In your poc is sysmon still outputting events to the eventlo

Question

In your poc is sysmon still outputting events to the eventlog Your poc just allows us to more easily manipulate the sysmon data without having to use the `windows events` table to ship the sysmon logs

manu · Answer

yes sysmon still outputs it s log via it s own trace session we create a new trace session to receive the events and fwd accordingly If you notice there are 2 trace sessions one that we create from event publisher

manu · Answer

< defensivedepth> yeah `windows events` being generic over diff channels and sources can t be projected generically The data manipulation and types of queries that one create with such tables at endpoint itself opens a new set of opportunity