question

slavaNBA-9537 asked SunnyQi-MSFT commented

Sysmon DNS Query - owner of the parent process

Hello! There is any possibility to include to Sysmon Event id 22 the name of the owner of the parent process who generates DNS Query?

Tags: windows-dhcp-dns, windows-sysinternals-sysmon

Hi,

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

Best Regards,
Sunny


1 Answer

SunnyQi-MSFT answered

Hi,

Thanks for posting in Q&A platform.

I have tested in my lab and got Event 22 in Sysmon-Operational with detailed information, as shown in the following attached screenshots:

[screenshot: image-11.png]

[screenshot: image-12.png]

If this information includes what you need, please try the following detailed steps to configure Sysmon:

A. Please go to this link https://github.com/SwiftOnSecurity/sysmon-config and click sysmonconfig-export.xml.
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

[screenshot: image-13.png]

B. Click Raw; in the new window, right-click the content and select Save as to save this file to your desktop.

[screenshot: image-14.png]

[screenshot: image-17.png]

[screenshot: image-15.png]

C. Then please run the following commands one at a time in a CMD window with admin privileges (please note that I saved the Sysmon-related files on my desktop):

cd desktop
cd sysmon
sysmon -c ..\sysmonconfig-export.xml

[screenshot: image-16.png]

D. Then you could go to Event Viewer to check the details in Event 22.

Best Regards,
Sunny


If the answer is helpful, please click "Accept Answer" and upvote it.

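The question asks for the owner of the parent process in Event 22, but Event 22 only carries the querying process itself (ProcessGuid, Image). The parent and its owner can be recovered on the analysis side by joining Event 22 with the Event 1 (process creation) records, as in this added Python example, which is not code from the thread or from Sysmon: it parses events in the XML shape Event Viewer's XML view shows and assumes the standard Sysmon field names ProcessGuid, ParentProcessGuid, Image, User and QueryName; the GUIDs, paths and account in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three Sysmon records in the shape Event Viewer's XML view
# shows. GUIDs, paths and the user name are made up; only the fields needed for
# the join are included.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="ProcessGuid">{A1}</Data><Data Name="Image">C:\Windows\explorer.exe</Data>
<Data Name="User">LAB\alice</Data><Data Name="ParentProcessGuid">{A0}</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="ProcessGuid">{B2}</Data><Data Name="Image">C:\Windows\System32\nslookup.exe</Data>
<Data Name="User">LAB\alice</Data><Data Name="ParentProcessGuid">{A1}</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
<EventData><Data Name="ProcessGuid">{B2}</Data><Data Name="QueryName">example.com</Data>
<Data Name="Image">C:\Windows\System32\nslookup.exe</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Return a list of (event_id, {field_name: value}) from exported Sysmon XML."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        fields = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((event_id, fields))
    return events

def enrich_dns_queries(events):
    """Attach parent image and parent owner to every Event 22 (DNS query).
    Event 22 names only the querying process, so the parent is found by two
    lookups: query -> its Event 1 -> ParentProcessGuid -> the parent's Event 1."""
    by_guid = {f["ProcessGuid"]: f for eid, f in events if eid == 1}
    enriched = []
    for eid, f in events:
        if eid != 22:
            continue
        proc = by_guid.get(f.get("ProcessGuid"), {})
        parent = by_guid.get(proc.get("ParentProcessGuid"), {})
        enriched.append({
            "QueryName": f.get("QueryName"),
            "Image": f.get("Image"),
            "ParentImage": parent.get("Image"),
            # None when the parent's Event 1 was never logged (it started before
            # Sysmon, or the config excluded it); callers must handle that case.
            "ParentUser": parent.get("User"),
        })
    return enriched
```

On a live host the same XML can be obtained with Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log and each event's ToXml() method; the join logic is unchanged.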

