Splunk Enterprise Security

TA-microsoft-sysmon for version 10 support

cpaul8
New Member

Hello All,

We upgraded the TA for Sysmon to support version 10 (precisely the latest version, 10.41) this week. Actually, the TA for v10 has been supported since June 2019.

https://github.com/splunk/TA-microsoft-sysmon

After the upgrade, we noticed inconsistency with field mapping. For instance, file_hash is "unknown" for file create events, which basically indicates non-compliance with the Endpoint data model, etc. There was no issue with the previous TA; it worked well with Sysmon v9 and was fully compliant with the Endpoint DM. Due to the issue with field mapping, all Endpoint DM-related correlation searches stopped working. Can someone help with this please? Or do I have to fix anything to make it work? Your early response is very much appreciated. Thanks

Splunk CIM is up to date at version 4.14.0
https://splunkbase.splunk.com/app/1621/#/details

Enterprise Security version: 5.3.1

0 Karma

dstaulcu
Builder

I would not hold your breath waiting on improvements in TA-microsoft-sysmon to be published to Splunkbase. Instead, I'd recommend forking the project (on GitHub) and tuning it as needed for implementation in your environment. It would be nice to see innovations submitted as pull requests, but I think that baseline is frozen for the foreseeable future.

If I recall correctly, the last merge made TA-microsoft-sysmon dependent on "breaking" versions of TA-microsoft-windows. Upgrading to TA-microsoft-windows v5+ requires a tedious transition of sourcetype references in saved searches and dashboards. Defaulting all Windows inputs to render as XML further delays search-time field extraction processing, which may result in increased hosting costs to compensate.

0 Karma
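Before forking the TA, as the reply above suggests, it is worth establishing exactly which events lost their file_hash mapping, since the symptom in the original question ("unknown" file_hash on file create events) can come from the TA's field aliasing or from the events themselves. Sysmon only writes a Hashes field on ProcessCreate (EventCode 1), DriverLoad (6), ImageLoad (7) and FileCreateStreamHash (15); FileCreate (11) carries no hash data at all in Sysmon v10. The two searches below are an added diagnostic, not part of the thread, the TA or the Endpoint data model. They assume Sysmon events live in index=wineventlog under the XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype that TA-microsoft-sysmon uses for XML-rendered events; adjust both to match your environment.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" earliest=-24h
| eval raw_hashes_present=if(isnotnull(Hashes), "yes", "no")
| eval file_hash_state=case(isnull(file_hash), "missing", file_hash="unknown", "unknown", true(), "populated")
| stats count by EventCode, raw_hashes_present, file_hash_state
| sort EventCode

| tstats count from datamodel=Endpoint.Filesystem where Filesystem.action="created" by sourcetype, Filesystem.file_hash
| rename Filesystem.file_hash as file_hash
| eval file_hash_state=if(file_hash="unknown", "unknown", "populated")
| stats sum(count) as events by sourcetype, file_hash_state
```

The first search, run against the raw events, shows per EventCode whether the event contains a Hashes field at all and whether the TA turned it into a file_hash; a row with raw_hashes_present=yes and file_hash_state=missing or unknown points at the TA's props/transforms and is the thing to fix in a fork, whereas EventCode 11 rows with raw_hashes_present=no cannot be fixed by any mapping. The second search asks the accelerated Endpoint.Filesystem data model the same question for "created" actions, which is the view the ES correlation searches actually use, so it confirms whether a fork's change has reached the data model.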