Splunk® Supported Add-ons

Splunk Add-on for Sysmon

Configure your Microsoft Sysmon deployment to collect data

Sysmon events are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational or on the WEC server, if using WEC, and collected by the Splunk software.

Prepare your Sysmon configuration file based on your security team or SOC needs. The best practice is to start preparing the configuration with the template SwiftOnSecurity/sysmon-config and adjust filtering rules of each event type according to your environment needs, instead of running Sysmon without a custom configuration file. Otherwise, Sysmon will monitor a predefined small subset of events and event types or flood the eventlog and your Splunk platform deployment with unnecessary events.

To learn more about configuration file preparation and adjustment, see:

WEF/WEC support

Splunk Add-on for Sysmon can be used for Sysmon events forwarded and collected with use of Windows Event Forwarding (https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection) and Windows Event Collector (https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector) or WEF/WEC for short. WEF/WEC architecture requires careful tuning to work reliably. Use a dedicated collector channel for Sysmon events and name the channel is WEC-Sysmon or something similar.

Hashes generation configuration

Choose one hashing algorithm in Sysmon's general configuration for process and file hash generation. Select the hash type used by your threat intelligence solution, so that processing cycles aren't wasted by checking for the presence of a specific MD5 hash in a field containing a SHA256 hash.

Using * or multiple types of hashes in the hash declaration is not recommended due to performance implications and the possibility of false negatives caused by labels in the hash field.

Last modified on 21 June, 2024
Installation and configuration overview for the Splunk Add-on for Sysmon   Install the Splunk Add-on for Sysmon

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters