Hello! Is there any possibility to include in Sysmon Event ID 22 the name of the owner of the parent process that generates the DNS query?
Hi,
Just want to confirm the current situation.
Please feel free to let us know if you need further assistance.
Best Regards,
Sunny
Hi,
Thanks for posting in Q&A platform.
I have tested this in my lab and get Event 22 in Sysmon-Operational with detailed information, as in the following attached screenshot:


If this includes the information you need, please try the following detailed steps to configure Sysmon:
A. Please go to this link: https://github.com/SwiftOnSecurity/sysmon-config and click sysmonconfig-export.xml.
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

B. Click Raw, in the new window, right click the content and select Save as to save this file on your desktop.



C. Then please run the following commands separately in a CMD window with admin privileges (please note that I saved the Sysmon-related files on my desktop):
cd desktop
cd sysmon
sysmon -c ..\sysmonconfig-export.xml

D. Then you could go to Event viewer to check the details in Event 22.
Best Regards,
Sunny
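As an added example that is not part of Sunny's answer or of Sysmon itself: Event ID 22 (DnsQuery) records the querying process's ProcessGuid, Image and User but carries no parent-process fields, so the parent's owner has to be recovered by joining Event 22 to Event ID 1 (ProcessCreate) on ProcessGuid and then following ParentProcessGuid to the parent's own ProcessCreate record. The field names used below (ProcessGuid, ParentProcessGuid, ParentImage, Image, User, QueryName) are assumed from the current Sysmon event schema; run it in an elevated PowerShell session on a host where the SwiftOnSecurity config above has ProcessCreate and DnsQuery logging enabled.

```powershell
# Added example (not from the original thread): recover the parent process and its owner
# for each Sysmon Event ID 22 by correlating with Event ID 1 via ProcessGuid.
# Assumes the Sysmon schema fields ProcessGuid, ParentProcessGuid, ParentImage, Image, User, QueryName.

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by field name
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$log   = 'Microsoft-Windows-Sysmon/Operational'
$since = (Get-Date).AddHours(-1)   # look-back window; widen it if parents started earlier

# Index every ProcessCreate event by ProcessGuid (unique per process instance, unlike a PID)
$procs = @{}
foreach ($ev in Get-WinEvent -FilterHashtable @{LogName=$log; Id=1; StartTime=$since} -ErrorAction SilentlyContinue) {
    $f = ConvertFrom-SysmonEvent $ev
    $procs[$f.ProcessGuid] = $f
}

# For each DNS query: ProcessGuid -> its ProcessCreate -> ParentProcessGuid -> parent's ProcessCreate -> User
Get-WinEvent -FilterHashtable @{LogName=$log; Id=22; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $q      = ConvertFrom-SysmonEvent $_
    $proc   = $procs[$q.ProcessGuid]
    $parent = $null
    if ($proc -and $proc.ParentProcessGuid) { $parent = $procs[$proc.ParentProcessGuid] }
    [pscustomobject]@{
        UtcTime     = $q.UtcTime
        QueryName   = $q.QueryName
        Image       = $q.Image
        User        = $q.User
        ParentImage = if ($proc)   { $proc.ParentImage } else { '<no ProcessCreate in window>' }
        ParentUser  = if ($parent) { $parent.User }      else { '<parent started before window>' }
    }
  } | Format-Table -AutoSize
```

The join only succeeds for processes whose ProcessCreate event falls inside the query window, so long-lived parents (services, explorer.exe) need a wider StartTime or an index built from the whole log.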