Other windows rules stop firing.

[strengthnotes]

Josh, Been playing with variations of this for Sysmon3 when I write my decoder similar to yours with parent and type as windows, OSSEC stops alerting on other windows events. Have you notices this type of behaviour?

[defensivedepth]

I am deploying Sysmonv3 in my test environment Thursday.. I will let you know what I find by the end of this week...

[strengthnotes]

Yeah I have not worked much with custom parsers/rules so may be doing something wrong but Brian Kellogg mentioned having the same issue here.

https://groups.google.com/forum/#!topic/security-onion/hBmJ2q5NuaY

[defensivedepth]

Just an update on this issue... I am currently tweaking the ELSA & OSSEC parsers for Sysmon v3, and hope to have them done & tested within the next week or two.

[strengthnotes]

Sounds good let me know if I can assist in any way.

[defensivedepth]

I just posted the v3 decoder, as well as an updated version of the v1 decoder. Try removing the tag and see if that helps as well....

https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml

[strengthnotes]

Thanks Josh I will check it out sometime this week or next. What do you mean by "try removing the tag"

[defensivedepth]

Sorry, left out a word... On the v1 decoder, I removed the tag, which should not have been in there...

[defensivedepth]

Side note, are you running the decoder + rules in a SO distributed environment?

[strengthnotes]

Not currently just single SO standalone.