Open Vilv3 opened 3 months ago
Interesting suggestion. Would adding an extra field to each event be suitable?
Hey,
I think so. Not quite sure I understand your question correctly, but as long as the current version number could be parsed out of a raw log (some event created by Sysmon), then this would solve the "issue". :)
Thanks.
Actually the "Version" of the executable and the "SchemaVersion" are present in "Event ID 4: Sysmon service state changed". Therefore you should be able to get a current value with every reboot (checked with version 14.16 and 15.15).
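As an added illustration of the point above (example code, not from the thread or the Sysmon project): pull the newest Event ID 4 from each host's Sysmon operational log and read its Version and SchemaVersion fields, so endpoints whose last reported version is below a threshold stand out. It assumes remote event log access to the listed hosts; the host names and the minimum version are constructed placeholders.

```powershell
# Reads the most recent Sysmon Event ID 4 ("Sysmon service state changed") per host
# and reports the Version / SchemaVersion fields it carries. Note the timestamp:
# this event only appears on install, upgrade or service (re)start, so the value is
# "as of last state change", not a live heartbeat.
function Get-SysmonReportedVersion {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$MinimumVersion = [version]'15.15'   # constructed threshold, adjust as needed
    )
    foreach ($computer in $ComputerName) {
        try {
            $evt = Get-WinEvent -ComputerName $computer -MaxEvents 1 -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 4 }
        } catch {
            # Unreachable host, no log, or no Event ID 4 retained: report it rather than skip it
            [pscustomobject]@{ Host = $computer; Version = $null; SchemaVersion = $null
                               LastStateChange = $null; Stale = $null; Note = $_.Exception.Message }
            continue
        }
        # Read fields by name from the event XML instead of relying on positional Properties[]
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ver = [version]$data['Version']
        [pscustomobject]@{
            Host            = $computer
            Version         = $ver
            SchemaVersion   = $data['SchemaVersion']
            LastStateChange = $evt.TimeCreated
            Stale           = ($ver -lt $MinimumVersion)
            Note            = ''
        }
    }
}

# Constructed host names for illustration
Get-SysmonReportedVersion -ComputerName 'srv01', 'srv02' | Format-Table -AutoSize
```

Because the log may roll over on busy hosts, an absent Event ID 4 is reported as a row with an empty Version rather than silently dropped.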
@NWiBGRsK Hi, yes, and therein lies the issue: only being able to see the running version on a state change event. Particularly on servers that don't get rebooted often, this is not ideal from a monitoring/upkeep perspective, although not a major problem.
Hi,
In an environment where many endpoints are being monitored via Sysmon, it's currently quite difficult to keep track of version numbers, since the only event where current version numbers are reported is the "Sysmon state change" event which is usually generated after an upgrade or fresh install.
Would it be possible to add a version number to all events created by Sysmon? Or at least more than the one that exists currently. This would mean that one could only check the latest event and see which version is in use on said endpoint.
Thanks!