Related Answers
Download topic as PDF
Release notes for the Splunk Add-on for Sysmon
Version 3.1.0 of the Splunk Add-on for Sysmon was released on January 2023.
Compatibility
Version 3.1.0 of the Splunk Add-on for Sysmon is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 8.1, 8.2 and later |
| CIM | 5.0 and later |
| Supported OS for data collection | Platform independent |
| Vendor products | Microsoft Sysmon version 13.33 |
Splunk Add-on for Sysmon field mapping changes
See the following sections for information on the differences between versions 2.0.0 of the Splunk Add-on for Microsoft Sysmon and 3.0.0 of the Splunk Add-on for Sysmon
| Source-type | EventID | Fields added | Fields removed | 3.0.0 extractions | 3.1.0 extractions | Comments |
|---|---|---|---|---|---|---|
['xmlwineventlog']
|
7,8 | loaded_file | A new CIM field 'loaded_file' maps the file or module loaded by the process for events 7 and 8. | |||
['xmlwineventlog']
|
27, 28 | |||||
process_id
|
||||||
process_path
|
||||||
process_exec
|
||||||
eventtype
|
||||||
process
|
||||||
os
|
||||||
action
|
||||||
tag::eventtype
|
||||||
process_hash
|
||||||
process_guid
|
||||||
dest
|
||||||
process_name
|
||||||
user
|
||||||
vendor_product
|
||||||
['xmlwineventlog']
|
src='-' | In 3.0.0, if src extracts to '-', then the extraction is visible. In 3.1.0, we are ignoring this extraction if src only extracts '-'. | ||||
['xmlwineventlog']
|
3, 24 | src_host='-' | In 3.0.0, if user_host extracts to '-', then the extraction is visible. In 3.1.0, we are ignoring this extraction if user_host only extracts '-'. | |||
['xmlwineventlog']
|
user = '-' | In 3.0.0, if user extracts to '-', then the extraction is visible. In 3.1.0, we are ignoring this extraction if user only extracts '-'. |
The dvc field is now defined for all Sysmon events. The field value shows where an event was generated The host field is mapped at search time to show the machine that generated the event. This is consistent with the Windows TA.
New features
Version 3.1.0 of the Splunk Add-on for Sysmon contains the following new and changed features:
- Sysmon could only log system action before Sysmon version 14. Version 14 introduced the following two new events:
- Event ID 27: FileBlockExecutable. This event is generated when Sysmon detects and blocks the creation of executable files. Define rules in the Sysmon config file so Sysmon can match blocks with the activity action. This feature can be used to block certain programs the crease malicious disk files. Test the configuration files intensively before using it in Production Systems.
- Event ID 28: FileBlockShredding. This event is generated when Sysmon detects and blocks file shredding from tools such as SDelete. Event 28 is also a block event, so some of the rules might cause issues on their System. Testing the configuration files should be performed intensively before deploying it in Production Systems.
See the following table for CIM model mapping of the new events:
| Source | EventID | CIM model |
|---|---|---|
| XmlWinEventLog | 27 | Endpoint |
| XmlWinEventLog | 28 | Endpoint |
Fixed issues
Version 3.1.0 of the Splunk Add-on for Sysmon fixes the following, if any, issues.
Known issues
Version 3.1.0 of the Splunk Add-on for Sysmon has the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2022-11-16 | ADDON-58325 | Correction of CIM mapping: New Sysmon TA does not map EventCode 7 Correctly |
| 2022-11-16 | ADDON-58323 | Correction of CIM mapping: New Sysmon TA does not map EventCode 8 Correctly |
Third-party software attributions
Version 3.1.0 of the Splunk Add-on for Sysmon does not incorporate any third-party software or libraries.
|
PREVIOUS Source types for the Splunk Add-on for Sysmon |
NEXT Release history for the Splunk Add-on for Sysmon |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!