Microsoft actually does something useful, adds Sysmon to Windows

theregister.co.uk

There is good news for administrators: Microsoft has delivered on its promise to build Sysmon functionality into Windows.
The functionality arrived in the Dev and Beta Windows Insider channels this week in builds 26300.7733 and 26220.7752, respectively. It allows administrators to capture system events via custom configuration files, filter for specific events, and write them to the standard Windows event log for pickup by third-party applications, including security tools.
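The pickup side of what the article describes, as an added example that is not from the article or from Microsoft: a PowerShell script that reads Sysmon process-creation events (Event ID 1) out of the Windows event log, parses the named fields from the event XML, and applies a simple triage filter, the way a SIEM forwarder or a local investigator would consume them. It assumes (the article does not say) that the built-in Sysmon writes to the same channel and uses the same event IDs and field names as the Sysinternals tool; the log name, the lookback window and the path pattern are constructed for the example.

```powershell
# Added example (not from the article): collect Sysmon process-creation events
# from the event log and summarise them for detection or forensic triage.
# Assumptions (not stated in the article): the Windows-native Sysmon writes to
# 'Microsoft-Windows-Sysmon/Operational' and uses the Sysinternals event IDs
# and field names. Adjust $LogName if the built-in version differs.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonProcessCreate {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddHours(-1)   # constructed lookback window
    )
    # FilterHashtable pushes the filter into the event log service, which is far
    # cheaper than pulling every record and filtering in PowerShell afterwards.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 1            # Sysmon Event ID 1: Process Create
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Sysmon stores its fields as named <Data> elements in the event XML;
        # reading them by name is more robust than parsing the Message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data['User']
            ParentImage = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            Hashes      = $data['Hashes']
        }
    }
}

# Triage view: surface processes launched from user-writable temp or download
# locations, which analysts commonly review first. The path pattern is a
# constructed example, not a complete detection rule.
Get-SysmonProcessCreate -MaxEvents 200 |
    Where-Object { $_.Image -match '\\(Temp|Downloads)\\' } |
    Format-Table Time, User, ParentImage, Image, CommandLine -AutoSize
```

The same `Get-WinEvent -FilterHashtable` pattern extends to the other Sysmon event IDs (network connections, driver loads, registry changes) by changing `Id`, and the parsed objects can be exported with `Export-Csv` or forwarded to a collector rather than printed.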
Sysmon, part of the Sysinternals toolset, has long been useful for monitoring Windows' internals. Mark Russinovich, Microsoft technical fellow and co-founder of Winternals, whence Sysinternals (and Sysmon) sprang, said: "It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations.
"Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks."
But deployment has been painful for administrators, managing potentially thousands of endpoints across an enterprise that ...
Copyright of this story solely belongs to theregister.co.uk.

