Hi there,
Just wanted to confirm whether the reported issue is acknowledged and observed in multiple environments (I have already seen some posts related to the same issue).
I am testing various Sysmon configurations and I observe the following pattern with rule definitions and groupRelation set to "and".
For example, I have applied a config file which only has the following content:

However, this configuration seems to generate all kinds of events that are not even close to matching the defined behavior.
An example is below:

What I have seen so far is that this type of rule definition, including several conditions, works well for exclusions, but for some reason it matches all kinds of stuff when used in Include clauses.
Is it a known issue, and is there a fix for that?
Cheers