Embedded Files
Sysmon Versions Checkup
Sysmon Versions Checkup
The Goal: Ensure accurate threat detection and unified log analysis.
How to Track it: Get information about the Sysmon versions in your environment.
The Value: Using the same Sysmon version ensures consistent logs, reliable alerts, and no blind spots.
Quick Guide
Quick Guide
Sysmon Versions - Customer report
Sysmon Versions - Platform query
Detailed Guide
Detailed Guide
Overview
Overview
Sysmon (System Monitor) is a powerful Windows system service and device driver that logs system activity to the Windows event log. It's often used for threat detection and advanced auditing in SOC environments.
Different versions of Sysmon offer different features. Keeping all machines updated to the same version is important to ensure consistent logging and detection.
Why Check Sysmon Versions?
Inconsistent Logging: Different versions may break detection rules or leave information missing in the log, and the exclusions may not work properly.
SIEM Issues: Correlation rules in SIEMs can fail if some computers send outdated or differently formatted logs.
Actions
Actions
ESM
ESM
Follow the path to access the "Sysmon Versions—Customer report" and "Sysmon Versions—Platform query" to see the different versions of Sysmon on your entities. This will help you easily find and fix the gaps.
- Sysmon Versions - Customer report
In the “Navigator” window under the “Resources” tab, select “Reports”
Follow the path:
/All Reports/Mobula/Products/Microsoft/Sysmon@Microsoft/Sysmon Versions - Customer
Right-click on the “Sysmon Versions - Customer” report, select “run” and then “Report”
In the next window, select the customer to get his report. You can also change the file format if you desire.
Click OK to open and inspect the report.
- Sysmon Versions - Platform Query
It is a query viewer that will show you all the customers on your platform and their Sysmon versions.
In the “Navigator” window under the “Resources” tab, select “Query Viewers”
Follow the Path:
/All Query Viewers/Mobula/Products/Microsoft/Sysmon@Microsoft/Sysmon Versions - Platform
Double click on Sysmon Versions - Platform.
In the “Viewer” window, you will see a list of your customers and their sysmon Versions, schema versions, Config HASH, and computer counts.
This query helps you better understand how many computers with which Sysmon version are running on every customer.
Whenever you see different Sysmon versions, please contact the MobulaSupport team by:
Email - mobulasupport@cyray.io
Best Practices
Best Practices
Once a month, check the Sysmon Versions—Platform query to see if there are different Sysmon versions, and try to stay on the latest version.
Objectives
Objectives
Understand the importance of using a unified Sysmon version across all endpoints.
Learn how to locate Sysmon version differences using built-in reports and queries.
Identify gaps and take corrective actions to improve detection reliability.
Adopt a routine version check to maintain visibility and consistency across environments.
Page updated
Report abuse