Install Sysmon using the Group Policy Management Console

Note: Arctic Wolf does not recommend upgrading to Sysmon version 15.20 unless running Arctic Wolf Agent version 2026-01_47 or later.

You can install Sysmon on multiple Windows endpoints using the Group Policy Management Console (GPMC) and Sysmon Assistant.

When Sysmon is installed on a device:
  • The Arctic Wolf configuration is applied and set by default when Arctic Wolf Agent and Sysmon are installed on a device without a previous Sysmon configuration. If a different configuration already exists, it will not be overwritten.
  • The installation method does not affect how the Arctic Wolf Agent interacts with Sysmon.
  • The location of Sysmon.exe does not change the behavior of Sysmon on the system because it runs as a service and a separate driver.
  • Sysmon events are forwarded to Arctic Wolf regardless of the Sysmon installation method and configuration. However, the Arctic Wolf pipeline is optimized for Arctic Wolf configurations. If you use your own configuration, some events might not generate alerts.

These resources are required:

  • Arctic Wolf® Agent

    See Install Arctic Wolf Agent for more information.

  • One of these operating systems (OS):
    • Windows 10 or newer for 64- and 32-bit systems
    • Windows Server 2016 or newer for 64-bit systems
    Note: Agent OS minimum requirements are different from Sysmon minimum OS requirements. If you are installing Sysmon, make sure that you are installing the appropriate version for your OS. For older operating systems that Agent supports but Sysmon does not, we recommend that you upgrade to a current version of the OS. Arctic Wolf cannot support you with any configuration issues for older versions of Sysmon.

These actions are required:

  • Download the Sysmon.zip file for the latest Sysmon version, which includes the executable files, from the Microsoft website.
  • Install Sysmon Assistant. To download Sysmon Assistant, in the Arctic Wolf Unified Portal, click Resources > Downloads, go to the Sysmon section, and then click Download Assistant to download the latest Sysmon Assistant MSI file.

    For more information about Sysmon Assistant, see Sysmon Assistant.

Prepare the Sysmon Assistant installation package

  1. Extract Sysmon.zip.
  2. Save these Sysmon Assistant installation files in the same folder:
    • sysmon-assistant-<version>.msi
    • Sysmon.exe
    • Sysmon64.exe

    Note:

    Do not include Sysmon64a.exe.

    Tip:

    Saving the executable files and the Assistant MSI file together enables the Sysmon Assistant installer to choose the appropriate file for your systems. For example, if your organization includes both 32-bit and 64-bit systems, Sysmon Assistant installs Sysmon on each system using the appropriate executable file.

Create a distribution point

  1. Sign in to the server with administrator permissions.
  2. Create a shared network folder for the SysmonAssistant.msi package.
  3. Set a minimum of Read permissions on the folder to allow access to the distribution package.
  4. Copy the package from Prepare the Sysmon Assistant installation package, and then paste it into the shared folder.
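The two procedures above (preparing the package folder and publishing it as a distribution point) can be scripted on the file server. The following is an added example, not an Arctic Wolf script; the paths, the MSI version in the file name, the share name and the reader group are placeholders you substitute for your environment. It keeps only Sysmon.exe, Sysmon64.exe and the Assistant MSI, deliberately leaves out Sysmon64a.exe, and grants Read access to Domain Computers because a computer-assigned package is installed by the computer account at startup, not by the signed-in user.

```powershell
# Added example (not Arctic Wolf's own script): build the Sysmon Assistant
# package folder and publish it as a read-only distribution point.
# Assumed/placeholder values: $SysmonZip, $AssistantMsi, $PackageRoot, $ShareName.
# Run on the file server in an elevated PowerShell session.
param(
    [string]$SysmonZip    = 'C:\Downloads\Sysmon.zip',                  # downloaded from Microsoft
    [string]$AssistantMsi = 'C:\Downloads\sysmon-assistant-X.Y.Z.msi',  # placeholder version
    [string]$PackageRoot  = 'C:\Deploy\SysmonAssistant',
    [string]$ShareName    = 'SysmonAssistant'
)

$ErrorActionPreference = 'Stop'

# 1. Extract Sysmon.zip to a scratch folder.
$extract = Join-Path $env:TEMP 'sysmon-extract'
if (Test-Path $extract) { Remove-Item $extract -Recurse -Force }
Expand-Archive -Path $SysmonZip -DestinationPath $extract

# 2. Assemble the package: the MSI plus Sysmon.exe and Sysmon64.exe only.
#    Sysmon64a.exe (the ARM64 build) is deliberately not copied, per the procedure.
New-Item -ItemType Directory -Path $PackageRoot -Force | Out-Null
foreach ($name in @('Sysmon.exe', 'Sysmon64.exe')) {
    $src = Join-Path $extract $name
    if (-not (Test-Path $src)) { throw "Expected $name inside $SysmonZip but it was not found." }
    Copy-Item $src -Destination $PackageRoot -Force
}
Copy-Item $AssistantMsi -Destination $PackageRoot -Force

# Sanity check: exactly one MSI, and no Sysmon64a.exe, in the package folder.
$files = Get-ChildItem $PackageRoot -File
if (@($files | Where-Object Extension -eq '.msi').Count -ne 1) { throw 'Package must contain exactly one MSI.' }
if ($files.Name -contains 'Sysmon64a.exe') { throw 'Sysmon64a.exe must not be in the package.' }

# 3. Publish the folder. The package is installed at startup under the computer
#    account, so Domain Computers needs Read on both the NTFS folder and the share.
$reader = "$env:USERDOMAIN\Domain Computers"
icacls $PackageRoot /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "${reader}:(OI)(CI)RX" | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $PackageRoot -ReadAccess $reader -FullAccess 'Administrators' | Out-Null
}

# 4. Print the UNC path to enter in the Software Installation "Open" dialog,
#    plus the package contents for a final visual check.
"\\$env:COMPUTERNAME\$ShareName"
Get-ChildItem $PackageRoot -File | Select-Object Name, Length, LastWriteTime
```

The script removes inherited permissions on the package folder and replaces them with SYSTEM, Administrators and the read-only reader group, so that nothing broader than Read reaches the clients; if you scope Sysmon deployment to a security group of computers rather than all domain computers, pass that group as the reader instead.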

Create a Group Policy Object

The SysmonAssistant.msi package is deployed or distributed through Group Policy as a Group Policy Object (GPO).

  1. Click Start, and then open the GPMC.
  2. In the navigation menu, click Forest: <DomainName>, where DomainName is the name of your domain, and then click the Domains folder.
  3. Right-click the domain name. If you:
    • Already have a Sysmon GPO — Select Link an Existing GPO, and then click Edit.
    • Do not have an existing Sysmon GPO — Create a new GPO:
      1. Select Create a GPO in this domain, and Link it here.
      2. In the New GPO dialog box, enter a name for the new GPO.
      3. Verify that the Source Starter GPO menu says (none).
      4. Click OK.
        Tip:

        To assign a security group and make sure that Sysmon is deployed to the correct group of computers, see Assign Security Group Filters to the GPO.

      5. Right-click the new GPO, and then click Enforced to enable it.

        The GPO is enabled. A lock appears on the GPO icon in the navigation menu.

      6. Right-click the new GPO, and then select Edit.
  4. In the new window, right-click the Sysmon object, and then click Properties.
  5. Click the Security tab.
  6. Select a group or user.
  7. In the Apply Group Policy section, select the Allow checkbox.

    The policy is applied to the specified groups.

  8. Click OK.

Assign the Sysmon Assistant package

You can assign one package on each machine. If the Sysmon Assistant is assigned, it is automatically installed.

  1. Open the GPMC.
  2. Right-click the Arctic Wolf Sysmon object that you created, and then click Edit.
  3. In the navigation menu, click Computer Configuration > Policies > Software Settings.
  4. Right-click Software Installation, and then click New > Package.
  5. In the Open dialog, enter the full Universal Naming Convention (UNC) path of the distribution point containing the MSI file.
  6. Select the MSI file to create the Sysmon package.
  7. Click Open.
  8. Click Assigned, and then click OK.

    The package is added to the Group Policy window.

  9. Close the Group Policy snap-in, and then click OK to exit.
    Note:

    The assigned package will install when the client computers start, if:

      • Group policy applies.
      • Group policy is applied to the client computer.
      • The distribution point is accessible.
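The three conditions in the note can be checked directly on a client that did not pick up the package. The following is an added example, not an Arctic Wolf tool; the UNC path and the GPO name are placeholders. It confirms that the GPO was applied to the computer, that the share and MSI are reachable, that the Sysmon service and driver exist, which configuration was loaded last (relevant because, as noted earlier on this page, an existing Sysmon configuration is not overwritten by the Arctic Wolf one), and whether Sysmon events are being written at all.

```powershell
# Added example (not Arctic Wolf's own script): troubleshoot an assigned Sysmon
# Assistant package on a client. Run in an elevated PowerShell session.
# Placeholder values: $DistributionPoint (UNC path), $GpoName (the GPO you created).
param(
    [string]$DistributionPoint = '\\FILESERVER\SysmonAssistant',   # placeholder UNC path
    [string]$GpoName           = 'Arctic Wolf Sysmon'               # name you gave the GPO
)

$result = [ordered]@{}

# 1. Did the GPO apply to this computer? gpresult lists applied computer GPOs by name.
$gpresult = gpresult /r /scope:computer 2>&1 | Out-String
$result['GPO applied to computer'] = [bool]($gpresult -match [regex]::Escape($GpoName))

# 2. Is the distribution point reachable? This test runs as the signed-in user; the
#    install itself runs as the computer account, so also confirm the share and NTFS
#    ACLs grant Read to the computers (for example to Domain Computers).
$result['Share reachable']      = Test-Path $DistributionPoint
$result['MSI present on share'] = @(Get-ChildItem $DistributionPoint -Filter '*.msi' -ErrorAction SilentlyContinue).Count -gt 0

# 3. Is Sysmon installed? The service is named Sysmon or Sysmon64 depending on which
#    executable the Assistant chose for this system; the driver is SysmonDrv.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1
$result['Sysmon service'] = if ($svc) { "$($svc.Name): $($svc.Status)" } else { 'not installed' }
$drv = Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue
$result['Sysmon driver']  = if ($drv) { "$($drv.Status)" } else { 'not installed' }

# 4. Which configuration is active? Sysmon writes Event ID 16 to its operational log
#    whenever the configuration state changes; the newest one describes what is loaded.
$cfgEvent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16 } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
$result['Last config change'] = if ($cfgEvent) {
    "$($cfgEvent.TimeCreated): $(($cfgEvent.Message -split "`n")[0])"
} else { 'no config-change event found' }

# 5. Is telemetry flowing? Count Sysmon events written in the last hour.
$since  = (Get-Date).AddHours(-1)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$result['Sysmon events in last hour'] = @($recent).Count

[pscustomobject]$result | Format-List
```

If the GPO line is false, run gpupdate /force and reboot before re-checking, since a computer-assigned package is only installed at startup; if the share line is false while the MSI exists on the server, the problem is usually the share or NTFS permissions rather than the GPO itself.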

Enable startup policy for the Sysmon Assistant package

This step is optional. Arctic Wolf recommends enabling startup policy if you have Sysmon deployment issues. This policy is intended to speed up the process of deploying the Sysmon Assistant package.

  1. Open the GPMC.
  2. Right-click the Sysmon Assistant object that you created, and then click Edit.
  3. In the navigation menu, in the Computer Settings section, expand Policies, and then expand Administrative Templates > System > Logon.
  4. Click Always wait for the network at computer startup and logon.
  5. Select Enabled, and then click OK to close the dialog.
  6. In the navigation menu, in the System section, expand Group Policy.
  7. Right-click Specify startup policy processing wait time, and then click Edit.
  8. Select Enabled.
  9. In the Amount of time to wait field, enter 90.
  10. Click OK to save your changes.
  11. Close the Group Policy snap-in, and then click OK to exit.
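To confirm on a client that both startup-policy settings reached it, the added example below reads back the registry values these two policies write, using the locations defined for them in the Windows Logon and Group Policy ADMX templates. It is not an Arctic Wolf tool; run it after gpupdate /force and a reboot so that computer policy has been processed.

```powershell
# Added example (not Arctic Wolf's own script): verify that the two startup
# policies from the procedure above are in effect on this client.
# Registry paths and value names are those the Windows Logon and Group Policy
# ADMX templates define for these policies; 90 is the wait time entered in step 9.
$checks = @(
    @{ Setting  = 'Always wait for the network at computer startup and logon'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name     = 'SyncForegroundPolicy'
       Expected = 1 },
    @{ Setting  = 'Specify startup policy processing wait time'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name     = 'GpNetworkStartTimeoutPolicyValue'
       Expected = 90 }     # seconds
)

foreach ($c in $checks) {
    # A missing value means the policy has not been applied to this computer yet.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not set (policy not applied)' } else { $actual }
        OK       = ($actual -eq $c.Expected)
    }
}
```

A row with OK = False and Actual = "not set" points at the GPO not applying to this computer at all (check the security filtering and link), whereas a different numeric value means another GPO with a conflicting setting is winning.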