Add Sysmon to your existing Windows event sources

You can use an update script to configure agents to collect Sysmon events.

To collect Sysmon events along with your System, Application, and Security events, add the following update script to your patches directory:
<?xml version="1.0" encoding="UTF-8"?>
<WinCollectScript version="10.0.0" >
    <AddTo objPath="LocalSources(Name=Local)" >
        <Source Name="Sysmon" Channel="XPath" Type="MSEVEN6" >
            <Parameter name="Query">
                <QueryList>
                    <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                    </Query>
                </QueryList>
            </Parameter>
        </Source>
    </AddTo>
</WinCollectScript>

This script adds a Sysmon source to the agent's Local sources. Because the source uses Channel="XPath", the QueryList in its Query parameter decides which events are collected; the Select element above selects every event from the Microsoft-Windows-Sysmon/Operational channel.
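Before deploying the update script, it is worth confirming on the agent host that the Sysmon channel exists and that the embedded QueryList actually returns events. The following PowerShell check is an added example, not part of the WinCollect documentation; it uses the standard Get-WinEvent cmdlet against the same channel and QueryList as the script above, and assumes Sysmon is already installed on the host.

```powershell
# Added example: verify the Sysmon channel and the update script's XPath query
# on the Windows host where the WinCollect agent runs. Not part of WinCollect.

$channel = 'Microsoft-Windows-Sysmon/Operational'

# 1. Confirm the Sysmon channel is present and enabled. If Sysmon is not
#    installed this throws, which is the failure you want to see before
#    the agent silently collects nothing.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
"{0}: enabled={1}, records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. Run the same QueryList the update script embeds. What this returns is
#    what the agent's Sysmon source will forward.
[xml]$query = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*</Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $query -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

If you later narrow the Select element to a subset of Sysmon events (for example `*[System[EventID=1]]` for process-creation events), rerun the same check with the edited QueryList so that the query you test is byte-for-byte the one the agent will use.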