Thanks for the reports. Tracking it for an upcoming release.
Sysmon help: I’m unable to filter on EID 13, data name ‘Details’
McGahan, Timothy@CIO 86 Reputation points
Seems I’m able to log ‘Details’ with an exclude nothing/include everything but can’t filter what I log.
Keep getting a config update error of:
“Element ‘Details’ is unexpected according to content model of parent element ‘RegistryEvent’.”
Am I missing something here???
Any help would be GREATLY appreciated :)
McGahan, Timothy@CIO 86 Reputation points
2021-05-21T19:58:35.627+00:00 I just attempted to update my conf with:
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="end with">\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Windows\Temp\</Details>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\ProgramData\</Details>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">\AppData\</Details>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\$Recycle.bin\</Details>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Temp\</Details>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Users\Public\</Details>
        <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Users\Default\</Details>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
Still getting:
System Monitor v13.10 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.50
Sysmon schema version: 4.60
Incorrect field Details
Error: Failed to convert EventFiltering nodes: AttackRangeSysmon.xml
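Since this build rejects the Details element under RegistryEvent, one fallback is to keep logging EID 13 broadly (the include-everything config that works) and apply the posted rule logic downstream. The block below is an added example, not code from this thread or from Sysmon; it assumes exported events in Sysmon's EventData layout (XML namespace omitted in the constructed sample), matches the Run key as a substring because an EID 13 TargetObject carries the value name after the key, and combines the key match and the Details path as an AND, whereas the posted RuleGroup with groupRelation="or" would include an event on either rule alone.

```python
import xml.etree.ElementTree as ET

# Directories from the posted Details rules; Sysmon "contains" is case-insensitive, so compare lowercased.
SUSPICIOUS_DIRS = ["C:\\Windows\\Temp\\", "C:\\ProgramData\\", "\\AppData\\", "C:\\$Recycle.bin\\",
                   "C:\\Temp\\", "C:\\Users\\Public\\", "C:\\Users\\Default\\"]
# Key path from the posted TargetObject rule, matched as a substring (assumption: value name follows it).
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"

# Constructed sample events (not real telemetry): two SetValue events and one CreateKey event.
SAMPLE_EVENTS = r"""<Events>
  <Event><System><EventID>13</EventID></System><EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\Users\bob\Downloads\setup.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\upd</Data>
    <Data Name="Details">C:\Users\Public\upd.exe</Data>
  </EventData></Event>
  <Event><System><EventID>13</EventID></System><EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Agent</Data>
    <Data Name="Details">C:\Program Files\Vendor\agent.exe</Data>
  </EventData></Event>
  <Event><System><EventID>12</EventID></System><EventData>
    <Data Name="EventType">CreateKey</Data>
    <Data Name="Image">C:\Users\bob\Downloads\setup.exe</Data>
    <Data Name="TargetObject">HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</Data>
  </EventData></Event>
</Events>"""


def event_fields(event):
    """Map EventData <Data Name=...> entries to a dict; EID 12 events carry no Details field."""
    return {d.get("Name"): (d.text or "") for d in event.iter("Data")}


def is_suspicious_run_value(fields):
    """True when a value under the watched Run key is set to a path in one of the watched directories."""
    if fields.get("EventType") != "SetValue":
        return False
    target = fields.get("TargetObject", "").lower()
    details = fields.get("Details", "").lower()
    if RUN_KEY.lower() not in target:
        return False
    return any(d.lower() in details for d in SUSPICIOUS_DIRS)


def find_suspicious(xml_text):
    """Return (Image, TargetObject, Details) for each EID 13 event that trips the combined rule."""
    hits = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        f = event_fields(ev)
        if ev.findtext("System/EventID") == "13" and is_suspicious_run_value(f):
            hits.append((f["Image"], f["TargetObject"], f["Details"]))
    return hits
```

Running find_suspicious over the sample flags only the first event: the installer writing a Public-directory path into the Run key; the vendor agent under Program Files and the bare CreateKey event are left alone.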