• Install Sysmon
    • Add SwiftOnSecurity config
  • Install addon
  • Settings

    • C:\Program Files\Splunk\etc\system\local\inputs.conf

      [WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true