Sysmon /operational is not in Event table

Hi Team, Need to create usecase base on Sysmon /operational and with Event ID = 1. But Sysmon is not configured. Usecase is based on process. It is github usecase. Need to create with the help of...

KQL

G_Wilson3468
Nov 25, 2024
I mapped the fields to the corresponding Defender table. Hopefully this helps. Please mark "Solved" if this works.

G.

DeviceProcessEvents | where EventID == 1 | extend Image = tostring(parse_json(AdditionalFields).Image) | where OriginalFileName has_any (procList) and not (Image has_any (procList)) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, DeviceName, InitiatingProcessAccountName, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, FileName, ProcessId, ProcessCommandLine, FileDescription, FileName, FolderPath, SHA1 | extend HostName = iif(DeviceName has '.',substring(DeviceName,0,indexof(DeviceName,'.')),DeviceName), DnsDomain = iif(DeviceName has '.',substring(DeviceName,indexof(DeviceName,'.')+1),'')

Forum Discussion

Sysmon /operational is not in Event table

Resources