Module for creating and managing Sysinternals Sysmon configuration XML files.

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name Posh-Sysmon -RequiredVersion 0.7.3

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name Posh-Sysmon -Version 0.7.3




(c) 2016 Carlos Perez carlos_Perez@darkoperator.com. All rights reserved.

Package Details


  • Carlos Perez carlos_Perez@darkoperator.com


Sysmon Security Logging


* Get-SysmonHashingAlgorithm
* Get-SysmonRule
* New-SysmonConfiguration
* New-SysmonDriverLoadFilter
* New-SysmonFileCreateFilter
* New-SysmonImageLoadFilter
* New-SysmonNetworkConnectFilter
* New-SysmonProcessCreateFilter
* New-SysmonProcessTerminateFilter
* Remove-SysmonRule
* Remove-SysmonRuleFilter
* Set-SysmonHashingAlgorithm
* Set-SysmonRule
* Get-SysmonEventData
* Get-SysmonRuleFilter
* New-SysmonProcessAccess
* New-SysmonFileCreateStreamHash
* New-SysmonRegistryEvent


This module has no dependencies.

Release Notes

Version 0.7.3
* Several bug fixes when creating RawAccess and ProcessOpen rules.
* The default schema version is now 3.2, for the latest Sysmon release (5.0).
* New-SysmonConfiguration function has options to enable all logging for FileCreate, RegistryEvent and FileCreateStreamHash
* Get-SysmonEventData can now parse FileCreate, RegistryEvent and FileCreateStreamHash events.
* New function New-SysmonFileCreateFilter for creating file creation filters.
* New function New-SysmonRegistryEvent for creating registry event filters.
* New function New-SysmonFileCreateStreamHash for creating file stream hash event filters.
* Updated Get-SysmonRule, Set-SysmonRule, Remove-SysmonRule and Remove-SysmonRuleFilter for the new event type rules.
* Added Online Help option for all functions.


Version History

Version                  Downloads   Last updated
1.2                      1,916       9/21/2018
1.1                      225         3/5/2018
1.0                      21          3/4/2018
0.7.5                    400         2/20/2017
0.7.3 (current version)  121         11/20/2016
0.7.2                    88          8/25/2016
0.7.1                    29          8/16/2016
0.7                      19          8/15/2016
0.6                      29          7/29/2016
0.5.1                    104         2/25/2016
0.4                      65          11/4/2015