Wondering if there is an explanation for this and if not, maybe it'll help someone down the line.
I was working on creating exclusions for Event ID 3 on a server that sent/received a ton of UDP traffic using java. It's part of an internally developed product and we have a way to simulate high load (more traffic). With an exclusion that looked like this:
<Image condition="is">C:\path\to\java.exe</Image>
even though the excluded events weren't being logged, sysmon was utilizing upwards of 30% CPU when the java app was under heavy load. I was ready to give up on it and turn off network connection monitoring when we changed the "is" to "image":
<Image condition="image">C:\path\to\java.exe</Image>
And suddenly under identical and even higher load, sysmon never went above 5%.
I suspect the reason it was so high initially was because while it knew not to log the event, it still had to analyze each event against a set of exclusions and somehow using "image" vs "is" is much more efficient, but would love an official explanation because I could not find anything documented.
