Add Sysmon to your existing Windows event sources
You can use an update script to configure agents to collect Sysmon events.
To collect Sysmon events along with your System, Application, and Security events, add the following update script to your patches directory (the agent picks it up and applies it on its next update cycle):
    <?xml version="1.0" encoding="UTF-8"?>
    <WinCollectScript version="10.0.0">
      <AddTo objPath="LocalSources(Name=Local)">
        <Source Name="Sysmon" Channel="XPath" Type="MSEVEN6">
          <Parameter name="Query">
            <QueryList>
              <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
              </Query>
            </QueryList>
          </Parameter>
        </Source>
      </AddTo>
    </WinCollectScript>
This script adds a source named Sysmon to your Local sources. The source is of type MSEVEN6 and uses an XPath query (Channel="XPath") that selects every event (`*`) from the Microsoft-Windows-Sysmon/Operational channel. Sysmon must already be installed on the host: that channel only exists once the Sysmon driver and service are registered, and the source collects nothing from a host where it is missing.
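The following PowerShell script is an added example, not part of the WinCollect documentation or product: it runs the pre-flight checks an operator would want before dropping the update script into the patches directory. It confirms the Sysmon channel exists and is enabled, runs the same XPath QueryList locally with Get-WinEvent to prove it returns events, then writes the update script as well-formed XML. The patches directory path (-PatchesDir) and the file name (add-sysmon.xml) are assumptions supplied by the operator; the channel name is Sysmon's default.

```powershell
# Added example (not from the WinCollect documentation): pre-flight checks before
# placing the Sysmon update script in a WinCollect patches directory.
# Assumptions: the patches directory is passed in by the operator (-PatchesDir);
# the script file name is an arbitrary choice; the channel name is Sysmon's default.
param(
    [Parameter(Mandatory)] [string] $PatchesDir,
    [string] $ChannelName = 'Microsoft-Windows-Sysmon/Operational',
    [string] $ScriptName  = 'add-sysmon.xml'
)

# 1. Confirm the Sysmon channel exists and is enabled. The channel is only present
#    once Sysmon is installed; without it the WinCollect source collects nothing.
$log = Get-WinEvent -ListLog $ChannelName -ErrorAction SilentlyContinue
if (-not $log)          { throw "Channel '$ChannelName' not found. Is Sysmon installed on this host?" }
if (-not $log.IsEnabled){ throw "Channel '$ChannelName' exists but is disabled." }
Write-Host ("Channel {0}: {1} records, enabled={2}" -f $log.LogName, $log.RecordCount, $log.IsEnabled)

# 2. Build the same QueryList the update script carries and run it locally.
#    If it returns nothing here, the agent's source will return nothing either.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="$ChannelName">
    <Select Path="$ChannelName">*</Select>
  </Query>
</QueryList>
"@
$sample = Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $sample) {
    Write-Warning "Query parsed but returned no events yet (Sysmon may have just started)."
} else {
    $sample | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}

# 3. Assemble the update script, reject it if it is not well-formed XML, and write it
#    UTF-8 encoded into the patches directory.
$updateScript = @"
<?xml version="1.0" encoding="UTF-8"?>
<WinCollectScript version="10.0.0">
  <AddTo objPath="LocalSources(Name=Local)">
    <Source Name="Sysmon" Channel="XPath" Type="MSEVEN6">
      <Parameter name="Query">
$queryXml
      </Parameter>
    </Source>
  </AddTo>
</WinCollectScript>
"@
$null = [xml]$updateScript   # the cast throws if the document is malformed

if (-not (Test-Path -Path $PatchesDir -PathType Container)) {
    throw "Patches directory '$PatchesDir' does not exist."
}
$dest = Join-Path -Path $PatchesDir -ChildPath $ScriptName
Set-Content -Path $dest -Value $updateScript -Encoding UTF8
Write-Host "Wrote update script to $dest"
```

Run it from an elevated PowerShell on the agent host, for example `.\Add-SysmonSource.ps1 -PatchesDir 'C:\path\to\patches'` (the path is whatever your WinCollect installation uses). Steps 1 and 2 are the checks worth keeping even if you copy the XML by hand: a missing or disabled channel is the usual reason a freshly added Sysmon source stays silent.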