A major upgrade has been announced to enhance capabilities for cybersecurity defenders and threat hunters in the Windows ecosystem.
With the release of Windows 11 Insider Preview Build 26300.7733 (KB5074178) to the Dev Channel, Microsoft is integrating the popular System Monitor (Sysmon) tool directly into the operating system.
Sysmon was previously available only as a standalone tool in the Sysinternals suite; shipping it with the OS simplifies how security teams deploy advanced logging to monitor for malware and other malicious activity.
Native Threat Detection Capabilities
For years, Sysmon has been a critical tool for Incident Response (IR) teams and Security Operations Centers (SOCs).
It provides detailed information about process creations, network connections, and changes to file creation time.
By integrating this natively, Microsoft ensures that granular event logging is more accessible without requiring external downloads. The native version retains the core functionality that security professionals rely on.
It captures specific system events useful for threat detection and writes them directly to the Windows Event Log.
Because events land in the standard Windows Event Log, existing Security Information and Event Management (SIEM) collectors and other security tooling that already consume Sysmon events continue to work without changes.
Users can still use custom XML configuration files to filter events, ensuring that defenders capture only relevant data and avoid log noise.
Microsoft has adopted a “secure by default” approach; as a result, the built-in Sysmon feature is disabled by default. Administrators must explicitly enable it.
| Method | Approach | Steps |
|---|---|---|
| Method 1 | Windows Settings (GUI) | Go to Settings > System > Optional features > More Windows features, then check “Sysmon” |
| Method 2 | PowerShell / Command Prompt | Use DISM for script-based or enterprise deployment |
To enable the feature, run the following command from an elevated prompt:

```powershell
Dism /Online /Enable-Feature /FeatureName:Sysmon
```

Once the feature is enabled, the service must be installed to begin capturing events:

```powershell
sysmon -i
```
Security teams currently running the standalone version of Sysmon (downloaded from the Sysinternals website) should take care before switching.
Microsoft has stated that the legacy version must be uninstalled before the built-in Windows version is enabled, to avoid conflicts between the two.
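The steps above (remove the legacy standalone Sysmon, enable the optional feature, install the service with a filtering configuration, confirm events are flowing) can be tied together in one idempotent script. The following is an added example written for this article, not a script from Microsoft or from the Sysinternals project. It assumes that the built-in binary is invoked as `sysmon` as shown above, and that the service names (`Sysmon`/`Sysmon64`), the command-line switches (`-u`, `-i`, `-c`, `-accepteula`), the event-log name `Microsoft-Windows-Sysmon/Operational` and the configuration schema version all carry over unchanged from the standalone Sysinternals tool; the `Enable-WindowsOptionalFeature` cmdlet used here is the PowerShell equivalent of the `Dism /Enable-Feature` command in the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, Microsoft or Sysinternals): deploy the
# built-in Sysmon feature with a filtering config. Assumptions are marked inline.
$ErrorActionPreference = 'Stop'

$featureName = 'Sysmon'                                     # from the article
$configPath  = Join-Path $env:ProgramData 'sysmon-config.xml'
$sysmonLog   = 'Microsoft-Windows-Sysmon/Operational'       # assumption: same log as standalone

# 1. If the optional feature is not yet enabled, any Sysmon service on the box is
#    the legacy standalone install and must be removed first. The standalone
#    installer registers a service named Sysmon (32-bit) or Sysmon64 (64-bit) and
#    copies its binary to $env:SystemRoot (assumption about the legacy layout).
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($feature.State -ne 'Enabled') {
    foreach ($svc in 'Sysmon', 'Sysmon64') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            $legacyExe = Join-Path $env:SystemRoot "$svc.exe"
            if (-not (Test-Path $legacyExe)) {
                throw "Legacy $svc service present but $legacyExe not found; uninstall it manually before continuing."
            }
            Write-Host "Uninstalling legacy standalone $svc ..."
            & $legacyExe -u force          # -u force: uninstall even if the driver is busy
        }
    }
    # 2. Enable the built-in feature (same effect as Dism /Online /Enable-Feature).
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart | Out-Null
}

# 3. Write a minimal config that keeps the signal and drops the noise:
#    include only process creations of common living-off-the-land binaries and
#    shells (Event ID 1), and log every network connection (Event ID 3) except
#    those made by the browser. schemaversion is an assumption for the built-in build.
$configXml = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">cmd.exe</Image>
        <Image condition="end with">rundll32.exe</Image>
        <Image condition="end with">mshta.exe</Image>
        <Image condition="end with">regsvr32.exe</Image>
      </ProcessCreate>
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">msedge.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $configXml -Encoding ASCII

# 4. First run installs the service with the config (sysmon -i <config>);
#    later runs only push the updated config (sysmon -c <config>).
if (Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue) {
    & sysmon -c $configPath
} else {
    & sysmon -accepteula -i $configPath
}

# 5. Confirm events are being written to the Event Log, which is what a SIEM
#    agent will forward. Event ID 16 is the "Sysmon config state changed" record
#    emitted on every install or config update, so at least one event must exist.
Get-WinEvent -LogName $sysmonLog -MaxEvents 10 |
    Select-Object TimeCreated, Id, @{Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

Run the script once to migrate a host and again whenever the filtering rules change; the feature-state check in step 1 prevents the legacy uninstall from touching the built-in service on a machine that has already been migrated. If the final `Get-WinEvent` call returns nothing, the service did not start and the install step should be re-run from an elevated session before pointing a SIEM collector at the log.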
Beyond security enhancements, this build addresses several stability issues. Microsoft fixed a critical bug that caused applications to freeze when interacting with files on OneDrive or Dropbox.
Additionally, improvements were made to File Explorer, including better keyboard navigation and fixes for folder renaming issues.
This update represents a significant step forward in making advanced telemetry standard on Windows endpoints, giving defenders a native advantage against sophisticated threat actors.