Sysmon Service

Summary

Monitors Sysmon service on 32-bit Windows machines and generates a ticket if the service is found to be stopped.

Dependencies

Solution - Sysmon Solution

Target

This monitor should target the group Machines with Sysmon as shown below:

Monitor Creation

Step 1

Navigate to ENDPOINTS ➞ Alerts ➞ Monitors
Step1

Step 2

Locate the Create Monitor button on the right-hand side of the screen and click on it.
Step2

This page will appear after clicking on the Create Monitor button:
Step3

Step 3

Fill in the mandatory columns on the left side

Name: Sysmon Service
Description: Monitors Sysmon Service on 32-bit Windows machines.
Type: Service
Severity: Critical Non-Impact Alerts
Family: Windows Services

Step 4

Click the Select Target button to choose the endpoints for running the monitor set.
Step4

Search and Select Machines with Sysmon device group.

Step 5

Conditions :

Select Sysmon from the Service dropdown.
Comparor = Stopped
Deselect Ignore services in disabled state
Enable Automatically start Sysmon when stopped button

Ticket Resolution :

Ensure the Automatically resolve when Sysmon is running toggle is enabled.

Monitor Output :

Select Generate Ticket from the Output Drop-down Menu

Completed Monitor

Changelog

2026-03-26

Initial version of the document

Summary​

Dependencies​

Target​

Monitor Creation​

Step 1​

Step 2​

Step 3​

Step 4​

Step 5​

Conditions :​

Ticket Resolution :​

Monitor Output :​

Completed Monitor​

Changelog​

2026-03-26​