clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Threathunting index is empty #502

Closed clong closed 3 years ago

clong commented 3 years ago

Figure out why events aren't populating correctly

clong commented 3 years ago

Oh man, found a huge issue while working through this. The sourcetype for sysmon events actually included double quotes in the actual field value which was causing all sorts of issues. Fix incoming.
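A check a maintainer could run to catch the defect described in this comment before it reaches the index. This is an added example, not DetectionLab's own code: it parses a Splunk `inputs.conf`-style file, flags any stanza whose `sourcetype` value carries literal quote characters, and shows why an exact-match search term does not match such a value. The sample configuration, the stanza names and the assumption that the quotes originate in the input configuration are all constructed for this example.

```python
"""Added example (not DetectionLab's own code): detect quoted sourcetype values
in Splunk inputs.conf stanzas. The sample config below is constructed; the
stanza names and the idea that the quotes come from inputs.conf are assumptions."""
import configparser
import re

# Constructed sample: the Sysmon stanza carries literal double quotes in its
# sourcetype value, the Security stanza is clean.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = 1
sourcetype = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
index = sysmon

[WinEventLog://Security]
disabled = 0
sourcetype = WinEventLog:Security
index = wineventlog
"""


def parse_inputs_conf(text):
    """Parse inputs.conf-style text into {stanza: {key: value}}.

    Splunk .conf files are INI-like and keys are case-sensitive, so the
    default lower-casing of option names is disabled."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def find_quoted_sourcetypes(stanzas):
    """Return [(stanza, raw_value)] for every stanza whose sourcetype value
    contains a single or double quote character."""
    return [
        (stanza, keys["sourcetype"])
        for stanza, keys in stanzas.items()
        if "sourcetype" in keys and re.search(r'["\']', keys["sourcetype"])
    ]


def normalize_sourcetype(value):
    """Strip quote characters and surrounding whitespace so the stored value
    equals what searches and the ThreatHunting macros expect."""
    return re.sub(r'["\']', "", value).strip()


def search_matches(event_sourcetype, wanted):
    """Mimic an exact-match search term sourcetype="<wanted>": the field value
    stored on the event must equal the literal exactly, quotes included."""
    return event_sourcetype == wanted


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for stanza, raw in find_quoted_sourcetypes(stanzas):
        fixed = normalize_sourcetype(raw)
        print(f"{stanza}: sourcetype {raw!r} contains quotes; use {fixed!r}")
```

Run it against a real `inputs.conf` by replacing the constructed sample with the file contents; any line printed is a stanza whose events would carry the quotes into the `sourcetype` field and fall outside searches written against the bare value.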

clong commented 3 years ago

Screenshot after the latest commit:

[screenshot image]

Marking this fixed now. There's still some improvements to be made (adding whitelists, etc.), but the bulk of the problems have been solved.