With that config:
- Sysmon is monitoring all NetworkConnect transactions because you have one or more rules associated with either include or exclude rule groups. Sysmon has to monitor all NetworkConnect activity in order to determine if any of your rules apply.
- For NetworkConnect events, Sysmon is only logging events whose DestinationPort is 25 and whose Image path is not c:\Windows\System32\cmd.exe.
Regarding performance:
- With NetworkConnect monitoring, your sysadmin colleagues should be mostly worried about the impact to DNS servers if the DnsLookup configuration entry is not defined or is set to True. When DnsLookup is enabled, Sysmon performs DNS lookups of the IP addresses associated with new NetworkConnect events in order to populate the DestinationHostName and SourceHostName fields. Otherwise the performance cost of monitoring is inconsequential.
- With NetworkConnect logging, the impact to the local host is inconsequential. If the logs from the host are forwarded to an upstream system, you need to consider the network transmission, server storage, and log search computation costs due to the volume of events resulting from your sysmon configs.
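For reference, a Sysmon configuration that expresses the rules described in the answer above, with DnsLookup explicitly disabled so the DNS-server load concern does not apply. This is an added illustration, not the original poster's config; the schemaversion value is an assumption and should match the Sysmon build you deploy.

```xml
<Sysmon schemaversion="4.22">
  <!-- Disable reverse lookups: DestinationHostName/SourceHostName stay empty,
       but DNS servers see no extra query load from NetworkConnect events. -->
  <DnsLookup>False</DnsLookup>
  <EventFiltering>
    <!-- Include group: only connections to TCP/UDP port 25 are candidates for logging. -->
    <RuleGroup name="smtp-connections" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">25</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Exclude group: drop port-25 connections originating from cmd.exe.
         Excludes take precedence over includes, so matching events are never logged. -->
    <RuleGroup name="suppress-cmd" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Windows\System32\cmd.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Even with this narrow filter, the driver still inspects every outbound connection to evaluate the rules; only the volume of Event ID 3 records written to the log (and forwarded upstream) is reduced.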