...
Log in to the Snare agent and create a new audit policy by going to “Audit Policy” and selecting “Add”.
Set the “Identify the high level event” option to “Any event(s)”.
Set the “Source Search Term” to “Microsoft-Windows-Sysmon”.
Check all items in “Identify the event types to be captured”.
...
Save the policy.
Select the “Apply Configuration & Restart Service” option on the navigation menu.
...
Sysmon log data will now be forwarded to all configured destinations.
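To compare what the host generates with what arrives at a destination, the following added check (not part of the original procedure and not Snare's own tooling) counts recent Sysmon events per event ID for the provider the policy matches on. It assumes Sysmon's default channel name `Microsoft-Windows-Sysmon/Operational`, an elevated PowerShell session, and a 15-minute window chosen for illustration.

```powershell
# Added example: summarise local Sysmon events so the totals can be compared
# with what the configured destinations received over the same window.
$provider = 'Microsoft-Windows-Sysmon'               # same value as the "Source Search Term"
$channel  = 'Microsoft-Windows-Sysmon/Operational'   # assumption: default Sysmon channel
$since    = (Get-Date).AddMinutes(-15)               # assumption: illustrative window

# Confirm the channel exists and is enabled before querying it.
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Channel '$channel' not found; Sysmon does not appear to be installed."
    return
}
if (-not $log.IsEnabled) {
    Write-Warning "Channel '$channel' is disabled; no Sysmon events are being written."
    return
}

# Get-WinEvent raises an error when nothing matches, so suppress it and
# treat that case as an empty result.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = $channel
        ProviderName = $provider
        StartTime    = $since
    } -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No events from '$provider' since $since; nothing for the agent to forward."
    return
}

# Per-event-ID counts, highest volume first.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

"Total: {0} events between {1:u} and {2:u}" -f $events.Count, $since, (Get-Date)
```

A destination that shows far fewer events than this total for the same window points to a policy filter or transport problem rather than a missing source.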
...