository folder
  • Stage, commit, and push changes to GitHub through VS Code’s source control panel

6. Use Bookmarks for Navigation

Press Ctrl+Alt+K to toggle a bookmark at important sections (such as the ProcessCreate exclusions). Give bookmarks descriptive names so you can jump straight to the section you need when managing a large config.
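Once the config lives in Git, a quick sanity check before each commit catches the most common editing mistake (a tag left unclosed after a large edit) and summarises what each rule group does. The PowerShell below is an added example, not code from the original post or from the Sysmon project; the embedded config is constructed, and the schema version and exclusion path are assumptions.

```powershell
# Constructed minimal Sysmon config used as sample input (not from the post).
# schemaversion is assumed; use the value reported by "sysmon -s" for your binary.
$SampleConfig = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="ProcessCreate exclusions" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Get-SysmonRuleSummary {
    # Parses a Sysmon config and returns one object per event-filtering rule block.
    # Throws if the XML is malformed or the root element is not <Sysmon>.
    param([Parameter(Mandatory)][string]$Xml)

    # The [xml] cast fails on any well-formedness error (bad nesting, unclosed tag).
    $doc = [xml]$Xml
    if (-not $doc.Sysmon) {
        throw "Root element is not <Sysmon>; this is not a Sysmon config."
    }

    foreach ($group in $doc.Sysmon.EventFiltering.RuleGroup) {
        foreach ($rule in $group.ChildNodes) {
            # Each child of a RuleGroup is an event type (ProcessCreate, NetworkConnect, ...)
            [pscustomobject]@{
                RuleGroup = $group.name
                EventType = $rule.LocalName
                OnMatch   = $rule.onmatch          # "include" or "exclude"
                RuleCount = $rule.ChildNodes.Count  # filter entries under this event type
            }
        }
    }
}

# Run the check against the sample; a malformed config stops here with an error.
Get-SysmonRuleSummary -Xml $SampleConfig | Format-Table -AutoSize
```

Point the function at `Get-Content -Raw .\sysmonconfig.xml` instead of the sample to check the file you are about to commit.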

Credit to Carlos Perez for the Sysmon extension. Two high-quality Sysmon config repositories: