olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.12k stars 177 forks

sysmon_schema_version #29

Closed anywhere98 closed 5 years ago

anywhere98 commented 5 years ago

I just started to run a fresh installation and see that the sysmon schema version is not collected, as one of your searches is not grabbing that field, named "sysmon_schema_version".

It seems then that the sysmon TA on the client side needs to ingest the data before the field extraction can take place?

anywhere98 commented 5 years ago

I found that the logs are sent from sysmon but the field has been changed from "SchemaVersion" to "Version". I just changed the current extraction and then it worked.
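A tolerant extraction for the field rename described in this thread, as an added Python example that is not part of the ThreatHunting app or the commenter's own fix. The event XML and version values are constructed, and treating "Version" as the fallback name for "SchemaVersion" follows the report above, not Sysmon documentation; the last function flags events where neither field is present so a silent coverage gap in the hunt is visible.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Event Log XML (EVTX exports, Sysmon events).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events, not captured data: the older "SchemaVersion"
# data name, the "Version" name reported in the issue, and a field-less event.
OLD_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4</EventID></System>
  <EventData>
    <Data Name="State">Started</Data>
    <Data Name="SchemaVersion">4.10</Data>
  </EventData>
</Event>"""

NEW_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4</EventID></System>
  <EventData>
    <Data Name="State">Started</Data>
    <Data Name="Version">4.22</Data>
  </EventData>
</Event>"""

BARE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4</EventID></System>
  <EventData><Data Name="State">Started</Data></EventData>
</Event>"""


def event_data(xml_text):
    """Map every <Data Name="..."> element under <EventData> to its text."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("./e:EventData/e:Data", EVT_NS)}


def sysmon_schema_version(xml_text):
    """Return the schema version under either field name, or None if absent.
    Preference order is an assumption: the old name first, then the new one."""
    data = event_data(xml_text)
    for name in ("SchemaVersion", "Version"):
        if data.get(name):
            return data[name]
    return None


def events_missing_schema_version(events):
    """Indices of events that yield no version under either name, so the
    extraction gap is reported instead of silently dropping the field."""
    return [i for i, ev in enumerate(events) if sysmon_schema_version(ev) is None]
```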