
How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

m0l0ch
New Contributor

Hi everyone.

How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

I've tried to set it up in my env w/ Win10, but Sysmon logs are collected to the 'Events' table only.

What did I do wrong?


Environment:
- Azure Sentinel instance
- Data collector Security Events - Minimal.
- Advanced settings:
    * Connected Sources: Windows Agent (64 bit) installed on Win10
    * Data: Windows events 'Microsoft-Windows-Sysmon/Operational'


4 Replies

@Eliav Levi: Is this something you can speak to? 

@m0l0ch I'm having a similar problem. I think I got a little farther than you might have, but now I'm seeing Sysmon events in the wrong table, or at least I think it's the wrong table.

Instead of appearing in the Security/Sysmon table, I get them in the Log Management/Event table. Maybe I configured the Data settings incorrectly (see below), but...

[image: sysmon_in_event_table.png]

Where I expected to see Sysmon events, but don't...

[image: NotInSysmonEventTable.png]

My Windows Event Logs Data settings...

[image: dataconfig.png]
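The thread never resolves where a SysmonEvent table would come from, but both posters observe the same thing: with the agent's Advanced settings > Data > Windows event logs entry for 'Microsoft-Windows-Sysmon/Operational', the entries land in the Log Analytics Event table. The KQL below is an added example, not part of this thread and not a Microsoft-provided parser. It assumes the standard Event table columns (TimeGenerated, Computer, EventLog, Source, EventID, EventData) and that EventData holds the raw event fields as XML, which is how the agent stores Windows event log entries in that table. The first query confirms where the Sysmon entries are arriving; the second turns the XML into named columns so the rows are usable for hunting. The column names Image, CommandLine, ParentImage, User and Hashes follow the Sysmon event schema; an EventID that does not carry a given field simply returns an empty string for it.

```kusto
// Added example (not from this thread). Assumes the Log Analytics agent's
// "Windows event logs" collection writes Microsoft-Windows-Sysmon/Operational
// entries to the standard Event table, with the raw event fields in the
// EventData column as XML.

// 1. Confirm where the agent is putting the Sysmon entries.
Event
| where TimeGenerated > ago(1d)
| where Source == "Microsoft-Windows-Sysmon"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventLog, EventID
| order by Computer asc, EventID asc

// 2. Pull the per-event fields out of the EventData XML so the rows are
//    usable for hunting. Each <Data Name="..."> element becomes a key in a
//    property bag; fields that a given EventID does not carry come back empty.
Event
| where TimeGenerated > ago(1d)
| where Source == "Microsoft-Windows-Sysmon"
| where EventLog == "Microsoft-Windows-Sysmon/Operational"
| extend Data = parse_xml(EventData).DataItem.EventData.Data
| mv-apply Data on (
    summarize Fields = make_bag(pack(tostring(Data["@Name"]), tostring(Data["#text"])))
  )
| project TimeGenerated, Computer, EventID,
          Image       = tostring(Fields.Image),
          CommandLine = tostring(Fields.CommandLine),
          ParentImage = tostring(Fields.ParentImage),
          User        = tostring(Fields.User),
          Hashes      = tostring(Fields.Hashes)
| order by TimeGenerated desc
```

Run each query on its own in the Logs blade (select the block you want before pressing Run). If the first query returns nothing at all, the problem is upstream of the table choice: the agent is not forwarding the channel, which is the case to check before worrying about SysmonEvent versus Event.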

I would like to get them here in SysmonEvents

[image: SysmonEvents.PNG]

@PeterSchawacker

@Ofer_Shezaf: Is this something you can speak to? 
