KQL looking for Sysmon

I'm trying to get a list of boxes that have sysmon running on them. 

Any reason this won't work? 

// Look for writes to the Sysmon event log channel file under winevt\Logs
DeviceFileEvents
| where FolderPath contains @"\Windows\System32\winevt\Logs"   // FolderPath holds the full path of the file
| where FileName contains @"Sysmon"                             // contains is case-insensitive in KQL
| project DeviceName, FolderPath
| limit 100

Thanks!

1 Reply
In case anyone else is looking for this, this seems to give me what I need...

Count for Sysmon on Devices
// Counts process-creation events for Sysmon.exe / Sysmon64.exe (one row per event, so a device that started Sysmon several times is counted several times)
DeviceProcessEvents
| where FileName =~ "Sysmon.exe" or FileName =~ "Sysmon64.exe"   // =~ is case-insensitive equality
//| project DeviceName,FileName,InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| count

List of Sysmon Devices
// Lists the process-creation events for Sysmon.exe / Sysmon64.exe together with the parent that launched them
DeviceProcessEvents
| where FileName =~ "Sysmon.exe" or FileName =~ "Sysmon64.exe"
| project DeviceName,FileName,InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| top 10 by DeviceName   // returns the first 10 rows ordered by DeviceName (descending), one row per event rather than one per device
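The reply's approach relies on DeviceProcessEvents, which only records process creations. The Sysmon service binary (Sysmon64.exe or Sysmon.exe) is normally started once at boot, so a device that has not rebooted, reinstalled or reconfigured Sysmon inside the hunting window produces no matching row even though Sysmon is running. The following Advanced Hunting query is an added example, not code from the original thread: it collapses the matches to one row per device with the most recent Sysmon start and its command line (which distinguishes a service start from an install or config run), and then uses DeviceInfo to list Windows devices seen in the same window that have no Sysmon process creation at all, which is usually the list a practitioner actually wants. The 30-day lookback and the Windows filter on OSPlatform are assumptions for illustration.

```kql
// Added example (not from the original post): Sysmon coverage by device.
// Assumes Microsoft Defender for Endpoint Advanced Hunting schema (DeviceProcessEvents, DeviceInfo).
let lookback = 30d;   // assumption: Advanced Hunting retains 30 days, so this is the widest possible window
// One row per device that started a Sysmon process in the window.
let SysmonDevices =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("Sysmon.exe", "Sysmon64.exe")          // in~ is case-insensitive
    | summarize arg_max(Timestamp, ProcessVersionInfoProductVersion, ProcessCommandLine, InitiatingProcessFileName)
        by DeviceId, DeviceName
    | project DeviceId, DeviceName,
              LastSysmonStart = Timestamp,
              SysmonVersion   = ProcessVersionInfoProductVersion,
              SysmonCommandLine = ProcessCommandLine,            // bare binary = service start; "-i"/"-c" = install or config run
              StartedBy       = InitiatingProcessFileName;        // services.exe for a service start
// Devices that reported in during the window but never started Sysmon (coverage gaps).
let NoSysmon =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | where OSPlatform startswith "Windows"                     // assumption: only Windows hosts are expected to run Sysmon
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
    | join kind=leftanti SysmonDevices on DeviceId
    | project DeviceId, DeviceName, LastSeen = Timestamp;
// Emit both sets in one result; Status tells them apart.
SysmonDevices
| extend Status = "Sysmon started in window"
| union (NoSysmon | extend Status = "No Sysmon process creation in window")
| order by Status asc, DeviceName asc
```

The "No Sysmon process creation in window" rows are candidates, not proof of absence: a device that booted before the window opened and has run the Sysmon service continuously since will land there. To confirm those, check the device directly (for example, the state of the Sysmon service or the presence of the Microsoft-Windows-Sysmon/Operational channel) rather than relying on process-creation telemetry alone.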