cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

m0l0ch
Copper Contributor

‎Mar 13 2019 07:14 PM

‎Mar 13 2019 07:14 PM

How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

Hi everyone.

How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

I've try to setup it in my env w/ Win10, but Sysmon logs collected to 'Events' table only.

What I did wrong?

 

Environment:
- Azure Sentinel instance
- Data collector Security Events - Minimal.
Advanced settings: 
    * Connected Sources Windows Agent (64 bit) installed on Win10
    * Data Windows events 'Microsoft-Windows-Sysmon/Operational'

 

4,215 Views
3 Likes
4 Replies
Reply
4 Replies
Valon_Kolica

‎Mar 14 2019 03:10 PM

‎Mar 14 2019 03:10 PM

Re: How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

@Eliav Levi: Is this something you can speak to? 

0 Likes
Reply
PeterSchawacker

‎Mar 31 2019 09:18 AM

‎Mar 31 2019 09:18 AM

Re: How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

@m0l0chI'm having a similar problem. I think I got a little farther than you might have, but now I'm seeing Sysmon events in the wrong table, or at least I think it's the wrong table. 

 

Instead of appearing in the Security/Sysmon table, I get them in the Log Management/Event table. Maybe I configured the Data settings incorrectly (see below), but...  

sysmon_in_event_table.png

Where I expected to see Sysmon events, but don't...

NotInSysmonEventTable.png

 

My Windows Event Logs Data settings...

dataconfig.png 

 

1 Like
Reply
Rikard Edje

‎Apr 01 2019 01:29 AM

‎Apr 01 2019 01:29 AM

Re: How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

I would like to get them here in SysmonEvents

 

SysmonEvents.PNG

 

1 Like
Reply
Valon_Kolica

‎Apr 01 2019 08:24 AM

‎Apr 01 2019 08:24 AM

Re: How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

@PeterSchawacker 

 

@Ofer_Shezaf: Is this something you can speak to? 

0 Likes
Reply