Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Add-on for Microsoft Sysmon
MD5 checksum (add-on-for-microsoft-sysmon_600.tgz) 59ab20998a7d5f3e9d204f666b25c96d MD5 checksum (add-on-for-microsoft-sysmon_500.tgz) c5f7049f2e69d7dc7cd63f36b845e240 MD5 checksum (add-on-for-microsoft-sysmon_400.tgz) 43221ce0d73de266e0024fd55cc5b297 MD5 checksum (add-on-for-microsoft-sysmon_323.tgz) c4c2400726f511302dc651306872d35b MD5 checksum (add-on-for-microsoft-sysmon_322.tgz) b1227b1078cc8472cfc461b671c0ea4c MD5 checksum (add-on-for-microsoft-sysmon_321.tgz) 8eeb7477ea7e6cc45d504ef43dee08e5 MD5 checksum (add-on-for-microsoft-sysmon_311.tgz) 7203d8b739bf3ff4db20fe4ad6cebaab MD5 checksum (add-on-for-microsoft-sysmon_031.tgz) e6674b0bffb3b60398c87e33f8a70668 MD5 checksum (add-on-for-microsoft-sysmon_011.tgz) c52a04c3104ff11c331f854afd3493f8 MD5 checksum (add-on-for-microsoft-sysmon_010.tgz) 429c3ab2b699221ae778710bdd881a0c
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Add-on for Microsoft Sysmon

Provides a data input and CIM-compliant field extractions for Microsoft Sysmon. The Microsoft Sysmon utility provides data on process creation (including parent process ID), network connections, and much more.

This add-on was originally created by Adrian Hall. We appreciate Adrian's contribution and his willingness to turn over control to the current team for ongoing maintenance and development.

TA-Microsoft-Sysmon v6.0.0

Original Author: Adrian Hall
Current maintainers: Jim Apger, Dave Herrald, James Brosdsky 
Version/Date: 6.0.0 3/12/2016
Sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Has index-time ops: false
Input Requirements: Sysmon 3.1 or later installed with Splunk Universal Forwarder for Windows

Update History

Updates to support sysmon V6
Special thanks to David Staulcup ( for ongoing assistance and contributions

Updates to support sysmon V5
Note the sample configuration included below was modified to exclued the ImageLoad section which was found to be causing BSOD on some Windows 7 test systems.
Special thanks to David Staulcup ( for ongoing assistance and contributions

Minor updates to support Sysmon V4 and optimize the hash field extraction. 

Minor updates to add workflow actions via pull request and subsequent fine tuning.

Minor updates to extract various hash values into individual fields for convenience:

Minor updates to align with sysmon version 3.21. For details see:

Major modification of the version to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf

Lookup table added to support Sysmon 3.1
Additional CIM compliance added
Example config added
Revved to version 0.3.1 to match current Sysmon version

Using this TA

Configuration: Install TA via GUI on all search heads, install
via your preferred method (manual or Deployment Server) on
forwarders running on Windows that have Sysmon 3.1 or greater

Ensure that you have at least version 6.2.0 universal forwarders.
This is because of the Windows XML event log format.

Sysmon ProcessCreate events may pick up passwords in CommandLine
and ParentCommandLine fields. Depending on organizational policy you 
may be required to mask passwords either at search time or prior to
indexing. SEDCMD entries can be added to props.conf files on 
search heads or indexers to mask data in known positions of passwords.

    SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g

For additional info on Sysmon see:


This is a community supported TA. As such, post to
and reference it. Someone should be with you shortly.

Pull requests via github are welcome!

Release Notes

Version 6.0.0
March 13, 2017

Version 5.0.0
Nov. 22, 2016

Updated lookups to support Sysmon V5.

Version 4.0.0
Oct. 1, 2016

Version 3.2.3
May 31, 2016

Version 3.2.2
May 28, 2016

Now extracts various hash values into convenient fields. See

Version 3.2.1
April 26, 2016

Several minor bugfixes and enhancements. Tested with Microsoft Sysmon version 3.21

Version 3.1.1
Sept. 29, 2015

Major modification of the version to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf

Version 0.3.1
Sept. 29, 2015

Version 0.3.1 was contributed by James Brodsky.

-Confirmed to work with Sysmon 3.1
-Some more CIM work
-new README file
-example Sysmon config (in readme)
-Lookup file to map event codes to event descriptions

Version 0.1.1
Dec. 1, 2014

Added CIM compliance for process events

Version 0.1.0
Nov. 24, 2014

Initial CIM-compliant Release


Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2017 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.