McGahanTimothyCIO-5151 asked McGahanTimothyCIO-5151 commented

Sysmon help: I’m unable to filter on EID 13, data name ‘Details’

Seems I’m able to log ‘Details’ with an exclude nothing/include everything but can’t filter what I log.

Keep getting a config update error of:

“Element ‘Details’ is unexpected according to content model of parent element ‘RegistryEvent’.”

Am I missing something here???

Any help would be GREATLY appreciated :)

windows-sysinternals-sysmon

I agree that this would be very useful. Good news that the feature is 'in progress'...


I think you might have found a bug. Seems as if the "details" field is not supported in v13.02 and schema 4.5 in a compound rule. This is how I would express it. The XML simply doesn't meet validation. I've sent an email notifying developers of this thread via syssite@microsoft.com.

    <RuleGroup name="" groupRelation="or">
        <RegistryEvent onmatch="include">
            <Rule groupRelation="and" name="">
                <EventType condition="contains">SomeValue</EventType>
                <Details condition="contains">SomeValue</Details>
            </Rule>
        </RegistryEvent>
    </RuleGroup>

Update. Just did some scope testing. The same problem exists for the following fields:
- RegistryEvent.RegistryValueSet.Details
- WmiEvent.WmiEventFilter.EventNamespace
- WmiEvent.WmiEventFilter.Name
- WmiEvent.WmiEventFilter.Query
- WmiEvent.WmiEventConsumer.Name
- WmiEvent.WmiEventConsumer.Type
- WmiEvent.WmiEventConsumer.Destination

foxmsft answered McGahanTimothyCIO-5151 commented

Thanks for the reports. Tracking it for an upcoming release.


@foxmsft

Just updated my conf after update (13.21/4.70) and "Details" didn't cause any problem.

However, it seems we still can't filter on 'Details'. Is that correct? (According to Swift on Security and Sysmon Modular anyways).

I'm testing my conf with a trigger right now and that's what I'm finding: nothing.

Thanks again!


Ok, I got it. Not sure what I was doing wrong earlier today, but here's my proof.

[attachment: image.png]

dstaulcu (replying to McGahanTimothyCIO-5151):

I don't have an answer or a me too for you but as another operator of sysmon I wanted to say I appreciate you @McGahanTimothyCIO-5151 for your communication and problem source identification efforts!


Absolutely! Thanks!

McGahanTimothyCIO-5151 answered

I just attempted to update my conf with:

    <Sysmon schemaversion="4.30">
      <EventFiltering>
        <RuleGroup name="" groupRelation="or">
          <RegistryEvent onmatch="include">
            <TargetObject name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="end with">\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Windows\Temp\</Details>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\ProgramData\</Details>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">\AppData\</Details>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\$Recycle.bin\</Details>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Temp\</Details>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Users\Public\</Details>
            <Details name="technique_id=AO.TA0003.T1547.001.003,technique_name=Suspicious RUN Key from Download" condition="contains">C:\Users\Default\</Details>
          </RegistryEvent>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>


Still getting:

    System Monitor v13.10 - System activity monitor
    Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
    Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
    Sysinternals - www.sysinternals.com

    Loading configuration file with schema version 4.50
    Sysmon schema version: 4.60
    Incorrect field Details
    Error: Failed to convert EventFiltering nodes: AttackRangeSysmon.xml
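Once a Sysmon build accepts `Details` in a rule, the two rule shapes that appear in this thread behave quite differently: in the flat block above, `TargetObject` and each `Details` element are sibling rules joined by the RuleGroup's `groupRelation="or"`, so a match on any single one of them logs the event, whereas the `<Rule groupRelation="and">` form from the first comment only logs when every field inside it matches. The Python below is an added example, not code from the thread or from Sysinternals: it is a simplified model of Sysmon's documented filter semantics (case-insensitive field conditions, sibling rules combined by the group relation, exclude matches winning over include matches) run over constructed EID 13 records. The rule name, registry values and paths are made up for illustration, and `TargetObject` is matched with `contains` rather than `end with` because the TargetObject of a value write ends in the value name, not the key.

```python
"""Simplified model of Sysmon RegistryEvent (EID 12/13/14) rule evaluation.

Added example (not the thread's or Sysinternals' code). Assumes the documented
semantics: case-insensitive matching, each direct child of <RegistryEvent> is
its own rule joined by the RuleGroup's groupRelation, <Rule groupRelation="and">
needs every field to match, and an exclude hit wins over an include hit.
"""
import xml.etree.ElementTree as ET

# Flat form, as in the answer above: sibling rules joined by "or".
FLAT_OR_CONFIG = r"""
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
        <Details condition="contains">C:\Users\Public\</Details>
        <Details condition="contains">C:\ProgramData\</Details>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Compound form, as in the first comment: Run key AND a staging-directory value.
COMPOUND_AND_CONFIG = r"""
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <Rule groupRelation="and" name="run_key_from_staging_dir">
          <TargetObject condition="contains">\CurrentVersion\Run\</TargetObject>
          <Details condition="contains any">C:\Users\Public\;C:\ProgramData\</Details>
        </Rule>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def _match(cond, value, pattern):
    """One Sysmon field condition (a subset of the documented set)."""
    v, p = value.lower(), pattern.lower()
    parts = [s.strip() for s in p.split(";") if s.strip()]  # for "contains any/all"
    table = {
        "is": v == p,
        "is not": v != p,
        "contains": p in v,
        "excludes": p not in v,
        "begin with": v.startswith(p),
        "end with": v.endswith(p),
        "contains any": any(s in v for s in parts),
        "contains all": all(s in v for s in parts),
        "image": v == p or v.endswith("\\" + p),  # full path or bare image name
    }
    if cond not in table:
        raise ValueError(f"unsupported condition: {cond}")
    return table[cond]


def _rule_matches(elem, event):
    """A <Rule> element, or a single field element such as <Details>."""
    if elem.tag == "Rule":
        hits = [_rule_matches(child, event) for child in elem]
        return all(hits) if elem.get("groupRelation", "or").lower() == "and" else any(hits)
    cond = elem.get("condition", "is").lower()
    return _match(cond, event.get(elem.tag, ""), (elem.text or "").strip())


def evaluate(config_xml, event, event_type="RegistryEvent"):
    """True if this model would log `event` (dict of Sysmon field -> value)."""
    root = ET.fromstring(config_xml)
    include_seen = exclude_seen = include_hit = False
    for group in root.iter("RuleGroup"):
        rel = group.get("groupRelation", "or").lower()
        for block in group.findall(event_type):
            hits = [_rule_matches(child, event) for child in block]
            hit = all(hits) if rel == "and" else any(hits)
            if block.get("onmatch") == "exclude":
                exclude_seen = True
                if hit:
                    return False  # an exclude match always wins
            else:
                include_seen = True
                include_hit = include_hit or hit
    if include_seen:
        return include_hit
    return exclude_seen  # exclude-only block logs everything else; no block: off (simplified)


# Constructed EID 13 (SetValue) records; TargetObject carries the value name.
CV = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"


def _ev(target, details):
    return {"EventType": "SetValue", "TargetObject": target, "Details": details}


EVENTS = {
    "run_key_public_dir": _ev(CV + r"\Run\Updater", r"C:\Users\Public\updater.exe"),
    "run_key_program_files": _ev(CV + r"\Run\VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    "uninstall_key_programdata": _ev(CV + r"\Uninstall\App\InstallLocation", r"C:\ProgramData\App\setup.exe"),
    "uninstall_key_program_files": _ev(CV + r"\Uninstall\App\InstallLocation", r"C:\Program Files\App\setup.exe"),
}


def compare(events=EVENTS):
    """Map event name -> (logged by flat 'or' config, logged by compound 'and' rule)."""
    return {name: (evaluate(FLAT_OR_CONFIG, ev), evaluate(COMPOUND_AND_CONFIG, ev))
            for name, ev in events.items()}
```

Calling `compare()` shows the difference: the flat "or" block logs every write under a Run key and every write of a `C:\ProgramData\` path anywhere in the registry, while the compound "and" rule logs only the Run-key write whose value points into a staging directory. That is the shape to reach for once a Sysmon build accepts `Details` inside a `<Rule>`.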