Original Author: Adrian Hall
Current maintainers: Jim Apger, Dave Herrald, James Brodsky
Contributors: https://github.com/dstaulcu https://github.com/MikeKemmerer https://github.com/trogdorsey
Version/Date: 6.0.7 / Nov 22, 2017
Sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Has index-time ops: false
6.0.7 Nov 24, 2017
--------
Tested with Sysmon version 6.20
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

6.0.6 Nov 22, 2017
--------
Added FIELDALIAS for EventID/EventCode for compatibility with Sigma rules.
https://github.com/Neo23x0/sigma

6.0.5 Sep 12, 2017
--------
Support for new features of Sysmon v6.10

6.0.4 Sep 9, 2017
--------
Prep for Splunk certification.

6.0.3
--------
Typo corrected. Special thanks to David Dorsey (https://github.com/trogdorsey) for this contribution.

6.0.2
--------
Field extractions added, including but not limited to cmdline, parent_process, and parent_process_id. Special thanks to David Dorsey (https://github.com/trogdorsey) for this contribution.

6.0.1
--------
Field extractions for MD5, SHA1, SHA256, IMPHASH. Special thanks to David Staulcup (https://github.com/dstaulcu) for ongoing assistance and contributions.

6.0.0
--------
Updates to support Sysmon V6. Special thanks to David Staulcup (https://github.com/dstaulcu) for ongoing assistance and contributions.

5.0.0
--------
Updates to support Sysmon V5. Note: the sample configuration included below was modified to exclude the ImageLoad section, which was found to cause BSODs on some Windows 7 test systems. Special thanks to David Staulcup (https://github.com/dstaulcu) for ongoing assistance and contributions.

4.0.0
--------
Minor updates to support Sysmon V4 and optimize the hash field extraction. See:
https://github.com/splunk/TA-microsoft-sysmon/pull/8
https://github.com/splunk/TA-microsoft-sysmon/pull/9
https://github.com/splunk/TA-microsoft-sysmon/pull/10
https://github.com/splunk/TA-microsoft-sysmon/pull/11

3.2.3
--------
Minor updates to add workflow actions via pull request and subsequent fine tuning. See:
https://github.com/splunk/TA-microsoft-sysmon/pull/5
https://github.com/splunk/TA-microsoft-sysmon/pull/6

3.2.2
--------
Minor updates to extract various hash values into individual fields for convenience:
https://github.com/splunk/TA-microsoft-sysmon/issues/4

3.2.1
--------
Minor updates to align with Sysmon version 3.21. For details see:
https://github.com/splunk/TA-microsoft-sysmon/issues/1
https://github.com/splunk/TA-microsoft-sysmon/issues/2
https://github.com/splunk/TA-microsoft-sysmon/issues/3

3.1.1
-------
Major modification of the version to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf

0.3.1
-----
Lookup table added to support Sysmon 3.1
Additional CIM compliance added
Example config added
Revved to version 0.3.1 to match current Sysmon version
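The changelog entries above (the EventID/EventCode alias in 6.0.6, the cmdline/parent_process/parent_process_id fields in 6.0.2, the MD5/SHA1/SHA256/IMPHASH split in 6.0.1 and 3.2.2, and the event-code lookup from 0.3.1) describe what the TA extracts from a Sysmon event but not what that looks like on a concrete record. The script below is an added example, not code from the TA, that re-implements those extractions in plain Python against a constructed ProcessCreate event so you can check the field names against your own events before writing a search or a Sigma rule. The function names, the sample event and its placeholder hash values are my own; the EventID-to-description table is a subset transcribed from the Sysmon documentation for the versions this README covers (through 6.20) and should be checked against the Sysmon build you deploy.

```python
"""Added example: reproduce the TA-microsoft-sysmon field extractions
(EventCode alias, hash split, process fields, event-code lookup) on one
Sysmon XML event outside Splunk. Not the TA's own code."""
import re
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventID -> description, the role of the TA's lookup table. Subset taken
# from the Sysmon docs for versions up to 6.20 (assumption: verify against
# the Sysmon build you actually run).
SYSMON_EVENT_DESCRIPTIONS = {
    1: "ProcessCreate",
    2: "FileCreateTime",
    3: "NetworkConnect",
    4: "SysmonServiceStateChange",
    5: "ProcessTerminate",
    6: "DriverLoad",
    7: "ImageLoad",
    8: "CreateRemoteThread",
    9: "RawAccessRead",
    10: "ProcessAccess",
    11: "FileCreate",
    12: "RegistryEvent (Object create and delete)",
    13: "RegistryEvent (Value Set)",
    14: "RegistryEvent (Key and Value Rename)",
    15: "FileCreateStreamHash",
    16: "SysmonConfigurationChange",
    17: "PipeEvent (Pipe Created)",
    18: "PipeEvent (Pipe Connected)",
    19: "WmiEvent (WmiEventFilter activity detected)",
    20: "WmiEvent (WmiEventConsumer activity detected)",
    21: "WmiEvent (WmiEventConsumerToFilter activity detected)",
    255: "Error",
}

# Sysmon writes Hashes as "ALGO=hex,ALGO=hex,...". Only the algorithms enabled
# in the Sysmon config are present, so any subset (or none at all) is normal.
HASH_RE = re.compile(r"\b(?P<algo>MD5|SHA1|SHA256|IMPHASH)=(?P<value>[0-9A-Fa-f]+)")


def parse_hashes(hashes_field):
    """Split the Hashes string into lower-cased md5/sha1/sha256/imphash fields."""
    return {m.group("algo").lower(): m.group("value").lower()
            for m in HASH_RE.finditer(hashes_field or "")}


def basename(image_path):
    """Last component of a Windows image path (the process/parent_process value)."""
    return image_path.rsplit("\\", 1)[-1] if image_path else None


def parse_sysmon_event(xml_text):
    """Turn one Sysmon XML event into a flat dict of extracted fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    fields = {
        "EventID": event_id,
        "EventCode": event_id,  # the 6.0.6 alias, so Sigma rules keyed on EventCode match
        "event_description": SYSMON_EVENT_DESCRIPTIONS.get(event_id, "Unknown"),
        "Computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
    }
    # Every <Data Name="X"> child becomes a field named X, as the XML
    # sourcetype's automatic extraction does.
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        fields[data.get("Name")] = data.text
    fields.update(parse_hashes(fields.get("Hashes")))
    # CIM-style process fields from the 6.0.2 entry
    fields["process"] = basename(fields.get("Image"))
    fields["cmdline"] = fields.get("CommandLine")
    fields["parent_process"] = basename(fields.get("ParentImage"))
    fields["parent_process_id"] = fields.get("ParentProcessId")
    return fields


# Constructed ProcessCreate (EventID 1) event; not a real capture, and the
# hash values are placeholders rather than hashes of any real binary.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="Hashes">SHA1=1111111111111111111111111111111111111111,MD5=22222222222222222222222222222222,SHA256=3333333333333333333333333333333333333333333333333333333333333333,IMPHASH=44444444444444444444444444444444</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentProcessId">1234</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for name, value in sorted(parse_sysmon_event(SAMPLE_EVENT).items()):
        print(f"{name}={value}")
```

Run it as-is to print the flattened fields; feed it `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` output one event at a time to compare against what you see in Splunk. The event only reaches Splunk in this XML shape when the forwarder input for the Sysmon channel has `renderXml = true`, which is what produces the XmlWinEventLog sourcetype this TA targets.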
Configuration:
Install the TA via the GUI on all search heads. Install it via your preferred method (manual or Deployment Server) on forwarders running on Windows hosts that have Sysmon 3.1 or greater installed.
Ensure that you are running at least version 6.2.0 universal forwarders: the TA depends on the Windows XML event log format, which was introduced in that release.
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/
Updated lookups to support Sysmon V5.
Now extracts various hash values into convenient fields. See https://github.com/splunk/TA-microsoft-sysmon/issues
Several minor bugfixes and enhancements. Tested with Microsoft Sysmon version 3.21
Major modification of the version to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf
Version 0.3.1 was contributed by James Brodsky.
- Confirmed to work with Sysmon 3.1
- Some more CIM work
- New README file
- Example Sysmon config (in README)
- Lookup file to map event codes to event descriptions
Added CIM compliance for process events
Initial CIM-compliant Release