olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.13k stars, 177 forks

props.conf added config for non-XML parsed Sysmon #2

Closed fryguy04 closed 5 years ago

fryguy04 commented 5 years ago

This app wasn't working in my Splunk ... noticed my Sysmon was `[WinEventLog:Microsoft-Windows-Sysmon/Operational]` vs. the original `[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]` ... Maybe due to the Sysmon Splunk TA being installed? Added the above to cover both cases.