locked
sysmon - v12.02 - RegistryEvent - partial information logged RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hello,

    I might have stumbled across something looking like a bug.

    Using the following configuration:

    <Sysmon schemaversion="4.40">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RegistryEvent onmatch="exclude">
	</RegistryEvent>
  </EventFiltering>
</Sysmon>

    The expected behavior based on the documentation is to see events for various registry operation (12,13,14). I can only see 14.

    Downgrading the service to sysmon v11.11, schema version 4.32, I see those events I expected to see.

    Question: is this a known problem with v12.02 and is there some workaround besides using older sysmon versions?

    Thank you,

    Bogdan

    Monday, November 16, 2020 10:39 AM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    for us all 12,13 stopped with v12.02 so yes we have seen the same issue.

    Monday, November 16, 2020 2:17 PM
  • Question
    Sign in to vote
    1
    Sign in to vote
    Thank you for reporting, also noticed this behavior, the fix is incoming with the next release.
    • Edited by alexm(msft) Monday, November 16, 2020 3:44 PM
    Monday, November 16, 2020 3:43 PM