diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 4009a9bd..1f53db86 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -29,6 +29,11 @@ logsources:
 service: sysmon
 conditions:
 winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-process-creation:
+ product: windows
+ category: process_creation
+ conditions:
+ winlog.event_id: '1'
 windows-dns-server:
 product: windows
 service: dns-server
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 3bc1824e..39d26cab 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -28,6 +28,11 @@ logsources:
 service: sysmon
 conditions:
 winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+ windows-process-creation:
+ product: windows
+ category: process_creation
+ conditions:
+ winlog.event_id: '1'
 windows-dns-server:
 product: windows
 service: dns-server
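Review bot: The new `windows-process-creation` logsource in winlogbeat-modules-enabled.yml constrains only `winlog.event_id: '1'`, so any rule converted for `category: process_creation` will match event ID 1 from every channel Winlogbeat ships, not just Sysmon process-creation events; the sibling `windows-sysmon` entry right above it pins `winlog.channel: 'Microsoft-Windows-Sysmon/Operational'` and this entry should do the same. Add `winlog.channel: 'Microsoft-Windows-Sysmon/Operational'` as a second line under `conditions:` so the two conditions are ANDed, as they are in the entry above. Since this maps the generic category to Sysmon only, a comment such as `# process_creation is mapped to Sysmon EID 1; Security 4688 is not covered by this logsource` would stop a reader from assuming 4688-only hosts are detected. The quoted `'1'` differs in type from a numeric event_id; I can't see from the hunk which form the backend expects, so please confirm it matches the other `winlog.event_id` entries in this file.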
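Review bot: The same `windows-process-creation` entry added to winlogbeat.yml has only `winlog.event_id: '1'` as its condition and no channel restriction, so converted process_creation rules will fire on event ID 1 from any Windows channel rather than on Sysmon process creation alone. Mirror the `windows-sysmon` entry visible in the hunk's context and add `winlog.channel: 'Microsoft-Windows-Sysmon/Operational'` under `conditions:` next to the event_id line. Also worth a one-line comment above the entry, such as `# category process_creation -> Sysmon EID 1 only (no Security 4688 mapping)`, so the coverage gap is explicit to whoever tunes this config; whether `'1'` should be quoted depends on the rest of the file's `winlog.event_id` entries, which are outside this hunk.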