Release notes for the Splunk Add-on for Sysmon
Version 3.0.0 of the Splunk Add-on for Sysmon was released on May 30, 2022.
Version 3.0.0 of the Splunk Add-on for Sysmon is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 8.1, 8.2 and later |
| CIM | 5.0 and later |
| Supported OS for data collection | Platform independent |
| Vendor products | Microsoft Sysmon version 13.33 |
Splunk Add-on for Sysmon field mapping changes
See the following sections for information on the differences between version 2.0.0 of the Splunk Add-on for Microsoft Sysmon and version 3.0.0 of the Splunk Add-on for Sysmon.
| Source type | EventID | Fields added | Fields removed |
| | 8, 25, 22, 5, 15, 14, 11, 4, 2, 1, 7, 16, 6, 18, 23, 9, 12, 17 | dvc | |
The dvc field is now defined for all Sysmon events. The field value shows where an event was generated. The host field is mapped at search time to show the machine that generated the event. This is consistent with the Windows TA.
Version 3.0.0 of the Splunk Add-on for Sysmon contains the following new and changed features:
Support for WEF/WEC architecture. WEF/WEC events can be found by adding the following to the search string:
sourcetype=XmlWinEventLog:WEC-Sysmon
If direct Sysmon events have to be found, the following search string can be used:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
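The following search is an added example, not part of the Splunk documentation or the add-on itself, for verifying the field mapping change above after upgrading to 3.0.0: it covers both ingestion paths (direct Sysmon and WEF/WEC), restricts to the event IDs listed in the mapping table, and reports how many events lack dvc and how often dvc agrees with host. It assumes the Sysmon event ID is extracted as EventCode, the standard field name for XmlWinEventLog data.

```spl
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="XmlWinEventLog:WEC-Sysmon")
    EventCode IN (1, 2, 4, 5, 6, 7, 8, 9, 11, 12, 14, 15, 16, 17, 18, 22, 23, 25)
| eval dvc_missing=if(isnull(dvc), 1, 0)
| eval dvc_eq_host=if(dvc=host, 1, 0)
| stats count AS events
        sum(dvc_missing) AS events_without_dvc
        sum(dvc_eq_host)  AS events_where_dvc_matches_host
        BY sourcetype EventCode
| where events_without_dvc > 0 OR events_where_dvc_matches_host < events
```

Any row returned points at a source type and event ID where the 3.0.0 mapping is not taking effect (for example, an old add-on version still installed on a search head) or where the originating machine recorded in dvc differs from the search-time host value.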
Version 3.0.0 of the Splunk Add-on for Sysmon fixes the following issues, if any.
Version 3.0.0 of the Splunk Add-on for Sysmon has the following known issues, if any.
Third-party software attributions
Version 3.0.0 of the Splunk Add-on for Sysmon does not incorporate any third-party software or libraries.