Sysmon filtering changes in 8.02

    Question

  • The Sysmon documentation states the following:

    Rules that specify a condition for the same field name behave as OR conditions, and ones that specify different field name behave as AND conditions

    As several users have pointed out, this was not always working correctly in 8.00 and earlier versions. This has been resolved for 8.02.

    In a small number of cases this has broken existing configurations, because the AND condition means that you must have a matching rule for ALL fields that you filter. If you include ProcessCreate rules on Image, CommandLine and ParentImage, for example, these must ALL match. Otherwise the event will be excluded.

    If you experience any difficulties with this or have any further questions please email sysmonsupport@microsoft.com and we will do our best to help.

    MarkC (MSFT)

    Wednesday, December 12, 2018 6:59 PM
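A small Python model of the two ways rule conditions combine as described in this thread, added here as an illustration (not Sysmon's own code and not from the original post). The include rule, the sample events, the limited operator set (`is`, `contains`) and case-insensitive matching are all assumptions of the model.

```python
from typing import Dict, List, Tuple

Condition = Tuple[str, str, str]  # (field name, operator, value)
# Constructed ProcessCreate include rule (hypothetical, not from the thread):
# two conditions on Image, one each on CommandLine and ParentImage.
INCLUDE_RULE: List[Condition] = [
    ("Image", "contains", "powershell.exe"),
    ("Image", "contains", "pwsh.exe"),
    ("CommandLine", "contains", "-enc"),
    ("ParentImage", "contains", "winword.exe"),
]

# Constructed sample ProcessCreate events (not real telemetry).
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc <base64-placeholder>", "ParentImage": WORD},
    {"id": "e2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": "e3", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": WORD},
    {"id": "e4", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -enc <base64-placeholder>", "ParentImage": WORD},
]

def condition_matches(cond: Condition, event: Dict[str, str]) -> bool:
    """Evaluate one condition; only 'is' and 'contains' are modeled (case-insensitive, assumed)."""
    field, op, value = cond
    actual = event.get(field, "").lower()
    if op == "is":
        return actual == value.lower()
    if op == "contains":
        return value.lower() in actual
    raise ValueError(f"unsupported operator: {op}")

def rule_matches(rule: List[Condition], event: Dict[str, str], mode: str) -> bool:
    # 'or': any condition matches (6.20 documentation wording, restored in 8.04);
    # 'and_across_fields': same-field conditions OR'd, different fields AND'd (8.02).
    if mode == "or":
        return any(condition_matches(c, event) for c in rule)
    if mode == "and_across_fields":
        by_field: Dict[str, List[Condition]] = {}
        for c in rule:
            by_field.setdefault(c[0], []).append(c)
        return all(any(condition_matches(c, event) for c in conds)
                   for conds in by_field.values())
    raise ValueError(f"unknown mode: {mode}")

def included_events(mode: str) -> List[str]:
    # IDs of the sample events the include rule would log under the given semantics.
    return [e["id"] for e in EVENTS if rule_matches(INCLUDE_RULE, e, mode)]
```

Under the 8.02 semantics only e1 and e4 are logged (e4 shows the OR between the two Image conditions), while e2 and e3, which match a single field, are dropped; under the OR semantics all four are logged.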

All replies

  • MarkC,

    The clause you reference in the sysmon documentation was revised in sysmon 6.20, to read as follows (this wording is taken from the new sysmon 8.02):

    "You can use both include and exclude rules for the same tag, where exclude rules override include rules. Within a
    rule, filter conditions have OR behavior. In the sample configuration shown earlier, the networking filter uses both
    an include and exclude rule to capture activity to port 80 and 443 by all processes except those that have
    iexplore.exe in their name."

    The previous wording, which you reference above, was as follows (text taken from sysmon 6.10):

    "You can use both include and exclude rules for the same tag, where exclude rules override include rules. Within a
    rule, filter conditions on the same field have OR behavior, whereas conditions on different fields have AND behavior.
    In the sample configuration shown earlier, the networking filter uses both an include and exclude rule to capture
    activity to port 80 and 443 by all processes except those that have iexplore.exe in their name."

    At this moment, I'm still trying to determine exactly what was changed from 8.0 to 8.02, but, since the quoted line in the embedded documentation hasn't changed from 6.20 to 8.02, I'm assuming it's NOT what you're stating above.

    Can you please clarify this?

    Thanks

    John McCash



    • Edited by John McCash Monday, December 17, 2018 2:04 PM
    Monday, December 17, 2018 1:43 PM
  • Hi John

    Actually, I just reverted this change for the 8.04 release. We were planning on extending the schema to make this configurable, but Mark wants to revisit filtering in more depth, so stay tuned. In the meantime, I'd recommend the 8.04 release to anybody logging ImageLoad events on Windows 7/Server 2008, as the big change for the 8.02 release was actually a massive performance boost on these platforms.

    Regards

    Mark

    Tuesday, December 18, 2018 11:28 PM
  • Hi,

    I am a bit confused. Performance issues for ImageLoad were fixed in release 8.02; do we expect more fixes in 8.04? Should we wait with deployment on Windows 7/Server 2008?

    Thanks,

    Boaz

    Wednesday, December 19, 2018 9:49 AM
  • Sorry for the confusion. You are correct, the performance updates were in 8.02, but several users were reluctant to deploy it because of the filtering changes. For these users I would recommend the 8.04 release.
    Wednesday, December 19, 2018 5:10 PM
  • I just redownloaded, and realized that the version that's up there now IS 8.04.

    John

    Wednesday, December 19, 2018 7:52 PM
  • Hello MarkC,

    Just tried to e-mail the mentioned address, but it seems to be nonexistent. Is there another address or way to reach the team?

    Kind regards,

    Jeffrey 

    Wednesday, February 13, 2019 1:50 PM