Splunk® Supported Add-ons

Splunk Add-on for Sysmon

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Release notes for the Splunk Add-on for Sysmon

Version 4.0.0 of the Splunk Add-on for Sysmon was released on November 17, 2023.

Compatibility

Version 4.0.0 of the Splunk Add-on for Sysmon is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2, 9.1 and later
CIM 5.2 and later
Supported OS for data collection Platform independent
Vendor products Microsoft Sysmon version 15.0


Splunk Add-on for Sysmon field mapping changes

See the following sections for information on the differences between versions 3.1.0 of the Splunk Add-on for Sysmon and 4.0.0 of the Splunk Add-on for Sysmon

Source-type EventID Fields added Fields removed 3.1.0 extractions 4.0.0 extractions Comments
['xmlwineventlog'] 4
process_guid
process_id
['xmlwineventlog'] 7
loaded_file_path A new field 'loaded_file_path' maps the original path of the file or module loaded by the process for events 7
original_file_name A new CIM field 'original_file_name' maps the original name of the file, not including path, for event 7.
process_id
process_guid
parent_process_exec
parent_process_id
parent_process_guid
parent_process_name
parent_process_path
['xmlwineventlog'] 16 file_path
['xmlwineventlog'] 27, 28
file_access_time
file_hash
file_modify_time
file_name
file_path
['xmlwineventlog'] 29
action
dest
file_access_time
file_create_time
file_hash
file_name
file_path
process_guid
process_id
user
vendor_product
dvc
signature
signature_id

The dvc field is defined for all Sysmon events. The field value shows where an event was generated. The host field is mapped at search time to show the machine that generated the event. This is consistent with the Windows TA.

New features

Version 4.0.0 of the Splunk Add-on for Sysmon contains the following new and changed features:

  • Event ID 29: FileExecutableDetected. This event is generated when Sysmon detects the creation of a new executable file (PE format).

See the following table for CIM model mapping of the new events:

Source EventID CIM model
XmlWinEventLog 29 Endpoint:Filesystem

Fixed issues

Version 4.0.0 of the Splunk Add-on for Sysmon fixes the following, if any, issues.


Date filed Issue number Description
2022-11-16 ADDON-58325 Correction of CIM mapping: New Sysmon TA does not map EventCode 7 Correctly
2022-07-25 ADDON-63579 Splunk Add-on for Sysmon DestinationHostname field extraction problem
2022-07-19 ADDON-63507 Splunk Add-on for Sysmon Rule field extraction problem
2022-11-15 ADDON-58175 Update sysmon event IDs 7 and 8
2022-08-24 ADDON-55193 Fix action field on event ID 12 of windows sysmon
2022-08-24 ADDON-55192 Add non DM field for file path on windows sysmon

Known issues

Version 4.0.0 of the Splunk Add-on for Sysmon has the following, if any, known issues.


Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Sysmon does not incorporate any third-party software or libraries.

Last modified on 04 December, 2023
PREVIOUS
Source types for the Splunk Add-on for Sysmon
  NEXT
Release history for the Splunk Add-on for Sysmon

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters