How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?


Hi everyone.

How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?

I've tried to set it up in my env w/ Win10, but Sysmon logs are collected to the 'Events' table only.

What did I do wrong?


Environment:
- Azure Sentinel instance
- Data collector Security Events - Minimal.
Advanced settings: 
    * Connected Sources Windows Agent (64 bit) installed on Win10
    * Data Windows events 'Microsoft-Windows-Sysmon/Operational'


4 Replies

@Eliav Levi: Is this something you can speak to? 

@m0l0ch I'm having a similar problem. I think I got a little farther than you might have, but now I'm seeing Sysmon events in the wrong table, or at least I think it's the wrong table.


Instead of appearing in the Security/Sysmon table, I get them in the Log Management/Event table. Maybe I configured the Data settings incorrectly (see below), but...  

sysmon_in_event_table.png

Where I expected to see Sysmon events, but don't...

NotInSysmonEventTable.png


My Windows Event Logs Data settings...

dataconfig.png 


I would like to get them here in SysmonEvents


SysmonEvents.PNG
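Both the original question and the reply above describe the same symptom: the agent is collecting the 'Microsoft-Windows-Sysmon/Operational' channel, but the records show up in the Log Management 'Event' table rather than 'SysmonEvent'. The KQL below is an added example (not code from the thread or from Microsoft) for checking, from the workspace side, what the agent actually delivered and for making the rows usable while they sit in 'Event'. It uses only the standard 'Event' table columns (TimeGenerated, Computer, EventLog, Source, EventID, EventData); the 24-hour window and the focus on Sysmon EventID 1 (process creation) in the second query are assumptions you can change.

```kql
// Added example, not part of the original thread.
// Query 1: confirm which machines, channels and event IDs the agent is delivering.
// For the setup described in the thread, expect EventLog == "Microsoft-Windows-Sysmon/Operational"
// and Source == "Microsoft-Windows-Sysmon"; an empty result means the channel is not being
// collected at all, which is a different problem from landing in the "wrong" table.
Event
| where TimeGenerated > ago(24h)          // assumed window
| where Source == "Microsoft-Windows-Sysmon"
| summarize Count = count(), LastSeen = max(TimeGenerated) by Computer, EventLog, EventID
| order by Computer asc, EventID asc

// Query 2: the Event table stores the Sysmon fields as XML in EventData:
//   <DataItem ...><EventData ...><Data Name="Image">C:\...\foo.exe</Data>...</EventData></DataItem>
// parse_xml() turns that into a dynamic object; each <Data> element becomes an item with
// "@Name" (attribute) and "#text" (value). Expanding those into a property bag and then
// unpacking it gives one column per Sysmon field, so detections can be written against
// Image, CommandLine, ParentImage, etc. even though the rows never reached SysmonEvent.
Event
| where TimeGenerated > ago(24h)          // assumed window
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1                      // assumed focus: Sysmon process-creation events
| extend Fields = parse_xml(EventData).DataItem.EventData.Data
| mv-expand Field = Fields
| extend Name = tostring(Field["@Name"]), Value = tostring(Field["#text"])
| summarize Sysmon = make_bag(bag_pack(Name, Value)) by TimeGenerated, Computer, EventID
| evaluate bag_unpack(Sysmon)
| project TimeGenerated, Computer, EventID, User, Image, CommandLine, ParentImage, Hashes
```

Run query 1 first: it settles whether the records exist and under which EventLog/Source they were tagged, which is the fact the screenshots in the thread are trying to establish. Query 2 is the workaround for analysis while the table question is open; column names after bag_unpack are whatever Name attributes Sysmon wrote, so the final project line will fail if a listed field is absent from your Sysmon configuration, in which case drop it from the list.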


@PeterSchawacker 


@Ofer_Shezaf: Is this something you can speak to? 
