Splunk® Supported Add-ons

Splunk Add-on for Sysmon

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Release notes for the Splunk Add-on for Sysmon

Version 3.1.0 of the Splunk Add-on for Sysmon was released on January 2023.

Compatibility

Version 3.1.0 of the Splunk Add-on for Sysmon is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1, 8.2 and later
CIM 5.0 and later
Supported OS for data collection Platform independent
Vendor products Microsoft Sysmon version 13.33


Splunk Add-on for Sysmon field mapping changes

See the following sections for information on the differences between versions 2.0.0 of the Splunk Add-on for Microsoft Sysmon and 3.0.0 of the Splunk Add-on for Sysmon

Source-type EventID Fields added Fields removed 3.0.0 extractions 3.1.0 extractions Comments
['xmlwineventlog'] 7,8 loaded_file A new CIM field 'loaded_file' maps the file or module loaded by the process for events 7 and 8.
['xmlwineventlog'] 27, 28
process_id
process_path
process_exec
eventtype
process
os
action
tag::eventtype
process_hash
process_guid
dest
process_name
user
vendor_product
['xmlwineventlog'] src='-' In 3.0.0, if src extracts to '-', then the extraction is visible. In 3.1.0, we are ignoring this extraction if src only extracts '-'.
['xmlwineventlog'] 3, 24 src_host='-' In 3.0.0, if user_host extracts to '-', then the extraction is visible. In 3.1.0, we are ignoring this extraction if user_host only extracts '-'.
['xmlwineventlog'] user = '-' In 3.0.0, if user extracts to '-', then the extraction is visible. In 3.1.0, we are ignoring this extraction if user only extracts '-'.

The dvc field is now defined for all Sysmon events. The field value shows where an event was generated The host field is mapped at search time to show the machine that generated the event. This is consistent with the Windows TA.

New features

Version 3.1.0 of the Splunk Add-on for Sysmon contains the following new and changed features:

  • Sysmon could only log system action before Sysmon version 14. Version 14 introduced the following two new events:
    • Event ID 27: FileBlockExecutable. This event is generated when Sysmon detects and blocks the creation of executable files. Define rules in the Sysmon config file so Sysmon can match blocks with the activity action. This feature can be used to block certain programs the crease malicious disk files. Test the configuration files intensively before using it in Production Systems.
    • Event ID 28: FileBlockShredding. This event is generated when Sysmon detects and blocks file shredding from tools such as SDelete. Event 28 is also a block event, so some of the rules might cause issues on their System. Testing the configuration files should be performed intensively before deploying it in Production Systems.

See the following table for CIM model mapping of the new events:

Source EventID CIM model
XmlWinEventLog 27 Endpoint
XmlWinEventLog 28 Endpoint

Fixed issues

Version 3.1.0 of the Splunk Add-on for Sysmon fixes the following, if any, issues.


Known issues

Version 3.1.0 of the Splunk Add-on for Sysmon has the following, if any, known issues.

Date filed Issue number Description
2022-11-16 ADDON-58325 Correction of CIM mapping: New Sysmon TA does not map EventCode 7 Correctly
2022-11-16 ADDON-58323 Correction of CIM mapping: New Sysmon TA does not map EventCode 8 Correctly

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for Sysmon does not incorporate any third-party software or libraries.

Last modified on 03 February, 2023
PREVIOUS
Source types for the Splunk Add-on for Sysmon
  NEXT
Release history for the Splunk Add-on for Sysmon

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters