Paul Masek

icon location https://twitter.com/paul_masek https://www.linkedin.com/in/paul-masek/

Results 7 comments of Paul Masek

The description for Event ID 1 from source Microsoft-Windows-Sysmon cannot be found

Had this same issue while testing out different ways to deploy Sysmon and an internally customized version of @SwiftOnSecurity 's config. Just restart Event Viewer. "Event Viewer was not restarted...

Event IDs with both Include and Exclude Filters

There could just be a sysmon -c view issue that's preventing the excludes in those two Event IDs from being displayed. The main issue I have though is that I...

Event IDs with both Include and Exclude Filters

I've spoken with another colleague who also wasn't able to get additional exclusions working for Event ID 3 in z-AlphaVersion.xml. He came to this finding completely separate from me.

Event IDs with both Include and Exclude Filters

@grokdesigns I'm on 10.2 now as well. I made your recommended change of breaking out inclusions/exclusions for the same event types into different rule groups. That fixed it for me...

Ruleset update to support new Sysmon 10 capabilities

Thanks for creating it so quickly after Sysmon v10 was released. I'll be sure to try out rules made here once you start developing them.

Ruleset update to support new Sysmon 10 capabilities

What about additions to the decoder? For example should there be an entry in https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0380-windows_decoders.xml for the new Event ID 22: DNSEvent (DNS query)?

Ruleset update to support new Sysmon 10 capabilities

We're on the latest version, 3.9.2. Thanks for your work on this invaluable feature!