Hello All,
We upgraded the TA for Sysmon to support version 10 (precisely the latest version, 10.41) this week. Actually, the TA for v10 has been supported since June 2019.
https://github.com/splunk/TA-microsoft-sysmon
After the upgrade, we noticed inconsistency with field mapping. For instance, file_hash is unknown for file create events, which basically indicates it is not compliant with the Endpoint datamodel, etc. There was no issue with the previous TA; it worked well with Sysmon v9 and was fully compliant with the Endpoint DM. Due to the issue with field mapping, all Endpoint DM-related correlation searches stopped working. Can someone help on this please? Or do I have to fix anything to make it work? Your early response is very much appreciated. Thanks
Splunk CIM is up-to-date with version 4.14.0
https://splunkbase.splunk.com/app/1621/#/details
Enterprise Security version: 5.3.1
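The kind of check that helps pin down a field-mapping regression like the one described above, as an added example that is not part of the original thread and not the TA's own code: parse a few Sysmon XML events offline, apply a mapping to the CIM Endpoint.Filesystem field names (action, dest, file_hash, file_name, file_path, process_id), and report which fields come out empty per event ID. The two events are constructed samples; the mapping is an assumption about what a TA would do (the real TA's props/transforms should be read for the exact rules). One thing this makes visible is that Sysmon's event ID 11 (FileCreate) carries no hash field at all, while event ID 15 (FileCreateStreamHash) does, so an empty file_hash on ID 11 is a property of the source data, not necessarily of the TA.

```python
"""Offline audit of Sysmon XML events against CIM Endpoint.Filesystem fields.

Added example; not from the original thread or from TA-microsoft-sysmon.
The field mapping below is an assumption about how a TA maps Sysmon data.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# CIM Endpoint.Filesystem fields a data-model compliance check normally expects.
REQUIRED_FILESYSTEM_FIELDS = (
    "action", "dest", "file_hash", "file_name", "file_path", "process_id",
)

# Constructed sample events (trimmed to the fields used here; hash is a placeholder).
SAMPLE_EVENTS = [
    # Event ID 11 (FileCreate): Sysmon emits no hash field for this event.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>11</EventID><Computer>host01.example.local</Computer></System>
      <EventData>
        <Data Name="UtcTime">2019-11-01 10:00:00.000</Data>
        <Data Name="ProcessId">4242</Data>
        <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
        <Data Name="TargetFilename">C:\Users\alice\notes.txt</Data>
      </EventData>
    </Event>""",
    # Event ID 15 (FileCreateStreamHash): carries a single "Hash" field.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>15</EventID><Computer>host01.example.local</Computer></System>
      <EventData>
        <Data Name="UtcTime">2019-11-01 10:00:01.000</Data>
        <Data Name="ProcessId">4242</Data>
        <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
        <Data Name="TargetFilename">C:\Users\alice\notes.txt:Zone.Identifier</Data>
        <Data Name="Hash">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
      </EventData>
    </Event>""",
]


def _event_data(root):
    """Collect <Data Name="..."> children of <EventData> into a dict."""
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def to_cim_filesystem(event_xml):
    """Return (event_id, cim_fields) for one Sysmon XML event.

    Assumed mapping (not the TA's actual rules): Computer -> dest,
    TargetFilename -> file_path/file_name, ProcessId -> process_id,
    Hashes or Hash -> file_hash, and file-create IDs -> action "created".
    """
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    data = _event_data(root)
    target = data.get("TargetFilename", "")
    cim = {
        "dest": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "action": "created" if event_id in (11, 15) else "",
        "file_path": target,
        "file_name": ntpath.basename(target),
        "process_id": data.get("ProcessId", ""),
        # Sysmon uses "Hashes" on IDs 1/7 and "Hash" on ID 15; ID 11 has neither.
        "file_hash": data.get("Hashes") or data.get("Hash") or "",
    }
    return event_id, cim


def missing_fields(cim):
    """Names of required CIM fields that are empty after mapping."""
    return [f for f in REQUIRED_FILESYSTEM_FIELDS if not cim.get(f)]


def audit(events):
    """Map every event and report per-event gaps; this is what a DM check would flag."""
    report = []
    for xml in events:
        event_id, cim = to_cim_filesystem(xml)
        report.append({"event_id": event_id, "missing": missing_fields(cim), "cim": cim})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS):
        print(f"EventID {row['event_id']}: missing {row['missing'] or 'nothing'}")
```

Running it on the two constructed events reports file_hash missing for ID 11 and nothing missing for ID 15. Feeding it exported events from a real index (Sysmon operational log in XML) alongside a copy of the TA's field aliases is a quick way to separate "the source never had the field" from "the new TA stopped extracting it" before spending time on correlation searches.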
I would not hold your breath waiting on improvements in TA-microsoft-sysmon to be published to Splunkbase. Instead I'd recommend forking the project (in github) and tuning it as needed for implementation in your environment. It would be nice to see innovations submitted as pull requests but I think that baseline is frozen for the foreseeable future.
If I recall correctly, the last merge made TA-microsoft-sysmon dependent on "breaking" versions of TA-microsoft-windows. Upgrading to TA-microsoft-windows v5+ requires a tedious transition of references to sourcetype in saved searches and dashboards. Defaulting of all windows inputs to render as XML further delays search time field extraction processing which may result in increased hosting costs to compensate.