Microsoft Integrates Sysmon Threat Detection Natively in Windows

Microsoft has announced a significant upgrade for cybersecurity defenders and threat hunters operating within the Windows ecosystem. The company is integrating the popular System Monitor (Sysmon) tool directly into the operating system, starting with Windows 11 Insider Preview Build 26300.7733 (KB5074178) released to the Dev Channel.

Previously available only as a standalone tool within the Sysinternals suite, this move simplifies how security teams deploy advanced logging capabilities to monitor for malware and malicious activity.

Native Threat Detection Capabilities

For years, Sysmon has been a critical tool for Incident Response (IR) teams and Security Operations Centers (SOCs).

It provides detailed information about process creations, network connections, and changes to file creation time.

By integrating this natively, Microsoft ensures that granular event logging is more accessible without requiring external downloads. The native version retains the core functionality that security professionals rely on.

It captures specific system events useful for threat detection and writes them directly to the Windows Event Log.

This integration ensures seamless compatibility with existing Security Information and Event Management (SIEM) solutions and other security applications.

Users can still use custom XML configuration files to filter events, ensuring that defenders capture only relevant data and avoid log noise.

Microsoft has adopted a “secure by default” approach; as a result, the built-in Sysmon feature is disabled by default. Administrators must explicitly enable it.

To enable the feature, run the following command:

powershellDism /Online /Enable-Feature /FeatureName:Sysmon

Once the feature is enabled, the service must be installed to begin capturing events:

sysmon -i

Security teams currently running the standalone version of Sysmon (downloaded from the Sysinternals website) must take caution.

Microsoft has stated that the legacy version must be uninstalled before enabling the built-in Windows version to avoid conflicts.

Beyond security enhancements, this build addresses several stability issues. Microsoft fixed a critical bug that caused applications to freeze when interacting with files on OneDrive or Dropbox.

Additionally, improvements were made to File Explorer, including better keyboard navigation and fixes for folder renaming issues.

This update represents a significant step forward in making advanced telemetry standard on Windows endpoints, giving defenders a native advantage against sophisticated threat actors.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.