Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Add-on for Microsoft Sysmon
MD5 checksum (add-on-for-microsoft-sysmon_605.tgz) 862da34dd264c0d29910344618448f92 MD5 checksum (add-on-for-microsoft-sysmon_604.tgz) 44993d46d20d1895e02e3f991acc0a3c MD5 checksum (add-on-for-microsoft-sysmon_603.tgz) 4b384c78bfa8e8d4283fa664bbbc3cf7 MD5 checksum (add-on-for-microsoft-sysmon_602.tgz) 0c22a8588e883892b093bfc2ce486942 MD5 checksum (add-on-for-microsoft-sysmon_600.tgz) 59ab20998a7d5f3e9d204f666b25c96d MD5 checksum (add-on-for-microsoft-sysmon_500.tgz) c5f7049f2e69d7dc7cd63f36b845e240 MD5 checksum (add-on-for-microsoft-sysmon_400.tgz) 43221ce0d73de266e0024fd55cc5b297 MD5 checksum (add-on-for-microsoft-sysmon_323.tgz) c4c2400726f511302dc651306872d35b MD5 checksum (add-on-for-microsoft-sysmon_322.tgz) b1227b1078cc8472cfc461b671c0ea4c MD5 checksum (add-on-for-microsoft-sysmon_321.tgz) 8eeb7477ea7e6cc45d504ef43dee08e5 MD5 checksum (add-on-for-microsoft-sysmon_311.tgz) 7203d8b739bf3ff4db20fe4ad6cebaab MD5 checksum (add-on-for-microsoft-sysmon_031.tgz) e6674b0bffb3b60398c87e33f8a70668 MD5 checksum (add-on-for-microsoft-sysmon_011.tgz) c52a04c3104ff11c331f854afd3493f8 MD5 checksum (add-on-for-microsoft-sysmon_010.tgz) 429c3ab2b699221ae778710bdd881a0c
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Add-on for Microsoft Sysmon

Provides a data input and CIM-compliant field extractions for Microsoft Sysmon. The Microsoft Sysmon utility provides data on process creation (including parent process ID), network connections, and much more.

This add-on was originally created by Adrian Hall. We appreciate Adrian's contribution and his willingness to turn over control to the current team for ongoing maintenance and development.

TA-Microsoft-Sysmon v6.0.4

   Original Author: Adrian Hall
   Current maintainers: Jim Apger, Dave Herrald, James Brodsky 
   Version/Date: 6.0.4 / Sep 9, 2017
   Sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
   Has index-time ops: false

Update History

   6.0.4 Sep 9, 207
   Prep for Splunk certification.

   Typo corrected.
   Special thanks to David Dorsey ( for this contribution.

   Field extractions added including but not limited to cmdline, parent_process, 
   and parent_process_id.
   Special thanks to David Dorsey ( for this contribution.

   Field extractions for MD5, SHA1, SHA256, IMPHASH
   Special thanks to David Staulcup ( for ongoing 
   assistance and contributions

   Updates to support sysmon V6
   Special thanks to David Staulcup ( for ongoing 
   assistance and contributions

   Updates to support sysmon V5
   Note the sample configuration included below was modified to exclued the 
   ImageLoad section which was found to be causing BSOD on some Windows 7 test 
   systems. Special thanks to David Staulcup 
   ( for ongoing assistance and contributions

   Minor updates to support Sysmon V4 and optimize the hash field extraction. 

   Minor updates to add workflow actions via pull request and subsequent fine 

   Minor updates to extract various hash values into individual fields for convenience:

   Minor updates to align with sysmon version 3.21. For details see:

   Major modification of the version to better align with SplunkBase.
   Fixed typos in eventtypes.conf and props.conf

   Lookup table added to support Sysmon 3.1
   Additional CIM compliance added
   Example config added
   Revved to version 0.3.1 to match current Sysmon version

Using this TA

   Configuration: Install TA via GUI on all search heads, install
   via your preferred method (manual or Deployment Server) on
   forwarders running on Windows that have Sysmon 3.1 or greater

   Ensure that you have at least version 6.2.0 universal forwarders.
   This is because of the Windows XML event log format.

   For additional info on Sysmon see:


   This is a community supported TA. As such, post to
   and reference it. Someone should be with you shortly.

   Pull requests via github are welcome!

Recommended Configuration

   We strongly recommend that you use the popular Sysmon configuration shared by SwiftOnSecurity 
   as your starting point:

Previously Recommended Configuration

   3/16/2017 - The following configuration guidance was inlcuded historically
   but should now be considered deprecated. We suggest instead that you use the SwiftOnSecurity
   configuration as a starting point, and tune it to meet your needs. You may choose to
   use elements of the legacy configuration below, particularly if you are interested
   in exluding common Splunk image/file names from creating Sysmon events. 
   NOTE: If you choose to excude certain events based on file name, please be aware 
   that this could potentially be abused by an attacker to hide malicious activity by 
   choosing an excluded name for their malware. If you are not willing to accept this 
   risk, do not use the configuration below.

   Sysmon is capable of delivering a large amount of events into your
   Splunk instance. The following configuration, loaded into each
   system running Sysmon 3.1 or greater, will reduce the amount of data considerably.
   Special thanks go to Jeff Walzer from the University of Pittsburgh for
   originally helping to test this (

   Load this via sysmon -c (filename) from an admin-level command prompt.
   (after you have placed it in a text file). You may get some 
   unusual errors - these are benign and can be ignored. Check the
   filtering via a "sysmon -c" with no argument.

   For additional Sysmon filtering, remove the entire ImageLoad 

Release Notes

Version 6.0.5
Nov. 4, 2017

Version 6.0.4
Sept. 9, 2017

Version 6.0.3
Sept. 9, 2017

Version 6.0.2
Sept. 6, 2017

Version 6.0.0
March 13, 2017

Version 5.0.0
Nov. 22, 2016

Updated lookups to support Sysmon V5.

Version 4.0.0
Oct. 1, 2016

Version 3.2.3
May 31, 2016

Version 3.2.2
May 28, 2016

Now extracts various hash values into convenient fields. See

Version 3.2.1
April 26, 2016

Several minor bugfixes and enhancements. Tested with Microsoft Sysmon version 3.21

Version 3.1.1
Sept. 29, 2015

Major modification of the version to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf

Version 0.3.1
Sept. 29, 2015

Version 0.3.1 was contributed by James Brodsky.

-Confirmed to work with Sysmon 3.1
-Some more CIM work
-new README file
-example Sysmon config (in readme)
-Lookup file to map event codes to event descriptions

Version 0.1.1
Dec. 1, 2014

Added CIM compliance for process events

Version 0.1.0
Nov. 24, 2014

Initial CIM-compliant Release


Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2017 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.