When is it an AND and when is it an OR ? #27
Comments
|
All the testing I've done has shown that the "AND" isn't working as documented and everything is just a big "OR". According to the docs:
|
|
@gwsales Thank you ! I was wondering if I was the only person who was seeing that (I certainly know I'm not, but then why does the developer say that the AND condition works in the official Sysmon download page.) Tons of infosec people are using Sysmon, and this config is called out everywhere as a reference guide. Requesting the author (or any of the experienced community leaders) to please help clarify this one seemingly simple & basic question. Here is another place I've asked the same question & got no response back: |
Please keep just a simple snippet in the README (or in the inline comments), to understand when are the conditions being OR-ed & when are the conditions being AND-ed.
Example: https://pastebin.com/MdR8KGcs
(the text in the angle brackets were not showing up, so pasted the query at pastebin - simple ascii)
I did some testing, but can't get this to work:
If I want to log only network connection events when the destination port is 80 or 443 and the originating process is chrome.exe, how do I do that ?
The text was updated successfully, but these errors were encountered: