Having issues with Splunk Add-on for Sysmon: CIM Mapping

OliverE
Engager

Hi there

We use Enterprise Security and one of our most valuable data sources is Sysmon. We rely on it primarily for process start and network/dns events. We previously used the index to write correlation searches for our security use cases. Of course it makes much more sense to instead use the data models which is what we are now trying to do.

If we look at the https://docs.splunk.com/Documentation/CIM/5.0.2/User/Endpoint data model for processes and the fields available there, it seems obvious that this is meant for "process start" events. The "action" field refers to default values such as allowed, blocked, and deferred and there is no other field to differentiate process events of different types. How would I make a distinction between process termination and process execution for example? It seems you can't.

As mentioned in the subject, we use the official Splunk Add-on for Sysmon and are frankly a bit confused by how the Sysmon events have been mapped. The app maps the Sysmon Event IDs 1, 5, 6, 7, 8, 9, 10, 15, 17, 18, 24, 25 into Processes. This includes, among others, "FileCreateStreamHash", "PipeEvent" and "ClipboardChange". Now sure, these are actions executed by processes, but what isn't? These and many other event IDs in the list are not only thematically questionable but also miss most of the fields available in the data model. Writing a search based on that data model mapping to find Sysmon process start events is impossible.

It also has other issues. We have the "CreateRemoteThread" event which maps the "SourceImage" into "process_path" AND "parent_process_path" which is just plain wrong. The parent process in that case was, as expected, another process entirely. That's one example among many.

So, do you use this App and if so how do you deal with these issues? We either have to manipulate the app to work in a way that makes sense or just ignore it and map everything ourselves.
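One way to deal with the problem described above without forking the add-on is a local override, shown here as an added example (not part of this thread and not code shipped with the Splunk Add-on for Sysmon). Endpoint.Processes is constrained by `tag=process tag=report`, so the approach is to tag only Sysmon Event ID 1 (process creation) with both tags and detach the add-on's broad eventtype from them. The sourcetype name and the placeholder `ADDON_PROCESS_EVENTTYPE` are assumptions; check them against the add-on's `default/eventtypes.conf` and `default/tags.conf` before use.

```ini
# Added example: restrict the Endpoint.Processes data model to Sysmon
# process-creation events (Event ID 1). Assumed sourcetype name; the
# add-on's real eventtype name must replace ADDON_PROCESS_EVENTTYPE.

# $SPLUNK_HOME/etc/apps/<your_local_app>/local/eventtypes.conf
[sysmon_process_start]
search = sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1

# $SPLUNK_HOME/etc/apps/<your_local_app>/local/tags.conf
# Endpoint.Processes is built from events carrying both tags,
# so only process-creation events will reach the model.
[eventtype=sysmon_process_start]
process = enabled
report = enabled

# Take the add-on's catch-all eventtype (IDs 1, 5, 6, 7, ...) out of the
# model so PipeEvent, ClipboardChange etc. no longer appear as "processes".
# A local "disabled" overrides the add-on's default "enabled".
[eventtype=ADDON_PROCESS_EVENTTYPE]
process = disabled
report = disabled
```

After a restart (or a debug/refresh), verify the result with `| from datamodel:Endpoint.Processes | stats count by EventCode`, which should return only EventCode 1. If the model is accelerated, disable and re-enable acceleration so the summaries are rebuilt under the new constraint; otherwise tstats-based correlation searches keep returning the old event mix. Events from the other IDs still reach their own models (for example network and DNS), since only the process/report tags on that one eventtype are changed.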

donutp
New Member

Did you ever find an answer to this? 

I'm relatively new to Splunk ES and I've been banging my head on this one thinking I've misunderstood things.

OliverE
Engager

Here is the link to the Splunk app: https://splunkbase.splunk.com/app/5709
