Splunk Enterprise Security

TA-microsoft-sysmon for version 10 support

cpaul8
New Member

Hello All,

We upgraded the TA for Sysmon to support version 10 (precisely, the latest version 10.41) this week. Actually, the TA for v10 has been supported since June 2019.

https://github.com/splunk/TA-microsoft-sysmon

After the upgrade, we noticed inconsistencies with field mapping. For instance, file_hash is unknown for file create events, which basically indicates non-compliance with the Endpoint data model, etc. There was no issue with the previous TA; it worked well with Sysmon v9 and was fully compliant with the Endpoint DM. Due to the issue with field mapping, all Endpoint DM related correlation searches stopped working. Can someone help with this please? Or do I have to fix anything to make it work? Your early response is very much appreciated. Thanks

Splunk CIM is up to date with version 4.14.0
https://splunkbase.splunk.com/app/1621/#/details

Enterprise Security version: 5.3.1


dstaulcu
Builder

I would not hold your breath waiting on improvements in TA-microsoft-sysmon to be published to Splunkbase. Instead I'd recommend forking the project (in GitHub) and tuning it as needed for implementation in your environment. It would be nice to see innovations submitted as pull requests, but I think that baseline is frozen for the foreseeable future.

If I recall correctly, the last merge made TA-microsoft-sysmon dependent on "breaking" versions of TA-microsoft-windows. Upgrading to TA-microsoft-windows v5+ requires a tedious transition of references to sourcetype in saved searches and dashboards. Defaulting all Windows inputs to render as XML further delays search-time field extraction processing, which may result in increased hosting costs to compensate.

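Before forking and patching the TA, it helps to know whether a field that comes out as "unknown" in the Endpoint data model is a TA mapping gap or simply never present in the raw event. The following is an added example for this thread, not code from TA-microsoft-sysmon and not something either poster wrote: an offline Python harness that parses Sysmon XML events the way the TA's XML sourcetype sees them, applies an assumed Endpoint.Filesystem mapping (the mapping is mine, modelled on the CIM Endpoint data model, not copied from the TA's props/transforms; the choice of EventCodes 11 and 15 as Filesystem events and the preference for SHA256 are also assumptions), and reports per EventCode which CIM fields are "unknown" alongside the raw Data names the event actually carried. The sample events, hostnames and digests are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Endpoint.Filesystem fields that Endpoint DM correlation searches typically rely on.
FILESYSTEM_FIELDS = ("action", "dest", "file_name", "file_path", "file_hash", "process_id")

# Assumption: Sysmon event IDs treated here as Endpoint.Filesystem events, with the CIM action.
FILE_EVENT_ACTION = {11: "created", 15: "created"}


def parse_event(xml_text):
    """Return (event_id, computer, {Data@Name: text}) from one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def parse_hashes(value):
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' into {ALGO: digest}."""
    hashes = {}
    for part in value.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            hashes[algo.strip().upper()] = digest.strip().lower()
    return hashes


def to_cim(event_id, computer, data):
    """Map one Sysmon event onto Endpoint.Filesystem fields (assumed mapping).
    Returns None for events outside Filesystem (e.g. EID 1). Fields with no
    source in the event stay "unknown", which is what a correlation search sees."""
    if event_id not in FILE_EVENT_ACTION:
        return None
    cim = {field: "unknown" for field in FILESYSTEM_FIELDS}
    cim["action"] = FILE_EVENT_ACTION[event_id]
    cim["dest"] = computer
    path = data.get("TargetFilename")
    if path:
        cim["file_path"] = path
        cim["file_name"] = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if data.get("ProcessId"):
        cim["process_id"] = data["ProcessId"]
    # Process events carry "Hashes"; EID 15 carries "Hash". Prefer SHA256 when present.
    raw = data.get("Hashes") or data.get("Hash")
    if raw:
        hashes = parse_hashes(raw)
        cim["file_hash"] = hashes.get("SHA256") or next(iter(hashes.values()), "unknown")
    return cim


def missing_fields(cim):
    return [field for field in FILESYSTEM_FIELDS if cim[field] == "unknown"]


def coverage_report(xml_events):
    """Per EventCode: event count, how often each CIM field was unknown, and the raw
    Data names present (to tell a mapping gap from a field the event never carried)."""
    report = {}
    for xml_text in xml_events:
        event_id, computer, data = parse_event(xml_text)
        cim = to_cim(event_id, computer, data)
        if cim is None:
            continue
        entry = report.setdefault(event_id, {"events": 0, "missing": {}, "raw_fields": sorted(data)})
        entry["events"] += 1
        for field in missing_fields(cim):
            entry["missing"][field] = entry["missing"].get(field, 0) + 1
    return report


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID>
    <Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TargetFilename">C:\Users\Public\payload.tmp</Data>
    <Data Name="CreationUtcTime">2020-03-10 12:00:01.120</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>15</EventID>
    <Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TargetFilename">C:\Users\Public\payload.tmp:Zone.Identifier</Data>
    <Data Name="Hash">SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="Hashes">SHA256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    for event_id, entry in sorted(coverage_report(SAMPLE_EVENTS).items()):
        print(f"EventCode {event_id}: {entry['events']} event(s); unknown: "
              f"{entry['missing'] or 'none'}; raw Data names: {entry['raw_fields']}")
```

Run it as-is to see the report for the constructed events; to check real data, paste the XML of a handful of events from your Sysmon sourcetype into SAMPLE_EVENTS. If a CIM field is unknown while the matching raw Data name is listed, that is a mapping gap to fix in the forked TA; if the raw field is not in the event at all, no props/transforms change can supply it and the correlation search has to be adjusted instead.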