diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 583e4421c..b640d833b 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -174,6 +174,12 @@ logsources:
 conditions:
 product_name: "Sysmon"
 vendor_id: "23"
+ windows-file-event:
+ product: windows
+ category: file_event
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 11
 windows-wmi-sysmon:
 product: windows
 category: wmi_event
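Review bot: `vendor_id: 11` in the new `windows-file-event` conditions is an unquoted YAML integer, while the existing entry three lines above writes the same field as the string `"23"`; if the hawk backend serialises condition values by type, the generated query may compare an integer against a string-typed field and silently match nothing, turning every Sigma rule in category `file_event` into a detection that never fires. Write it as `vendor_id: "11"` so it is consistent with the surrounding entries and is emitted the same way. The enclosing `logsources:` mapping starts before this hunk, so the other entries it should agree with are not all visible here.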