Lookups for the Splunk Add-on for Sysmon
The Splunk Add-on for Sysmon ships the following lookups, which map fields
from Sysmon events to Common Information Model (CIM)-compliant values in the
Splunk software. The lookup files are located in
$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-sysmon/lookups.
| Filename | Description |
|---|---|
| microsoft_sysmon_eventcode.csv | Maps EventCode to EventDescription. For more information, see the Microsoft Sysmon documentation. |
| microsoft_sysmon_record_type.csv | Maps record_type to record_type_name (DNS resource record type, see RFC 6895 and RFC 1035). |
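To show how these two lookups are applied at search time, the following added example (not code from the Splunk add-on) loads two constructed CSV snippets in the same two-column layout as the lookup files above and enriches a few constructed Sysmon events with the CIM-style output fields. The column names come from the mappings in the table; the row contents and the sample events are constructed for illustration and are not a copy of the shipped files. An event whose EventCode or record_type is absent from the lookup is passed through unmapped rather than dropped, which is the behaviour a detection pipeline wants when a new Sysmon event type or DNS record type appears.

```python
import csv
import io

# Constructed lookup contents (same column layout as the add-on's lookup files;
# values are an illustrative subset, not the shipped data).
EVENTCODE_CSV = """EventCode,EventDescription
1,Process Create
3,Network connection detected
22,DNS query
"""

RECORD_TYPE_CSV = """record_type,record_type_name
1,A
5,CNAME
16,TXT
28,AAAA
"""


def load_lookup(csv_text, key_field, value_field):
    """Parse a two-column lookup CSV into a dict keyed by the input field."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[key_field].strip(): row[value_field].strip() for row in reader}


# Input field -> (lookup table, output field), mirroring the two lookups above.
LOOKUPS = {
    "EventCode": (
        load_lookup(EVENTCODE_CSV, "EventCode", "EventDescription"),
        "EventDescription",
    ),
    "record_type": (
        load_lookup(RECORD_TYPE_CSV, "record_type", "record_type_name"),
        "record_type_name",
    ),
}


def enrich(event, lookups=LOOKUPS):
    """Return a copy of the event with each matching lookup's output field added.

    Values are compared as strings because Splunk lookup files store them as
    text. Unknown keys are left unmapped so the event still flows downstream.
    """
    out = dict(event)
    for key_field, (table, value_field) in lookups.items():
        if key_field in out:
            mapped = table.get(str(out[key_field]))
            if mapped is not None:
                out[value_field] = mapped
    return out


# Constructed sample events (assumed field names: EventCode, Image, record_type, QueryName).
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 22, "QueryName": "example.com", "record_type": 28},
    {"EventCode": 255, "Image": "C:\\unknown.exe"},      # not in the lookup
    {"EventCode": 22, "QueryName": "example.org", "record_type": 999},  # unknown record type
]


def enrich_all(events, lookups=LOOKUPS):
    """Apply the lookups to every event in order."""
    return [enrich(e, lookups) for e in events]


if __name__ == "__main__":
    for e in enrich_all(SAMPLE_EVENTS):
        print(e)
```

The same idea in SPL is the `lookup` command with the input field as the join key and the output field as the CIM-compliant result; the add-on wires that up automatically, so this script is only a stand-alone illustration of what the mapping does.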