none
Different filtering capabilities in ProcessCreate vs ProcessTerminate

    Question

  • I am trying to filter a few processes based on CommandLine and ParentCommandLine. Noticed a strange behavior where this is supported in the ProcessCreate config blob, but when copy/pasting the same two statements into ProcessTerminate I get the following error:
    Loading configuration file with schema version 4.00
    Error: Incorrect XML configuration: c:\temp\Sysmon.xml
    Reason: Element 'CommandLine' is unexpected according to content model of parent element 'ProcessTerminate'.
    Expecting: UtcTime, ProcessGuid, ProcessId, Image.

    Is there a reason for this

    Monday, April 1, 2019 3:24 PM

All replies

  • Hello

    You can see the list of fields for each event either by looking at an event in the event log or by dumping the schema using the sysmon -s command. For Process Terminate this returns

         <event name="SYSMON_PROCESS_TERMINATE" value="5" level="Informational" template="Process terminated" rulename="ProcessTerminate" ruledefault="include" version="3">
          <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
          <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
          <data name="ProcessGuid" inType="win:GUID" />
          <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
          <data name="Image" inType="win:UnicodeString" outType="xs:string" />
        </event>

    So neither CommandLine nor ParentCommandLine are valid in this context.

    If you want to correlate the ProcessTerminate events with ProcessCreate you could use the ProcessGUID as a correlation ID (you could potentially use the ProcessId too but these can be and are reused)

    MarkC (MSFT)

    Thursday, April 4, 2019 9:14 AM
  • Sorry Mark, just seeing your reply. I guess my thought was that if we are filtering a process for ProcessCreate event based on some set of criteria, it'd be nice to be able to filter that same process for ProcessTerminate based on the same criteria.
    Friday, April 12, 2019 4:14 PM