Splunk® Supported Add-ons

Splunk Add-on for Sysmon

Sysmon product comparisons

The following sections describe the differences between versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon:

Field mapping comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Version 1.0.1 of the Splunk Add-on for Sysmon introduces field mapping changes to the XmlWinEventLog sourcetype. See the following table for information in field changes between version 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Source type EventCode Fields added Fields modified Fields removed 10.6.2 extractions 1.0.1 extractions
XmlWinEventLog 1 original_file_name

os

signature

EventDescription

app

cmdline direction dvc hashes session_id user_id

Process Create, Process Create Process creation, Process creation
XmlWinEventLog 2 action

dest file_modify_time

signature

EventDescription tag::eventtype tag

app

direction dvc session_id user_id

File Create Time, File Create Time, change endpoint filesystem, change endpoint filesystem A process changed a file creation time, A process changed a file creation time, endpoint filesystem, endpoint filesystem
XmlWinEventLog 3 action

dvc_ip protocol_version transport_dest_port

signature

protocol dest state EventDescription tag tag::eventtype

dest_host

process_path session_id user_id

Network Connect, https, -, listening, Network Connect, listening port communicate network, listening port communicate network Network connection, ip, 52.46.216.120, estabished, Network connection, communicate network, communicate network
XmlWinEventLog 4 description

dest eventtype service service_name status tag tag::eventtype

signature

EventDescription

direction

dvc parent_process_exec parent_process_name process_exec process_name user_id

Sysmon Start, Sysmon Start Sysmon service state changed, Sysmon service state changed
XmlWinEventLog 5 action

dest os process

signature

EventDescription

app

direction dvc session_id user_id

Process Terminate, Process Terminate Process terminated, Process terminated
XmlWinEventLog 6 action

dest os process_path service_signature_exists service_signature_verified

signature direction

dvc hashes parent_process_exec parent_process_name process_exec process_name user_id

Driver Load Driver loaded
XmlWinEventLog 7 action

dest eventtype os parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path service_dll_signature_exists service_dll_signature_verified tag tag::action tag::eventtype

signature

process_exec EventDescription process_path process_name

app

direction dvc hashes process_guid process_id session_id user_id

Image Load, unsecapp.exe, Image Load, C:\Windows\System32\wbem\unsecapp.exe, unsecapp.exe Image loaded, oleaut32.dll, Image loaded, C:\Windows\System32\oleaut32.dll, oleaut32.dll
XmlWinEventLog 8 action

dest os parent_process_guid parent_process_id parent_process_path process_guid process_id process_path src_address src_function src_module

signature

process_name parent_process_name EventDescription parent_process_exec process_exec

direction

dvc user_id

Create Remote Thread, csrss.exe, , Create Remote Thread, csrss.exe CreateRemoteThread, splunkd.exe, csrss.exe, CreateRemoteThread, csrss.exe, splunkd.exe
XmlWinEventLog 9 action

dest os

signature

EventDescription

app

direction dvc session_id user_id

Raw Access Read, Raw Access Read RawAccessRead, RawAccessRead
XmlWinEventLog 10 action

dest granted_access os parent_process_guid parent_process_id parent_process_path process_guid process_id process_path

process_exec

parent_process_exec EventDescription parent_process_name process_name signature

direction

user_id

svchost.exe,, Process Access,, svchost.exe, Process Access MsMpEng.exe, svchost.exe, ProcessAccess, svchost.exe, MsMpEng.exe, ProcessAccess
XmlWinEventLog 11 action tag::eventtype

tag EventDescription signature

app

direction dvc session_id user_id

change endpoint filesystem, change endpoint filesystem, File Created, File Created endpoint filesystem, endpoint filesystem, FileCreate, FileCreate
XmlWinEventLog 12 registry_hive

status

tag::eventtype

tag,registry_key_name EventDescription signature

app

direction dvc object session_id user_id

change endpoint registry, change endpoint registry, Parameters, Registry object added or deleted, Registry object added or deleted endpoint registry, endpoint registry, HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, RegistryEvent (Object create and delete), RegistryEvent (Object create and delete)
XmlWinEventLog 13 RegistryValueData

registry_hive registry_value_data registry_value_type status

tag::eventtype

tag registry_key_name EventDescription registry_value_name signature

app

direction object session_id user_id

change endpoint registry, change endpoint registry, SecureTimeHigh, Registry value set, QWORD (0x01d76449-0xb4beb640), Registry value set endpoint registry, endpoint registry, HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits, RegistryEvent (Value Set), SecureTimeHigh, RegistryEvent (Value Set)
XmlWinEventLog 14 action

registry_hive status

tag::eventtype

tag registry_key_name EventDescription signature

app

direction dvc object session_id user_id

change endpoint registry, change endpoint registry, test1, Registry object renamed, Registry object renamed endpoint registry, endpoint registry, HKU\S-1-5-21-2763475848-2734699699-1333640867-1011\test1, RegistryEvent (Key and Value Rename). RegistryEvent (Key and Value Rename)
XmlWinEventLog 15 action

