This section contains information about log sources for Microsoft Sysmon. To implement LSO, you must use the new log source type MS Windows Event Logging XML - Sysmon and apply the LogRhythm Default v2.0 log processing policy. For information on supported log messages and parsing, see the configuration guide:

The subsequent LSO documentation contains detailed information on parsing changes and new log processing settings. The EVID pages show, for each Sysmon event ID (EVID), the differences between the old log processing policy (LogRhythm Default) and the new policy to be used with LSO (LogRhythm Default v2.0). Use these pages for reference as you migrate from the old log source type and the LogRhythm Default policy to the MS Windows Event Logging XML - Sysmon log source type and the LogRhythm Default v2.0 policy.
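Before working through the EVID pages, it helps to know which Sysmon event IDs a host actually emits and what the raw XML for each looks like, since that XML is what the MS Windows Event Logging XML - Sysmon log source type parses. The following PowerShell is an added example, not code from the LogRhythm documentation. It assumes Sysmon is installed and that the current user can read the Microsoft-Windows-Sysmon/Operational channel; the sample size (5000 events) is an arbitrary bound you can change.

```powershell
# Added example (not from the LogRhythm documentation): inventory the Sysmon
# event IDs present on a host and dump one event per EVID as XML, so you know
# which EVID reference pages apply and can compare the raw event fields against
# the parsing documented for MS Windows Event Logging XML - Sysmon.
# Assumption: Sysmon is installed and the Operational channel is readable.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Pull a bounded sample. Use -FilterHashtable with StartTime/EndTime instead of
# -MaxEvents if you want a specific time window.
$events = Get-WinEvent -LogName $LogName -MaxEvents 5000 -ErrorAction Stop

# Count events per EVID so migration testing covers the IDs this host emits.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'EVID'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# Render the first event of each EVID as indented XML. The <EventData> child
# element names are the fields the log source type maps into LogRhythm metadata.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Name |
    ForEach-Object {
        $sample = $_.Group[0]
        "`n=== EVID $($_.Name) sample (RecordId $($sample.RecordId)) ==="
        $xml = [xml]$sample.ToXml()
        $sw  = New-Object System.IO.StringWriter
        $xw  = New-Object System.Xml.XmlTextWriter($sw)
        $xw.Formatting = 'Indented'
        $xml.WriteTo($xw)
        $xw.Flush()
        $sw.ToString()
    }
```

Run this on a representative host before and after switching the log source type; the EVID counts tell you which reference pages matter for your deployment, and the XML samples give you concrete events to compare against the LogRhythm Default and LogRhythm Default v2.0 parsing described there.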