Release notes for the Splunk Add-on for Sysmon
Version 4.0.1 of the Splunk Add-on for Sysmon was released on June 5, 2024.
Compatibility
Version 4.0.0 of the Splunk Add-on for Sysmon is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2, 9.1 and later |
CIM | 5.2 and later |
Supported OS for data collection | Platform independent |
Vendor products | Microsoft Sysmon version 15.0 |
Splunk Add-on for Sysmon field mapping changes
See the following sections for information on the differences between version 3.1.0 and versions 4.0.0 and 4.0.1 of the Splunk Add-on for Sysmon.
Source-type | EventID | Field | Comments |
---|---|---|---|
['xmlwineventlog'] | 4 | process_guid | |
 | | process_id | |
['xmlwineventlog'] | 7 | loaded_file_path | A new field 'loaded_file_path' maps the original path of the file or module loaded by the process for event 7. |
 | | original_file_name | A new CIM field 'original_file_name' maps the original name of the file, not including path, for event 7. |
 | | process_id | |
 | | process_guid | |
 | | parent_process_exec | |
 | | parent_process_id | |
 | | parent_process_guid | |
 | | parent_process_name | |
 | | parent_process_path | |
['xmlwineventlog'] | 16 | file_path | |
['xmlwineventlog'] | 27, 28 | file_access_time | |
 | | file_hash | |
 | | file_modify_time | |
 | | file_name | |
 | | file_path | |
['xmlwineventlog'] | 29 | action | |
 | | dest | |
 | | file_access_time | |
 | | file_create_time | |
 | | file_hash | |
 | | file_name | |
 | | file_path | |
 | | process_guid | |
 | | process_id | |
 | | user | |
 | | vendor_product | |
 | | dvc | |
 | | signature | |
 | | signature_id | The dvc field is defined for all Sysmon events. The field value shows where an event was generated. The host field is mapped at search time to show the machine that generated the event. This is consistent with the Windows TA. |
New features
Version 4.0.1 fixes known issues. See the Known Issues section of this topic for more information.
Fixed issues
Version 4.0.1 of the Splunk Add-on for Sysmon fixes the following, if any, issues.
Date filed | Issue number | Description |
---|---|---|
 | ADDON-70336 | Automatic lookup applied to incorrect sources. |
Known issues
Version 4.0.1 of the Splunk Add-on for Sysmon has the following, if any, known issues.
Third-party software attributions
Version 4.0.1 of the Splunk Add-on for Sysmon does not incorporate any third-party software or libraries.
This documentation applies to the following versions of Splunk® Supported Add-ons: released