Sysmon product comparisons

The following sections describe the differences between versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon:

Field mapping comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Version 1.0.1 of the Splunk Add-on for Sysmon introduces field mapping changes to the XmlWinEventLog sourcetype. See the following table for information in field changes between version 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Source type	EventCode	Fields added	Fields modified	Fields removed	10.6.2 extractions	1.0.1 extractions
`XmlWinEventLog`	1	`original_file_name` `os`	`signature` `EventDescription`	`app` `cmdline` `direction` `dvc` `hashes` `session_id` `user_id`	Process Create, Process Create	Process creation, Process creation
`XmlWinEventLog`	2	`action` `dest` `file_modify_time`	`signature` `EventDescription` `tag::eventtype` `tag`	`app` `direction` `dvc` `session_id` `user_id`	File Create Time, File Create Time, change endpoint filesystem, change endpoint filesystem	A process changed a file creation time, A process changed a file creation time, endpoint filesystem, endpoint filesystem
`XmlWinEventLog`	3	`action` `dvc_ip` `protocol_version` `transport_dest_port`	`signature` `protocol` `dest` `state` `EventDescription` `tag` `tag::eventtype`	`dest_host` `process_path` `session_id` `user_id`	Network Connect, https, -, listening, Network Connect, listening port communicate network, listening port communicate network	Network connection, ip, 52.46.216.120, estabished, Network connection, communicate network, communicate network
`XmlWinEventLog`	4	`description` `dest` `eventtype` `service` `service_name` `status` `tag` `tag::eventtype`	`signature` `EventDescription`	`direction` `dvc` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`	Sysmon Start, Sysmon Start	Sysmon service state changed, Sysmon service state changed
`XmlWinEventLog`	5	`action` `dest` `os` `process`	`signature` `EventDescription`	`app` `direction` `dvc` `session_id` `user_id`	Process Terminate, Process Terminate	Process terminated, Process terminated
`XmlWinEventLog`	6	`action` `dest` `os` `process_path` `service_signature_exists` `service_signature_verified`	`signature`	`direction` `dvc` `hashes` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`	Driver Load	Driver loaded
`XmlWinEventLog`	7	`action` `dest` `eventtype` `os` `parent_process_exec` `parent_process_guid` `parent_process_id` `parent_process_name` `parent_process_path` `service_dll_signature_exists` `service_dll_signature_verified` `tag` `tag::action` `tag::eventtype`	`signature` `process_exec` `EventDescription` `process_path` `process_name`	`app` `direction` `dvc` `hashes` `process_guid` `process_id` `session_id` `user_id`	Image Load, unsecapp.exe, Image Load, C:\Windows\System32\wbem\unsecapp.exe, unsecapp.exe	Image loaded, oleaut32.dll, Image loaded, C:\Windows\System32\oleaut32.dll, oleaut32.dll
`XmlWinEventLog`	8	`action` `dest` `os` `parent_process_guid` `parent_process_id` `parent_process_path` `process_guid` `process_id` `process_path` `src_address` `src_function` `src_module`	`signature` `process_name` `parent_process_name` `EventDescription` `parent_process_exec` `process_exec`	`direction` `dvc` `user_id`	Create Remote Thread, csrss.exe, , Create Remote Thread, csrss.exe	CreateRemoteThread, splunkd.exe, csrss.exe, CreateRemoteThread, csrss.exe, splunkd.exe
`XmlWinEventLog`	9	`action` `dest` `os`	`signature` `EventDescription`	`app` `direction` `dvc` `session_id` `user_id`	Raw Access Read, Raw Access Read	RawAccessRead, RawAccessRead
`XmlWinEventLog`	10	`action` `dest` `granted_access` `os` `parent_process_guid` `parent_process_id` `parent_process_path` `process_guid` `process_id` `process_path`	`process_exec` `parent_process_exec` `EventDescription` `parent_process_name` `process_name` `signature`	`direction` `user_id`	svchost.exe,, Process Access,, svchost.exe, Process Access	MsMpEng.exe, svchost.exe, ProcessAccess, svchost.exe, MsMpEng.exe, ProcessAccess
`XmlWinEventLog`	11	`action`	`tag::eventtype` `tag` `EventDescription` `signature`	`app` `direction` `dvc` `session_id` `user_id`	change endpoint filesystem, change endpoint filesystem, File Created, File Created	endpoint filesystem, endpoint filesystem, FileCreate, FileCreate
`XmlWinEventLog`	12	`registry_hive` `status`	`tag::eventtype` `tag,registry_key_name` `EventDescription` `signature`	`app` `direction` `dvc` `object` `session_id` `user_id`	change endpoint registry, change endpoint registry, Parameters, Registry object added or deleted, Registry object added or deleted	endpoint registry, endpoint registry, HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, RegistryEvent (Object create and delete), RegistryEvent (Object create and delete)
`XmlWinEventLog`	13	`RegistryValueData` `registry_hive` `registry_value_data` `registry_value_type` `status`	`tag::eventtype` `tag` `registry_key_name` `EventDescription` `registry_value_name` `signature`	`app` `direction` `object` `session_id` `user_id`	change endpoint registry, change endpoint registry, SecureTimeHigh, Registry value set, QWORD (0x01d76449-0xb4beb640), Registry value set	endpoint registry, endpoint registry, HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits, RegistryEvent (Value Set), SecureTimeHigh, RegistryEvent (Value Set)
`XmlWinEventLog`	14	`action` `registry_hive` `status`	`tag::eventtype` `tag` `registry_key_name` `EventDescription` `signature`	`app` `direction` `dvc` `object` `session_id` `user_id`	change endpoint registry, change endpoint registry, test1, Registry object renamed, Registry object renamed	endpoint registry, endpoint registry, HKU\S-1-5-21-2763475848-2734699699-1333640867-1011\test1, RegistryEvent (Key and Value Rename). RegistryEvent (Key and Value Rename)
`XmlWinEventLog`	15	`action` `dest` `file_hash` `http_referrer` `http_referrer_domain` `os` `uri_path` `url` `url_domain`	`file_path` `EventDescription` `file_name` `signature`	`app` `direction` `dvc` `session_id` `user_id`	C:\Users\splunker\Downloads\Sublime Text Build 3211 x64 Setup.exe:Zone.Identifier, File stream created, Sublime Text Build 3211 x64 Setup.exe:Zone.Identifier, File stream created	C:\Users\splunker\Downloads\Sublime Text Build 3211 x64 Setup.exe, FileCreateStreamHash, Sublime Text Build 3211 x64 Setup.exe, FileCreateStreamHash
`XmlWinEventLog`	16	`description` `dest` `eventtype` `process_id` `service` `service_name` `status` `tag` `tag::eventtype`	`EventDescription` `signature`	`direction` `dvc` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`	Sysmon Configuration Changed, Sysmon Configuration Changed	ServiceConfigurationChange, ServiceConfigurationChange
`XmlWinEventLog`	17	`action` `dest` `os` `pipe_name`	`EventDescription` `signature`	`app` `direction` `dvc` `session_id` `user_id`	Pipe Created, Pipe Created	PipeEvent (Pipe Created), PipeEvent (Pipe Created)
`XmlWinEventLog`	18	`action` `dest` `os` `pipe_name`	`EventDescription` `signature`	`app` `direction` `dvc` `session_id` `user_id`	Pipe Connected, Pipe Connected	PipeEvent (Pipe Connected), PipeEvent (Pipe Connected)
`XmlWinEventLog`	19	`action` `change_type` `dest` `result` `src` `status` `user_name`	`EventDescription` `signature`	`direction` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`	WmiEventFilter activity detected, WmiEventFilter activity detected	WmiEvent (WmiEventFilter activity detected), WmiEvent (WmiEventFilter activity detected)
