Started logging events and modifying config. All these events are Sysmon event IDs. Is there proper configuration to use to include Windows actual Event IDs instead of Sysmon? My use cases for SIEM search are trigger alerts based on Windows Event IDs not Sysmon's own version of Eevent ID like 1, 2, 3, 4, 5,11... etc. I'm in need of collecting actual events that are windows generated Event IDs.
Am I the only one asking this or has there been a thread about this?
Started logging events and modifying config. All these events are Sysmon event IDs. Is there proper configuration to use to include Windows actual Event IDs instead of Sysmon? My use cases for SIEM search are trigger alerts based on Windows Event IDs not Sysmon's own version of Eevent ID like 1, 2, 3, 4, 5,11... etc. I'm in need of collecting actual events that are windows generated Event IDs.
Am I the only one asking this or has there been a thread about this?