Is anyone else trying to wrap their heads around how to analyze sysmon logs?
It would be nice if fields from different log sources were named and mapped the same…
Any tips for sysmon logs would be greatly appreciated. Maybe a dashboard, or just explain how you are analyzing and using sysmon logs.
Hi,
One thing to start with is the different event types, see here for a high level overview.
For each type of event there are different keys specific to that event, as well as common keys such as hostname and r7_hostId, which can be used to groupby or calculate(unique:hostname), for example.
David
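As an added illustration of the approach in David's reply, here is a small Python script (my own example, not Rapid7's code or query language, and not part of the Sysmon project): it reads Sysmon events, flattens each one onto a fixed set of common keys plus the keys that matter for that event type, and then does the equivalent of a groupby on event type with a count and a unique-hostname calculation. The JSON-lines records are constructed sample data, and their layout (a top-level `EventID`, `hostname` and `r7_hostId` as the common keys) is an assumption; the per-event field names (`Image`, `CommandLine`, `ParentImage`, `DestinationIp`, `DestinationPort`, `TargetFilename`, `UtcTime`) and the event IDs 1, 3 and 11 are Sysmon's own.

```python
"""Normalise Sysmon events onto common keys and summarise them by event type.

Added example for the thread above; the record layout is a constructed
approximation of Sysmon events exported as JSON lines.
"""
import json
from collections import Counter, defaultdict

# Sysmon event IDs covered here and the event-specific fields worth keeping.
SYSMON_EVENT_NAMES = {
    1: "ProcessCreate",
    3: "NetworkConnect",
    11: "FileCreate",
}
EVENT_SPECIFIC_KEYS = {
    1: ("Image", "CommandLine", "ParentImage"),
    3: ("Image", "DestinationIp", "DestinationPort"),
    11: ("Image", "TargetFilename"),
}
# Keys present on every record regardless of event type (assumed layout).
COMMON_KEYS = ("hostname", "r7_hostId", "UtcTime")

# Constructed sample telemetry: one JSON object per line, not real data.
# Raw string so that the JSON "\\" escapes survive as written.
SAMPLE_JSONL = r"""
{"EventID": 1, "hostname": "ws01", "r7_hostId": "h-01", "UtcTime": "2024-01-05 09:00:01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "hostname": "ws01", "r7_hostId": "h-01", "UtcTime": "2024-01-05 09:00:05", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 443}
{"EventID": 1, "hostname": "ws02", "r7_hostId": "h-02", "UtcTime": "2024-01-05 09:01:10", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "hostname": "ws02", "r7_hostId": "h-02", "UtcTime": "2024-01-05 09:02:00", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.ps1"}
{"EventID": 1, "hostname": "srv01", "r7_hostId": "h-03", "UtcTime": "2024-01-05 09:03:30", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 3, "hostname": "ws01", "r7_hostId": "h-01", "UtcTime": "2024-01-05 09:04:12", "Image": "C:\\Windows\\System32\\curl.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 80}
{"EventID": 13, "hostname": "srv01", "r7_hostId": "h-03", "UtcTime": "2024-01-05 09:05:00", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting"}
"""


def normalize(raw):
    """Map one raw record onto a flat dict: common keys first, then the keys
    specific to its event type. Unknown event IDs still get a usable name."""
    event_id = int(raw["EventID"])
    event = {
        "event_id": event_id,
        "event_name": SYSMON_EVENT_NAMES.get(event_id, f"EventID{event_id}"),
    }
    for key in COMMON_KEYS:
        event[key] = raw.get(key)
    for key in EVENT_SPECIFIC_KEYS.get(event_id, ()):
        event[key] = raw.get(key)
    return event


def load_events(text):
    """Parse JSON lines (blank lines ignored) into normalised events."""
    return [normalize(json.loads(line)) for line in text.splitlines() if line.strip()]


def count_by_event(events):
    """Equivalent of groupby(event_name) with a count per group."""
    return dict(Counter(e["event_name"] for e in events))


def unique_hosts_by_event(events):
    """Equivalent of groupby(event_name) + calculate(unique:hostname)."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["event_name"]].add(e["hostname"])
    return {name: len(h) for name, h in hosts.items()}


def hosts_running(events, image_suffix):
    """Pivot on an event-specific key: hosts with a ProcessCreate (ID 1)
    whose Image ends with the given file name."""
    suffix = image_suffix.lower()
    return sorted(
        e["hostname"]
        for e in events
        if e["event_id"] == 1 and (e["Image"] or "").lower().endswith(suffix)
    )


if __name__ == "__main__":
    evs = load_events(SAMPLE_JSONL)
    print("events per type:      ", count_by_event(evs))
    print("unique hosts per type:", unique_hosts_by_event(evs))
    print("hosts that launched powershell.exe:", hosts_running(evs, "powershell.exe"))
```

The two summaries differ for NetworkConnect (two events, one host), which is exactly why the reply distinguishes a plain count from `calculate(unique:hostname)`: a count tells you how noisy a host is, the unique-host figure tells you how widespread an event type is. The fallback name for event ID 13 shows how records of types you have not mapped yet still land in the same grouping rather than being dropped.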