dest file_hash http_referrer http_referrer_domain os uri_path url url_domain

file_path

EventDescription file_name signature

app

direction dvc session_id user_id

C:\Users\splunker\Downloads\Sublime Text Build 3211 x64 Setup.exe:Zone.Identifier, File stream created, Sublime Text Build 3211 x64 Setup.exe:Zone.Identifier, File stream created C:\Users\splunker\Downloads\Sublime Text Build 3211 x64 Setup.exe, FileCreateStreamHash, Sublime Text Build 3211 x64 Setup.exe, FileCreateStreamHash
XmlWinEventLog 16 description

dest eventtype process_id service service_name status tag tag::eventtype

EventDescription

signature

direction

dvc parent_process_exec parent_process_name process_exec process_name user_id

Sysmon Configuration Changed, Sysmon Configuration Changed ServiceConfigurationChange, ServiceConfigurationChange
XmlWinEventLog 17 action

dest os pipe_name

EventDescription

signature

app

direction dvc session_id user_id

Pipe Created, Pipe Created PipeEvent (Pipe Created), PipeEvent (Pipe Created)
XmlWinEventLog 18 action

dest os pipe_name

EventDescription

signature

app

direction dvc session_id user_id

Pipe Connected, Pipe Connected PipeEvent (Pipe Connected), PipeEvent (Pipe Connected)
XmlWinEventLog 19 action

change_type dest result src status user_name

EventDescription

signature

direction

parent_process_exec parent_process_name process_exec process_name user_id

WmiEventFilter activity detected, WmiEventFilter activity detected WmiEvent (WmiEventFilter activity detected), WmiEvent (WmiEventFilter activity detected)
XmlWinEventLog 20 action

change_type dest object object_path src status user_name

EventDescription

signature

direction

parent_process_exec parent_process_name process_exec process_name user_id

WmiEventConsumer activity detected, WmiEventConsumer activity detected WmiEvent (WmiEventConsumer activity detected), WmiEvent (WmiEventConsumer activity detected)
XmlWinEventLog 21 action

change_type dest object object_attrs object_path result src status user_name

EventDescription

signature

direction

parent_process_exec parent_process_name process_exec process_name user_id

WmiEventConsumerToFilter activity detected, WmiEventConsumerToFilter activity detected WmiEvent (WmiEventConsumerToFilter activity detected),WmiEvent (WmiEventConsumerToFilter activity detected)
XmlWinEventLog 22 answer_count

query_count src

EventDescription

signature

app

direction dvc parent_process_exec parent_process_name process_id process_path record session_id user_id

DNS Query, DNS Query DNSEvent (DNS query), DNSEvent (DNS query)
XmlWinEventLog 23 action

dest eventtype file_hash file_modify_time object_category tag tag::eventtype tag::object_category

process_exec

EventDescription process_name signature

app

direction dvc hashes parent_process_exec parent_process_name process_hash session_id user_id

,Unknown,, Unknown splunk-winevtlog.exe, FileDelete (File Delete archived), splunk-winevtlog.exe, FileDelete (File Delete archived)
XmlWinEventLog 24 SrcHost

action dest eventtype os src_host tag tag::eventtype user

process_exec

EventDescription process_name signature

app

direction hashes parent_process_exec parent_process_name session_id user_id

,Unknown,, Unknown rdpclip.exe, ClipboardChange (New content in the clipboard), rdpclip.exe, ClipboardChange (New content in the clipboard)
XmlWinEventLog 25 action

dest eventtype os result tag tag::eventtype

EventDescription

signature

app

direction dvc parent_process_exec parent_process_name process_exec process_name session_id user_id

Unknown, Unknown ProcessTampering (Process image change), ProcessTampering (Process image change)
XmlWinEventLog 26 action

dest eventtype file_access_time file_hash file_modify_time object_category tag tag::eventtype tag::object_category

process_exec

EventDescription process_name signature

app

direction hashes parent_process_exec parent_process_name process_hash session_id user_id

, Unknown,, Unknown chrome.exe, FileDeleteDetected (File Delete logged), chrome.exe, FileDeleteDetected (File Delete logged)
XmlWinEventLog 255 description

dest process_id result service service_name status

tag::eventtype

eventtype tag

direction

parent_process_exec parent_process_name process_exec process_name user_id

service report, ms-sysmon-service, service report

CIM model comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon

Source EventID Previous CIM model New CIM model
XmlWinEventLog 1, 10, 15, 17, 18, 19, 20, 21, 22, 5, 6, 8, 9
XmlWinEventLog 11, 12, 13, 14, 2 Change
XmlWinEventLog 3 Endpoint
XmlWinEventLog 16, 255, 4 Endpoint
XmlWinEventLog 23, 26 Endpoint
XmlWinEventLog 24, 25, 7 Endpoint
Last modified on 21 June, 2024
Lookups for the Splunk Add-on for Sysmon   Source types for the Splunk Add-on for Sysmon

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters