Deploy the Sysmon-TA
Download and deploy this app to your Splunk Search Head.
A macro is used for all saved searches, you will need to modify it for your environment to ensure the proper Sysmon sourcetype/index is searched.
Macros: Settings --> Advanced Search --> Search Macros. Edit to your environment
Default - sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
Thats it.
Run with administrator rights
sysmon.exe -accepteula -i sysmonconfig-export.xml
Run with administrator rights
sysmon.exe -c sysmonconfig-export.xml
Upon installation, Sysmon will begin logging events to the operational event log “C:\Windows\System32\ winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx”.
I recommend going with @SwiftOnSecurity latest config located here:
https://github.com/SwiftOnSecurity/sysmon-config
Additionally, other example Sysmon configs may be found here
PLEASE CONTRIBUTE AND SHARE!
@SwiftOnSecurity @c_APT_ure