Sysmon v10.1 exclude/include precedence not being honored

  • Question

  • Upgraded hosts to Sysmon v10.1 and I'm seeing a case where an exclude rule is being overridden by an include rule although the docs say it should be vice versa. Was working properly with v8.00.

    Relevant configs:

    <!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
    <RuleGroup name="" groupRelation="or">
        <!-- Include filter: match any NetworkConnect event whose destination port is 443 -->
        <NetworkConnect onmatch="include">
            <DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">443</DestinationPort>
        </NetworkConnect>
        <!-- Exclude filter: match any NetworkConnect event whose destination IP is 1.1.1.1 -->
        <NetworkConnect onmatch="exclude">
            <DestinationIp condition="is">1.1.1.1</DestinationIp> <!--Whitelisted IP-->
        </NetworkConnect>
    </RuleGroup>

    Thursday, June 27, 2019 1:08 PM
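As an added illustration (not code from the poster or from Sysmon itself), the following Python script models the precedence the Sysmon documentation describes, where a matching exclude rule always wins over a matching include rule, and runs the posted NetworkConnect rules against a few constructed events. It wraps the posted RuleGroup in an assumed `<Sysmon>`/`<EventFiltering>` root (the `schemaversion` value is an assumption), understands only a subset of Sysmon's condition keywords, and does not model every corner of Sysmon's filtering engine; the sample events are made up, not captured logs. It shows what the documented behaviour would produce for the configuration in the question: the 443 connection to 1.1.1.1 is dropped and the 443 connection to any other address is logged.

```python
"""Model of Sysmon's documented include/exclude precedence, applied to the
NetworkConnect rules from the post above. Added example, not Sysmon's own code."""
import xml.etree.ElementTree as ET

# The posted RuleGroup, wrapped in an assumed <Sysmon>/<EventFiltering> root so it
# parses as a complete document. The schemaversion value is an assumption.
SYSMON_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">443</DestinationPort>
      </NetworkConnect>
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">1.1.1.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def _match(cond, rule_value, field_value):
    """Evaluate one Sysmon rule condition. Only a subset of the real keywords is modelled."""
    f, r = str(field_value), rule_value
    if cond == "is":
        return f == r
    if cond == "is not":
        return f != r
    if cond == "contains":
        return r in f
    if cond == "begin with":
        return f.startswith(r)
    if cond == "end with":
        return f.endswith(r)
    raise ValueError(f"unsupported condition {cond!r}")


def load_rules(xml_text, event_type="NetworkConnect"):
    """Return (include_rules, exclude_rules, group_relation) for one event type.

    Each rule is a (field, condition, value) tuple taken from the filter's child elements.
    """
    root = ET.fromstring(xml_text)
    includes, excludes, relation = [], [], "or"
    for group in root.iter("RuleGroup"):
        for filt in group.findall(event_type):
            relation = group.get("groupRelation", "or")
            bucket = includes if filt.get("onmatch") == "include" else excludes
            for field in filt:
                bucket.append((field.tag, field.get("condition", "is"), (field.text or "").strip()))
    return includes, excludes, relation


def should_log(event, includes, excludes, relation="or"):
    """Documented semantics: an event is logged only if it matches the include filter
    and does NOT match the exclude filter; exclude is checked first and takes precedence."""
    def matches(rules):
        if not rules:
            return False
        hits = [_match(cond, value, event.get(field, "")) for field, cond, value in rules]
        return all(hits) if relation == "and" else any(hits)

    if matches(excludes):  # exclude wins regardless of any include match
        return False
    return matches(includes)


INCLUDES, EXCLUDES, RELATION = load_rules(SYSMON_CONFIG)

# Constructed sample events (not real Sysmon captures).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "13.107.42.14", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "1.1.1.1", "DestinationPort": 53},
]


def evaluate(events=SAMPLE_EVENTS):
    """Apply the loaded rules to each event; True means Sysmon should emit Event ID 3."""
    return [should_log(e, INCLUDES, EXCLUDES, RELATION) for e in events]


if __name__ == "__main__":
    for event, logged in zip(SAMPLE_EVENTS, evaluate()):
        dest = f"{event['DestinationIp']}:{event['DestinationPort']}"
        print(f"{dest:<20} -> {'LOGGED' if logged else 'dropped'}")
```

Under these rules the first event (port 443, non-whitelisted address) is logged and the second (port 443 to 1.1.1.1) is dropped, which is the behaviour the poster expects from the documentation. If the real sensor emits Event ID 3 for the second case, the precedence is not being applied as documented; comparing the model's output with `Get-WinEvent` results for the same connections is a quick way to confirm which rule actually fired.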