`XmlWinEventLog`	20	`action` `change_type` `dest` `object` `object_path` `src` `status` `user_name`	`EventDescription` `signature`	`direction` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`	WmiEventConsumer activity detected, WmiEventConsumer activity detected	WmiEvent (WmiEventConsumer activity detected), WmiEvent (WmiEventConsumer activity detected)
`XmlWinEventLog`	21	`action` `change_type` `dest` `object` `object_attrs` `object_path` `result` `src` `status` `user_name`	`EventDescription` `signature`	`direction` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`	WmiEventConsumerToFilter activity detected, WmiEventConsumerToFilter activity detected	WmiEvent (WmiEventConsumerToFilter activity detected),WmiEvent (WmiEventConsumerToFilter activity detected)
`XmlWinEventLog`	22	`answer_count` `query_count` `src`	`EventDescription` `signature`	`app` `direction` `dvc` `parent_process_exec` `parent_process_name` `process_id` `process_path` `record` `session_id` `user_id`	DNS Query, DNS Query	DNSEvent (DNS query), DNSEvent (DNS query)
`XmlWinEventLog`	23	`action` `dest` `eventtype` `file_hash` `file_modify_time` `object_category` `tag` `tag::eventtype` `tag::object_category`	`process_exec` `EventDescription` `process_name` `signature`	`app` `direction` `dvc` `hashes` `parent_process_exec` `parent_process_name` `process_hash` `session_id` `user_id`	,Unknown,, Unknown	splunk-winevtlog.exe, FileDelete (File Delete archived), splunk-winevtlog.exe, FileDelete (File Delete archived)
`XmlWinEventLog`	24	`SrcHost` `action` `dest` `eventtype` `os` `src_host` `tag` `tag::eventtype` `user`	`process_exec` `EventDescription` `process_name` `signature`	`app` `direction` `hashes` `parent_process_exec` `parent_process_name` `session_id` `user_id`	,Unknown,, Unknown	rdpclip.exe, ClipboardChange (New content in the clipboard), rdpclip.exe, ClipboardChange (New content in the clipboard)
`XmlWinEventLog`	25	`action` `dest` `eventtype` `os` `result` `tag` `tag::eventtype`	`EventDescription` `signature`	`app` `direction` `dvc` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `session_id` `user_id`	Unknown, Unknown	ProcessTampering (Process image change), ProcessTampering (Process image change)
`XmlWinEventLog`	26	`action` `dest` `eventtype` `file_access_time` `file_hash` `file_modify_time` `object_category` `tag` `tag::eventtype` `tag::object_category`	`process_exec` `EventDescription` `process_name` `signature`	`app` `direction` `hashes` `parent_process_exec` `parent_process_name` `process_hash` `session_id` `user_id`	, Unknown,, Unknown	chrome.exe, FileDeleteDetected (File Delete logged), chrome.exe, FileDeleteDetected (File Delete logged)
`XmlWinEventLog`	255	`description` `dest` `process_id` `result` `service` `service_name` `status`	`tag::eventtype` `eventtype` `tag`	`direction` `parent_process_exec` `parent_process_name` `process_exec` `process_name` `user_id`		service report, ms-sysmon-service, service report

CIM model comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Source	EventID	Previous CIM model	New CIM model
`XmlWinEventLog`	1, 10, 15, 17, 18, 19, 20, 21, 22, 5, 6, 8, 9
`XmlWinEventLog`	11, 12, 13, 14, 2	Change
`XmlWinEventLog`	3	Endpoint
`XmlWinEventLog`	16, 255, 4		Endpoint
`XmlWinEventLog`	23, 26		Endpoint
`XmlWinEventLog`	24, 25, 7		Endpoint

Related answers from Splunk Community

Sysmon product comparisons

Field mapping comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

CIM model comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Comments

Sysmon product comparisons

Was this topic useful?