3 comments of timo92700
Hello, thank you for your answer. We are using the WinEventLog and not the XMLWinEventLog sourcetype (renderXml is set to false in the inputs.conf) for Sysmon collection. It may explain why...
OK, thanks! Maybe warn the users in the README / documentation of the ThreatHunting app that the XML sourcetype for Sysmon collection is preferable for it to work correctly.
Hello, same issue here, on RHEL 8.6. Still no ETA on a possible fix?