Sysmon Config Builder

Sysmon Config Builder is a GUI tool for creating, editing, importing, and exporting Microsoft Sysmon configuration files. It allows users to construct event filtering rules without manually editing XML, making it easier to build and maintain custom Sysmon configurations.

Features

• Import existing Sysmon configuration XML files
• Create and modify Sysmon event filtering rules
• Support for all Sysmon Event IDs (1–30)
• Field-aware rule creation based on event type
• Preset values for common binaries and processes
• Export valid Sysmon XML configurations
• Cross-platform GUI built with PySide6

Running the Application (Recommended)

Download

Windows

Expand-Archive sysmon-builder-windows.zip

Run:

dist/sysmon-builder/sysmon-builder.exe

or double-click sysmon-builder.exe.

Linux

tar -xzvf sysmon-builder-linux.tar.gz

Run:

./sysmon-builder

No Python installation is required when using the packaged release.

Running From Source

If you want to run the project directly from source.

Requirements

• Python 3.11+
• PySide6

Setup virtual environment python -m venv sysmon

(LINUX) activate virtual environment source sysmon/bin/activate

(WINDOWS) activate virtual environment sysmon\Scripts\activate

Install dependencies:

pip install -r requirements

Run the application:

python main.py

Usage

1. Select a Sysmon event from the event list.

2. Choose rule parameters:

   • Rule type (include or exclude)
   • Field
   • Condition
   • Value (preset or custom)

3. Add rules to build the configuration.

4. Import an existing Sysmon XML configuration if desired.

5. Export the configuration to a new XML file.