We are forwarding Sysmon events from the clients with a Splunk forwarder. The format is XML (WinEventLog). My expectation was that the app is doing field extractions (or aliases) like file_hashes or process_hashes for the Endpoint data model. Is my expectation wrong, or is something wrong with my implementation?
Check GitHub (https://github.com/splunk/TA-microsoft-sysmon). They have a more updated version, especially for the CIM endpoints.
Download the zip, unzip it, remove the '-master' suffix, re-zip it, and upgrade the app.
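The re-packaging step from the answer above, as an added Python example (not code from the thread or from the TA-microsoft-sysmon project): it renames the top-level folder of a GitHub "Download ZIP" archive so that Splunk installs the upload over the existing app instead of creating a second one named with the '-master' suffix. The archive it builds is a constructed stand-in, not the real TA.

```python
import io
import zipfile


def strip_top_level_suffix(src, dst, suffix="-master"):
    """Copy the archive at `src` to `dst`, renaming its single top-level
    folder so it no longer ends in `suffix`.  GitHub's "Download ZIP" names
    that folder <repo>-<branch>; Splunk installs an app under the top-level
    folder name, so leaving '-master' in place would add a second app
    instead of upgrading TA-microsoft-sysmon.  Returns the folder name
    written to `dst`."""
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        tops = {name.split("/", 1)[0] for name in zin.namelist()}
        if len(tops) != 1:
            raise ValueError(f"expected one top-level folder, found {sorted(tops)}")
        old = tops.pop()
        new = old[:-len(suffix)] if old.endswith(suffix) else old
        for info in zin.infolist():
            # Fresh ZipInfo so only the path changes; keep timestamp and mode bits.
            out = zipfile.ZipInfo(new + info.filename[len(old):], info.date_time)
            out.external_attr = info.external_attr
            out.compress_type = zipfile.ZIP_DEFLATED
            zout.writestr(out, zin.read(info))
    return new


def entry_names(archive):
    """Sorted member paths of an archive (used to verify the result)."""
    with zipfile.ZipFile(archive) as z:
        return sorted(z.namelist())


def build_demo_zip():
    """Constructed stand-in for the GitHub download; not the real TA contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("TA-microsoft-sysmon-master/", "")
        z.writestr("TA-microsoft-sysmon-master/default/app.conf", "[launcher]\n")
        z.writestr("TA-microsoft-sysmon-master/default/props.conf", "# constructed\n")
    buf.seek(0)
    return buf


def demo():
    src, dst = build_demo_zip(), io.BytesIO()
    new_top = strip_top_level_suffix(src, dst)
    dst.seek(0)
    names = entry_names(dst)
    dst.seek(0)
    # Idempotent: an archive whose folder already lacks the suffix is copied as-is.
    again = strip_top_level_suffix(dst, io.BytesIO())
    return new_top, names, again
```

For a real download, call `strip_top_level_suffix("TA-microsoft-sysmon-master.zip", "TA-microsoft-sysmon.zip")` and upload the output through Splunk's app install dialog.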