Forum Discussion
mathurin68
Nov 03, 2021 (Brass Contributor)
KQL looking for Sysmon
I'm trying to get a list of boxes that have sysmon running on them.
Any reason this won't work?
DeviceFileEvents
// Sysmon's own log file is Microsoft-Windows-Sysmon%4Operational.evtx under winevt\Logs
| where FolderPath contains @"\Windows\System32\winevt\Logs"
| where FileName contains @"Sysmon"
| project DeviceName, FolderPath
| limit 100
Thanks!
1 Reply
- mathurin68 (Brass Contributor)
In case anyone else is looking for this, this seems to give me what I need...
Count for Sysmon on Devices
DeviceProcessEvents
// =~ is a case-insensitive match on the default Sysinternals binary names
| where FileName =~ "Sysmon.exe" or FileName =~ "Sysmon64.exe"
//| project DeviceName,FileName,InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
// total number of matching process-creation events (not the number of devices)
| count
List of Sysmon Devices
DeviceProcessEvents
| where FileName =~ "Sysmon.exe" or FileName =~ "Sysmon64.exe"
| project DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
// first 10 rows sorted by DeviceName descending; one row per process event, so a device can appear more than once
| top 10 by DeviceName
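As an added example (not part of the original post or the reply above), the two queries can be combined into a single hunt that returns one row per onboarded Windows device and flags the devices with no Sysmon process activity in the lookback window, which is usually the actual question behind "which boxes have Sysmon". It assumes the advanced hunting tables DeviceProcessEvents and DeviceInfo, the default Sysinternals binary names Sysmon.exe and Sysmon64.exe, and a 30-day lookback; the lookback value and the column aliases are arbitrary choices.

```kql
// Added example: one row per onboarded Windows device, with Sysmon coverage flagged.
// Lookback is an assumption; a process-creation event for the Sysmon binary only
// appears when the service starts (install, config update, reboot), so the window
// must be longer than the fleet's typical reboot cadence or devices will be missed.
let lookback = 30d;
// Default Sysinternals names. A renamed installer changes the service and binary
// name, and such installs will not match this list.
let sysmonNames = dynamic(["Sysmon.exe", "Sysmon64.exe"]);
let SysmonDevices =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (sysmonNames)
    | summarize LastSysmonSeen = max(Timestamp), SysmonEvents = count() by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
| where OSPlatform startswith "Windows"
// collapse the many DeviceInfo heartbeats into the latest record per device
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
// leftouter keeps devices that never produced a Sysmon event
| join kind=leftouter SysmonDevices on DeviceId
| extend SysmonObserved = isnotnull(LastSysmonSeen)
| project DeviceName, OSPlatform, SysmonObserved, LastSysmonSeen, SysmonEvents
// devices without Sysmon activity sort first
| order by SysmonObserved asc, DeviceName asc
```

Replace the final `project`/`order by` with `| where not(SysmonObserved) | distinct DeviceName` to get just the gap list, or with `| summarize count() by SysmonObserved` for a coverage ratio. Because it counts process starts rather than a running service, a device reporting `SysmonObserved == true` shows that Sysmon was launched in the window, not that it is still running or that its configuration is the one you expect.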