Sysmon Config Builder is a GUI tool for creating, editing, importing, and exporting Microsoft Sysmon configuration files. It allows users to construct event filtering rules without manually editing XML, making it easier to build and maintain custom Sysmon configurations.
- Import existing Sysmon configuration XML files
- Create and modify Sysmon event filtering rules
- Support for all Sysmon Event IDs (1–30)
- Field-aware rule creation based on event type
- Preset values for common binaries and processes
- Export valid Sysmon XML configurations
- Cross-platform GUI built with PySide6
Expand-Archive sysmon-builder-windows.zip
Run:
dist/sysmon-builder/sysmon-builder.exe
or double-click sysmon-builder.exe.
tar -xzvf sysmon-builder-linux.tar.gz
Run:
./sysmon-builderNo Python installation is required when using the packaged release.
If you want to run the project directly from source.
- Python 3.11+
- PySide6
Setup virtual environment
python -m venv sysmon
(LINUX) activate virtual environment
source sysmon/bin/activate
(WINDOWS) activate virtual environment
sysmon\Scripts\activate
Install dependencies:
pip install -r requirementsRun the application:
python main.py-
Select a Sysmon event from the event list.
-
Choose rule parameters:
- Rule type (
includeorexclude) - Field
- Condition
- Value (preset or custom)
- Rule type (
-
Add rules to build the configuration.
-
Import an existing Sysmon XML configuration if desired.
-
Export the configuration to a new XML file.