Sysmon product comparisons
The following sections describe the differences between version 10.6.2 of the Splunk Add-on for Microsoft Sysmon and version 1.0.1 of the Splunk Add-on for Sysmon:
Field mapping comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon
Version 1.0.1 of the Splunk Add-on for Sysmon introduces field mapping changes to the XmlWinEventLog sourcetype. See the following table for information on the field changes between version 10.6.2 of the Splunk Add-on for Microsoft Sysmon and version 1.0.1 of the Splunk Add-on for Sysmon.
| Source type | EventCode | Fields added | Fields modified | Fields removed | 10.6.2 extractions | 1.0.1 extractions |
|---|---|---|---|---|---|---|
| XmlWinEventLog | 1 | original_file_name os | signature EventDescription | app cmdline direction dvc hashes session_id user_id | Process Create, Process Create | Process creation, Process creation |
| XmlWinEventLog | 2 | action dest file_modify_time | signature EventDescription tag::eventtype tag | app direction dvc session_id user_id | File Create Time, File Create Time, change endpoint filesystem, change endpoint filesystem | A process changed a file creation time, A process changed a file creation time, endpoint filesystem, endpoint filesystem |
| XmlWinEventLog | 3 | action dvc_ip protocol_version transport_dest_port | signature protocol dest state EventDescription tag tag::eventtype | dest_host process_path session_id user_id | Network Connect, https, -, listening, Network Connect, listening port communicate network, listening port communicate network | Network connection, ip, 52.46.216.120, estabished, Network connection, communicate network, communicate network |
| XmlWinEventLog | 4 | description dest eventtype service service_name status tag tag::eventtype | signature EventDescription | direction dvc parent_process_exec parent_process_name process_exec process_name user_id | Sysmon Start, Sysmon Start | Sysmon service state changed, Sysmon service state changed |
| XmlWinEventLog | 5 | action dest os process | signature EventDescription | app direction dvc session_id user_id | Process Terminate, Process Terminate | Process terminated, Process terminated |
| XmlWinEventLog | 6 | action dest os process_path service_signature_exists service_signature_verified | signature | direction dvc hashes parent_process_exec parent_process_name process_exec process_name user_id | Driver Load | Driver loaded |
| XmlWinEventLog | 7 | action dest eventtype os parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path service_dll_signature_exists service_dll_signature_verified tag tag::action tag::eventtype | signature process_exec EventDescription process_path process_name | app direction dvc hashes process_guid process_id session_id user_id | Image Load, unsecapp.exe, Image Load, C:\Windows\System32\wbem\unsecapp.exe, unsecapp.exe | Image loaded, oleaut32.dll, Image loaded, C:\Windows\System32\oleaut32.dll, oleaut32.dll |
| XmlWinEventLog | 8 | action dest os parent_process_guid parent_process_id parent_process_path process_guid process_id process_path src_address src_function src_module | signature process_name parent_process_name EventDescription parent_process_exec process_exec | direction dvc user_id | Create Remote Thread, csrss.exe, , Create Remote Thread, csrss.exe | CreateRemoteThread, splunkd.exe, csrss.exe, CreateRemoteThread, csrss.exe, splunkd.exe |
| XmlWinEventLog | 9 | action dest os | signature EventDescription | app direction dvc session_id user_id | Raw Access Read, Raw Access Read | RawAccessRead, RawAccessRead |
| XmlWinEventLog | 10 | action dest granted_access os parent_process_guid parent_process_id parent_process_path process_guid process_id process_path | process_exec parent_process_exec EventDescription parent_process_name process_name signature | direction user_id | svchost.exe, , Process Access, , svchost.exe, Process Access | MsMpEng.exe, svchost.exe, ProcessAccess, svchost.exe, MsMpEng.exe, ProcessAccess |
| XmlWinEventLog | 11 | action | tag::eventtype tag EventDescription signature | app direction dvc session_id user_id | change endpoint filesystem, change endpoint filesystem, File Created, File Created | endpoint filesystem, endpoint filesystem, FileCreate, FileCreate |
| XmlWinEventLog | 12 | registry_hive status | tag::eventtype tag registry_key_name EventDescription signature | app direction dvc object session_id user_id | change endpoint registry, change endpoint registry, Parameters, Registry object added or deleted, Registry object added or deleted | endpoint registry, endpoint registry, HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, RegistryEvent (Object create and delete), RegistryEvent (Object create and delete) |
| XmlWinEventLog | 13 | RegistryValueData registry_hive registry_value_data registry_value_type status | tag::eventtype tag registry_key_name EventDescription registry_value_name signature | app direction object session_id user_id | change endpoint registry, change endpoint registry, SecureTimeHigh, Registry value set, QWORD (0x01d76449-0xb4beb640), Registry value set | endpoint registry, endpoint registry, HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits, RegistryEvent (Value Set), SecureTimeHigh, RegistryEvent (Value Set) |
