This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 9%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Seems I’m able to log ‘Details’ with an exclude nothing/include everything but can’t filter what I log.
Keep getting a config update error of:
“Element ‘Details’ is unexpected according to content model of parent element ‘RegistryEvent’.”
Am I missing something here???
Any help would be GREATLY appreciated :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 35%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I think you might have found a bug. Seems as if the "details" field is not supported in v13.02 and schema 4.5 in compound rule. This is how I would express it. The XML simply doesn't meet validation. I've sent an email notifying developers of this thread via syssite@microsoft.com.
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<Rule groupRelation="and" name="">
<EventType condition="contains">SomeValue</EventType>
<Details condition="contains">SomeValue</Details>
</Rule>
</RegistryEvent>
</RuleGroup>
Update. Just did some scope testing. The same problem exists for the following fields:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 60%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I agree that this would be very useful. Good news that the feature is 'in progress'...
Thanks for the reports. Tracking it for an upcoming release.
Thanks, guys!
Just updated my conf after update (13.21/4.70) and "Details" didn't cause any problem.
However, it seems we still can't filter on 'Details'. Is that correct? (According to Swift on Security and Sysmon Modular anyways).
I'm testing my conf with a trigger right now and that's what i'm finding; nothing.
Thanks again!
Ok, I got it. Not sure what I was doing wrong earlier today, but here's my proof.
I don't have an answer or a me too for you but as another operator of sysmon I wanted to say I appreciate you @McGahan, Timothy@CIO for your communication and problem source identification efforts!
Absolutely! Thanks!
I just attempted to update my conf with:
<Sysmon schemaversion="4.30">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<TargetObject name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="end with">\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Windows\Temp\</Details>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\ProgramData\</Details>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">\AppData\</Details>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\$Recycle.bin\</Details>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Temp\</Details>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Users\Public\</Details>
<Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Users\Default\</Details>
</RegistryEvent>
</RuleGroup>
</EventFiltering>
</Sysmon>
Still getting:
System Monitor v13.10 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.50
Sysmon schema version: 4.60
Incorrect field Details
Error: Failed to convert EventFiltering nodes: AttackRangeSysmon.xml