FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
MD5 in ("b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae","56ceb6d0011d87b6e4d7023d7ef85676") index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
QueryName in ("panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com")index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\solarwinds.businesslayerhost.exe" NOT
(Image in ("*\\SolarWinds\\Orion\\ExportToPDFCmd.Exe","*\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe","*\\SolarWinds\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe","*\\SolarWinds\\Orion\\Database-Maint.exe","*\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe","*\\Windows\\SysWOW64\\WerFault.exe"))index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
Image="*\\solarwinds.businesslayerhost.exe"
TargetFilename in ("*exe","*ps1","*jpg","*png","*dll")```