| XmlWinEventLog | 14 | action registry_hive status | tag::eventtype tag registry_key_name EventDescription signature | app direction dvc object session_id user_id | change endpoint registry, change endpoint registry, test1, Registry object renamed, Registry object renamed | endpoint registry, endpoint registry, HKU\S-1-5-21-2763475848-2734699699-1333640867-1011\test1, RegistryEvent (Key and Value Rename), RegistryEvent (Key and Value Rename) |
| XmlWinEventLog | 15 | action dest file_hash http_referrer http_referrer_domain os uri_path url url_domain | file_path EventDescription file_name signature | app direction dvc session_id user_id | C:\Users\splunker\Downloads\Sublime Text Build 3211 x64 Setup.exe:Zone.Identifier, File stream created, Sublime Text Build 3211 x64 Setup.exe:Zone.Identifier, File stream created | C:\Users\splunker\Downloads\Sublime Text Build 3211 x64 Setup.exe, FileCreateStreamHash, Sublime Text Build 3211 x64 Setup.exe, FileCreateStreamHash |
| XmlWinEventLog | 16 | description dest eventtype process_id service service_name status tag tag::eventtype | EventDescription signature | direction dvc parent_process_exec parent_process_name process_exec process_name user_id | Sysmon Configuration Changed, Sysmon Configuration Changed | ServiceConfigurationChange, ServiceConfigurationChange |
| XmlWinEventLog | 17 | action dest os pipe_name | EventDescription signature | app direction dvc session_id user_id | Pipe Created, Pipe Created | PipeEvent (Pipe Created), PipeEvent (Pipe Created) |
| XmlWinEventLog | 18 | action dest os pipe_name | EventDescription signature | app direction dvc session_id user_id | Pipe Connected, Pipe Connected | PipeEvent (Pipe Connected), PipeEvent (Pipe Connected) |
| XmlWinEventLog | 19 | action change_type dest result src status user_name | EventDescription signature | direction parent_process_exec parent_process_name process_exec process_name user_id | WmiEventFilter activity detected, WmiEventFilter activity detected | WmiEvent (WmiEventFilter activity detected), WmiEvent (WmiEventFilter activity detected) |
| XmlWinEventLog | 20 | action change_type dest object object_path src status user_name | EventDescription signature | direction parent_process_exec parent_process_name process_exec process_name user_id | WmiEventConsumer activity detected, WmiEventConsumer activity detected | WmiEvent (WmiEventConsumer activity detected), WmiEvent (WmiEventConsumer activity detected) |
| XmlWinEventLog | 21 | action change_type dest object object_attrs object_path result src status user_name | EventDescription signature | direction parent_process_exec parent_process_name process_exec process_name user_id | WmiEventConsumerToFilter activity detected, WmiEventConsumerToFilter activity detected | WmiEvent (WmiEventConsumerToFilter activity detected), WmiEvent (WmiEventConsumerToFilter activity detected) |
| XmlWinEventLog | 22 | answer_count query_count src | EventDescription signature | app direction dvc parent_process_exec parent_process_name process_id process_path record session_id user_id | DNS Query, DNS Query | DNSEvent (DNS query), DNSEvent (DNS query) |
| XmlWinEventLog | 23 | action dest eventtype file_hash file_modify_time object_category tag tag::eventtype tag::object_category | process_exec EventDescription process_name signature | app direction dvc hashes parent_process_exec parent_process_name process_hash session_id user_id | , Unknown, , Unknown | splunk-winevtlog.exe, FileDelete (File Delete archived), splunk-winevtlog.exe, FileDelete (File Delete archived) |
| XmlWinEventLog | 24 | SrcHost action dest eventtype os src_host tag tag::eventtype user | process_exec EventDescription process_name signature | app direction hashes parent_process_exec parent_process_name session_id user_id | , Unknown, , Unknown | rdpclip.exe, ClipboardChange (New content in the clipboard), rdpclip.exe, ClipboardChange (New content in the clipboard) |
| XmlWinEventLog | 25 | action dest eventtype os result tag tag::eventtype | EventDescription signature | app direction dvc parent_process_exec parent_process_name process_exec process_name session_id user_id | Unknown, Unknown | ProcessTampering (Process image change), ProcessTampering (Process image change) |
| XmlWinEventLog | 26 | action dest eventtype file_access_time file_hash file_modify_time object_category tag tag::eventtype tag::object_category | process_exec EventDescription process_name signature | app direction hashes parent_process_exec parent_process_name process_hash session_id user_id | , Unknown, , Unknown | chrome.exe, FileDeleteDetected (File Delete logged), chrome.exe, FileDeleteDetected (File Delete logged) |
| XmlWinEventLog | 255 | description dest process_id result service service_name status | tag::eventtype eventtype tag | direction parent_process_exec parent_process_name process_exec process_name user_id | service report, ms-sysmon-service, service report | |
CIM model comparison for versions 10.6.2 of the Splunk Add-on for Microsoft Sysmon and 1.0.1 of the Splunk Add-on for Sysmon
| Source | EventID | Previous CIM model | New CIM model |
|---|---|---|---|
| XmlWinEventLog | 1, 10, 15, 17, 18, 19, 20, 21, 22, 5, 6, 8, 9 | | |
| XmlWinEventLog | 11, 12, 13, 14, 2 | Change | |
| XmlWinEventLog | 3 | Endpoint | |
| XmlWinEventLog | 16, 255, 4 | Endpoint | |
| XmlWinEventLog | 23, 26 | Endpoint | |
| XmlWinEventLog | 24, 25, 7 | Endpoint | |