Splunk Enterprise Security

TA-microsoft-sysmon for version 10 support

cpaul8
New Member

Hello All,

We upgraded the TA for Sysmon to support version 10 (precisely the latest version, 10.41) this week. Actually, the TA has supported v10 since June 2019.

https://github.com/splunk/TA-microsoft-sysmon

After the upgrade, we noticed inconsistencies with field mapping. For instance, file_hash is unknown for file create events, which basically indicates non-compliance with the Endpoint data model, etc. There was no issue with the previous TA; it worked well with Sysmon v9 and was fully compliant with the Endpoint DM. Due to the issue with field mapping, all Endpoint DM related correlation searches stopped working. Can someone help with this please? Or do I have to fix anything to make it work? Your early reply is very much appreciated. Thanks

Splunk CIM is up to date with version 4.14.0
https://splunkbase.splunk.com/app/1621/#/details

Enterprise Security version: 5.3.1

0 Karma
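As an added illustration (not code from the TA, Splunk, or either poster), the script below maps two constructed Sysmon XML events onto CIM Endpoint.Filesystem field names and reports which expected fields an event cannot supply. The mapping table and the required-field list are assumptions for this example, not the TA's props/transforms; note that Sysmon's FileCreate event (ID 11) carries no Hash element at all, while FileCreateStreamHash (ID 15) does, so file_hash can only be populated from events that actually contain one.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon EventData names -> CIM Endpoint.Filesystem names. Assumed mapping for
# this example; it is not the TA's props/transforms.
CIM_MAP = {"TargetFilename": "file_path", "Image": "process",
           "ProcessId": "process_id", "UtcTime": "utc_time", "Hash": "file_hash"}
REQUIRED = ("event_id", "file_path", "file_name", "process")  # what DM searches key on

# Constructed sample events (not real telemetry). Event 11 carries no Hash field.
EVENT11 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID></System><EventData>
<Data Name="UtcTime">2019-10-01 12:00:00.000</Data><Data Name="ProcessId">4242</Data>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="TargetFilename">C:\\Users\\alice\\Documents\\notes.txt</Data>
</EventData></Event>"""
EVENT15 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>15</EventID></System><EventData>
<Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data Name="TargetFilename">C:\\Users\\alice\\Downloads\\setup.exe:Zone.Identifier</Data>
<Data Name="Hash">MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855</Data>
</EventData></Event>"""

def hash_from_sysmon(hash_field, algo="SHA256"):
    """Sysmon packs hashes as 'ALGO=HEX,ALGO=HEX'; return one algorithm, lowercased."""
    for part in hash_field.split(","):
        name, _, value = part.partition("=")
        if name == algo:
            return value.lower()
    return None

def map_to_cim(xml_text):
    """Extract CIM Endpoint.Filesystem fields from one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    fields = {"event_id": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        cim_name = CIM_MAP.get(data.get("Name"))
        if cim_name and data.text:
            fields[cim_name] = data.text
    if "file_path" in fields:
        fields["file_name"] = fields["file_path"].rsplit("\\", 1)[-1]
    if "file_hash" in fields:
        fields["file_hash"] = hash_from_sysmon(fields["file_hash"]) or fields["file_hash"]
    return fields

def missing_fields(fields, expected=REQUIRED + ("file_hash",)):
    """Names from `expected` that the mapped event does not carry."""
    return [name for name in expected if name not in fields]
```

Running `missing_fields(map_to_cim(EVENT11))` shows only file_hash absent, which is what the event itself lacks rather than a mapping defect; a real check would run the same comparison over the TA's extracted fields for each Sysmon event ID.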

dstaulcu
Builder

I would not hold your breath waiting on improvements in TA-microsoft-sysmon to be published to Splunkbase. Instead I'd recommend forking the project (in github) and tuning it as needed for implementation in your environment. It would be nice to see innovations submitted as pull requests but I think that baseline is frozen for the foreseeable future.

If I recall correctly, the last merge made TA-microsoft-sysmon dependent on "breaking" versions of TA-microsoft-windows. Upgrading to TA-microsoft-windows v5+ requires a tedious transition of references to sourcetype in saved searches and dashboards. Defaulting all Windows inputs to render as XML further delays search-time field extraction processing, which may result in increased hosting costs to compensate.

0 Karma