cavell-3456 asked MichaelN-3711 answered

Sysmon 13.10 parsing wrong events

Hi there,

Just wanted to confirm whether the reported issue is acknowledged and observed in multiple environments (I have already seen some posts related to the same issue).
I am testing various Sysmon configurations and I observe the following pattern with rule definitions and groupRelation set to "and".
For example, I have applied a config file which only has the following content:

92099-image.png


However, this configuration seems to generate all kinds of events that are not even close to matching the defined behavior.
Example is below:

92100-image.png

What I have seen so far is that such rule definitions including several conditions work well for exclusions, but for some reason they match all kinds of stuff when used in Include clauses.


Is it a known issue and is there a fix for that?

Cheers

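To make the expected semantics of groupRelation="and" in an include block concrete, here is a small reference evaluator added for illustration; it is not the asker's configuration (which exists only in the screenshot) and not Sysmon's own code. The config XML, the sample events and the schemaversion value are constructed for the example, and only the flat RuleGroup/field layout is handled (no nested Rule elements).

```python
import xml.etree.ElementTree as ET

# Constructed example config: log ProcessAccess only when BOTH conditions hold.
# schemaversion is a placeholder; use the one your Sysmon build reports.
CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="lsass-access" groupRelation="and">
      <ProcessAccess onmatch="include">
        <TargetImage condition="image">lsass.exe</TargetImage>
        <GrantedAccess condition="is">0x1010</GrantedAccess>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def _cond(op, expected, actual):
    """Evaluate one Sysmon condition operator (case-insensitive, like Sysmon)."""
    a, e = actual.lower(), expected.lower()
    return {
        "is": a == e, "is not": a != e, "contains": e in a,
        "begin with": a.startswith(e), "end with": a.endswith(e),
        # "image" matches on the file name, so a bare lsass.exe matches a full path
        "image": a.rsplit("\\", 1)[-1] == e.rsplit("\\", 1)[-1],
    }[op]

def parse_rules(xml_text):
    """Return [(event_type, onmatch, groupRelation, [(field, op, value), ...])]."""
    rules = []
    for group in ET.fromstring(xml_text).iter("RuleGroup"):
        relation = group.get("groupRelation", "or")   # Sysmon's default is "or"
        for ev in group:
            conds = [(f.tag, f.get("condition", "is"), f.text or "") for f in ev]
            rules.append((ev.tag, ev.get("onmatch"), relation, conds))
    return rules

def should_log(rules, event_type, event):
    """True if an include rule matches and no exclude rule matches.
    'and' requires every field condition to hold; 'or' needs any one of them.
    Event types with no rules at all are out of scope for this example."""
    combine = {"and": all, "or": any}
    included = excluded = False
    for etype, onmatch, relation, conds in rules:
        if etype != event_type:
            continue
        hit = combine[relation](_cond(op, val, event.get(fld, "")) for fld, op, val in conds)
        if onmatch == "include":
            included |= hit
        else:
            excluded |= hit
    return included and not excluded
```

An event that satisfies only one of the two fields (the situation the screenshot shows being logged) evaluates to False here, which is the behaviour an "and" group is supposed to give.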

MichaelN-3711 answered

Interesting. So in addition to file creation events and registry events discussed in this thread, there are similar problems with process access events.

This looks more and more like this is a major logic bug (or bugs). Pinging the dev guys at MS through @foxmsft to make sure they have this new info.


MichaelN-3711 answered

@cavell-3456, if you haven't seen it already, I believe this bug is fixed in Sysmon v13.20 released on May 25th.

I had similar issues and they were fixed in this version!
