Details
Content
Dependencies
Version History

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

Microsoft Windows Sysmon

This pack includes Cortex XSIAM content.

XDRC (XDR Collector)

To create or configure the Winlogbeat collector, use the information described here.

You can configure the vendor and product by replacing [vendor]_[product]_raw with microsoft_sysmon_raw.

When configuring the instance, you should use a YML file that configures the vendor and product, as shown in the below configuration for the Windows Sysmon service.

Copy and paste the following in the Winlogbeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).

Winlogbeat Configuration File

winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
    - add_fields:
        fields:
          vendor: microsoft
          product: sysmon

Name	Description
Microsoft Windows Sysmon Modeling Rule

Name	Description
Microsoft Windows Sysmon Parsing Rule

PUBLISHER

Cortex

PLATFORMS

Cortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	March 17, 2024
Last Release	March 17, 2024

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Microsoft Sysmon