
Sysmon v7 requires schema version update. #45

Closed
kyhwana opened this issue Jan 3, 2018 · 1 comment · Fixed by DefenseStorm/sysmon-config#2

Comments

kyhwana commented Jan 3, 2018

Looks like sysmon v7 doesn't accept setting the config with a v3.30 schema. Updating the schema version to 4.0 seems to fix this.
I haven't found any documentation on what's changed between 3.30 and 4.0, but the 3.30 file with an updated schema version seems to still work?

cxxr added a commit to cxxr/sysmon-config that referenced this issue Jan 9, 2018
Should close SwiftOnSecurity#45, and it works on my machine. I couldn't find any good docs on what's actually different, though.
@johnmccash

Be aware that the rules for combining rule conditions have changed in 7.01:

From Sysmon 6.1:

  • You can use both include and exclude rules for the same tag, where exclude rules override include rules. Within a rule, filter conditions on the same field have OR behavior, whereas conditions on different fields have AND behavior. In the sample configuration shown earlier, the networking filter uses both an include and exclude rule to capture activity to port 80 and 443 by all processes except those that have iexplore.exe in their name.

From Sysmon 7.01:

  • You can use both include and exclude rules for the same tag, where exclude rules override include rules. Within a rule, filter conditions have OR behavior. In the sample configuration shown earlier, the networking filter uses both an include and exclude rule to capture activity to port 80 and 443 by all processes except those that have iexplore.exe in their name.

Regards
John
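As an added illustration (not part of this issue thread and not code from the sysmon-config project), the script below models both points raised above: the reporter's fix of rewriting the root `schemaversion` attribute from 3.30 to 4.0, and the rule-combination difference John quotes from the Sysmon 6.1 and 7.01 documentation. The two config fragments are constructed in the style of the networking example the docs describe, and the evaluator is a simplified model written for this example, not Sysmon's own filtering code; Sysmon's built-in per-event defaults are deliberately not modelled. The second fragment, with conditions on two different fields in one rule, is the case whose meaning changes: under 6.1 both conditions must hold, under 7.01 either one is enough, so the same XML becomes far noisier after the upgrade.

```python
"""Parse a Sysmon-style config, bump its schemaversion, and evaluate
NetworkConnect events under the two rule-combination semantics quoted in the
thread (6.1: same-field OR / different-field AND; 7.01: every condition OR).
Simplified model for illustration, not Sysmon's own code."""
import xml.etree.ElementTree as ET

# Constructed fragment (not the project's sysmonconfig-export.xml): log port
# 80/443 connections from every process except images containing iexplore.exe.
SAMPLE_CONFIG = """<Sysmon schemaversion="3.30">
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="contains">iexplore.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""

# Constructed rule with conditions on two different fields: AND in 6.1, OR in 7.01.
TWO_FIELD_CONFIG = """<Sysmon schemaversion="4.0">
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""


def load_config(xml_text, schema_version=None):
    """Parse the config; optionally rewrite the root schemaversion attribute
    (the change the reporter applied: 3.30 -> 4.0)."""
    root = ET.fromstring(xml_text)
    if schema_version is not None:
        root.set("schemaversion", schema_version)
    return root


def condition_matches(condition, field_value, rule_value):
    """A subset of Sysmon string conditions; comparisons are case-insensitive."""
    cond = (condition or "is").lower()
    fv, rv = field_value.lower(), rule_value.lower()
    if cond == "is":
        return fv == rv
    if cond == "is not":
        return fv != rv
    if cond == "contains":
        return rv in fv
    if cond == "begin with":
        return fv.startswith(rv)
    if cond == "end with":
        return fv.endswith(rv)
    raise ValueError(f"unsupported condition: {condition}")


def rule_matches(rule, event, semantics):
    """Evaluate one <EventType onmatch=...> element against an event dict.
    "6.1": conditions on the same field are OR'd, per-field results AND'd.
    "7.01": every condition is OR'd."""
    by_field = {}
    for cond in rule:
        by_field.setdefault(cond.tag, []).append(cond)
    if not by_field:
        return False
    field_hits = [
        any(condition_matches(c.get("condition"), event.get(field, ""), c.text or "")
            for c in conds)
        for field, conds in by_field.items()
    ]
    if semantics == "6.1":
        return all(field_hits)
    if semantics == "7.01":
        return any(field_hits)
    raise ValueError(f"unknown semantics: {semantics}")


def should_log(root, event_type, event, semantics):
    """Exclude rules override include rules (true in both versions). Exclude-only
    event types are logged unless excluded; event types with no rules are
    treated here as not logged (simplification of Sysmon's defaults)."""
    path = f"./EventFiltering/{event_type}"
    includes = root.findall(path + "[@onmatch='include']")
    excludes = root.findall(path + "[@onmatch='exclude']")
    if any(rule_matches(r, event, semantics) for r in excludes):
        return False
    if includes:
        return any(rule_matches(r, event, semantics) for r in includes)
    return bool(excludes)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG, schema_version="4.0")
    print("schemaversion now:", cfg.get("schemaversion"))
    two = load_config(TWO_FIELD_CONFIG)
    notepad = {"Image": r"C:\Windows\notepad.exe", "DestinationPort": "443"}
    for sem in ("6.1", "7.01"):
        print(sem, "logs notepad.exe -> :443?",
              should_log(two, "NetworkConnect", notepad, sem))
```

Running the block prints the bumped schema version and then shows the two-field rule rejecting a notepad.exe connection to port 443 under 6.1 semantics but accepting it under 7.01, which is why a config carried across that upgrade is worth re-checking rule by rule rather than only bumping the version number.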

cxxr added a commit to DefenseStorm/sysmon-config that referenced this issue Jan 23, 2018
Should close SwiftOnSecurity#45, and it works on my machine. I couldn't find any good docs on what's actually different, though.