mathurin68
Nov 03, 2021 (Brass Contributor)
KQL looking for Sysmon
I'm trying to get a list of boxes that have sysmon running on them. Any reason this won't work?
DeviceFileEvents | where FolderPath contains @"\Windows\System32\winevt\Logs" | where FileN...
mathurin68
Nov 04, 2021 (Brass Contributor)
In case anyone else is looking for this, this seems to give me what I need...
Count for Sysmon on Devices
DeviceProcessEvents
| where FileName =~ "Sysmon.exe" or FileName =~ "Sysmon64.exe"
//| project DeviceName,FileName,InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| count
List of Sysmon Devices
DeviceProcessEvents
| where FileName =~ "Sysmon.exe" or FileName =~ "Sysmon64.exe"
| project DeviceName,FileName,InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| top 10 by DeviceName
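A complementary query, added here as an example and not part of either post: instead of listing devices where a Sysmon process was seen, it joins against the DeviceInfo table to surface onboarded devices with no Sysmon process start in the lookback window, which is the coverage gap a defender usually wants to find. It assumes Sysmon runs under its default binary names (Sysmon.exe / Sysmon64.exe); an installation that renamed the binary would not match and would show up as a false gap.

```kql
// Devices where a Sysmon binary was started in the last 30 days
let SysmonSeen =
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FileName in~ ("Sysmon.exe", "Sysmon64.exe")
    | summarize LastSysmonStart = max(Timestamp), SysmonStarts = count() by DeviceName;
// All devices that reported to Defender in the same window,
// minus the ones above (leftanti keeps rows with no match)
DeviceInfo
| where Timestamp > ago(30d)
| summarize LastReported = max(Timestamp) by DeviceName, OSPlatform
| join kind=leftanti SysmonSeen on DeviceName
| project DeviceName, OSPlatform, LastReported
| order by LastReported desc
```

Swap `kind=leftanti` for `kind=inner` to get the positive list from the original post together with each device's last Sysmon start time, which is more useful than `top 10 by DeviceName` when you need every host rather than a sample.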