docs/audit_policies/windows/sysmon_eventid1_process_creation.md

# Sysmon Event ID 1: Process Creation

## Setup

**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources:
 - https://github.com/trustedsec/SysmonCommunityGuide
 - https://github.com/olafhartong/sysmon-modular
 - https://github.com/Neo23x0/sysmon-config

Some detection rules support the use of Sysmon Event ID 1 (Process Creation) events to detect malicious and suspicious process execution activity.

To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page.

## Configuration Example

The following snippet demonstrates the minimal configuration required to enable Event ID 1 (Process Creation). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above.

```xml
<Sysmon schemaversion="4.90">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <!-- Log all process creation events -->
        <ProcessCreate onmatch="exclude"></ProcessCreate>
    </EventFiltering>
</Sysmon>
```

## Related Rules

Use the following GitHub search to identify rules that use the events generated by this configuration:

[Elastic Detection Rules Github Repo Search](https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22process+where%22+OR+%22event.category%3Aprocess%22+OR+%22process.command_line%22%29++language%3ATOML+AND+NOT+%28%22event.code+%3D%3D+%5C%2210%5C%22%22%29&type=code)
[Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162 ) 2025-11-14 14:22:31 -03:00			`# Sysmon Event ID 1: Process Creation`

			`## Setup`

			`Caution: Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources:`
			`- https://github.com/trustedsec/SysmonCommunityGuide`
			`- https://github.com/olafhartong/sysmon-modular`
			`- https://github.com/Neo23x0/sysmon-config`

			`Some detection rules support the use of Sysmon Event ID 1 (Process Creation) events to detect malicious and suspicious process execution activity.`

			To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page.

			`## Configuration Example`

			`The following snippet demonstrates the minimal configuration required to enable Event ID 1 (Process Creation). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above.`

			```xml
			`<Sysmon schemaversion="4.90">`
			`<HashAlgorithms>md5,sha256</HashAlgorithms>`
			`<EventFiltering>`
			`<!-- Log all process creation events -->`
			`<ProcessCreate onmatch="exclude"></ProcessCreate>`
			`</EventFiltering>`
			`</Sysmon>`
			```

			`## Related Rules`

			`Use the following GitHub search to identify rules that use the events generated by this configuration:`

			`[Elastic Detection Rules Github Repo Search](https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22process+where%22+OR+%22event.category%3Aprocess%22+OR+%22process.command_line%22%29++language%3ATOML+AND+NOT+%28%22event.code+%3D%3D+%5C%2210%5C%22%22%29&type=code)`