Chris Bisnett One of the bigger ones is SYSMON event ID 11 . This captures when new files are created. As there have been multiple occasions where Defender has caught something and quarantined it. Which is good however because of that I often cant figure out when the file was created and makes it harder to figure out where it came from. SYSMON event ID 1 could help with this as it captures when new files are created. Though understandably it does create a lot of noise around 16,000 events an hour. Though on say a file server I imagine this would be much higher than that.

Another would be SYSMON even ID 1. This captures when new processes are created. Similar to event ID 4688 but has a lot of extra details. However it appears that 4688 might be filtered now. Makes sense as EDR captures this information. However I feel it could be helpful to organizations who only want the SIEM and not EDR.

Chris Bisnett Having the ability to query ingested Sysmon for powershell and cmd commands that are executed, and the ability to more closely monitor network connections (IP's and ports); that would be huge. Then having the ability to alert on it would invaluable. It could also be useful for new processes that are spawned and created.

Overall - being able to use the verbosity of Sysmon opens up the door for easy to query information with the potential to set up triggers and alerts from the SIEM.