Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry

willemdh · May 22, 2021, 5:26pm

Hello,

Just noticed something weird with Sysmon configuration in 7.11 (registry events)

As you can see, the actual value of the registry key is in winlog.event_data.Details while imho this should be in registry.value? or at least the part within paranthese..

In a Sysmon event this is set under details:

Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
EventType: SetValue
UtcTime: 2021-05-22 14:00:07.137
ProcessGuid: {afbc1ce0-0e67-60a9-b709-00000000c900}
ProcessId: 13248
Image: C:\WINDOWS\regedit.exe
TargetObject: HKLM\SOFTWARE\Digipolis\BeheerCredProv\LinkCaption
Details: Wachtwoord vergeten of account geblokkeerd?

In the above example registry.value should be Wachtwoord vergeten of account geblokkeerd? ?

But in 7.11 registry.value is set to LinkCaption..

Best regards,

Willem

willemdh · May 31, 2021, 9:17am

Anyone?

system · June 28, 2021, 11:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry Beats winlogbeat	1	440	August 2, 2021
Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry Beats winlogbeat	3	737	September 13, 2021
Winlogbeat Sysmon Registry events missing event.category Beats ecs-elastic-common-schema , winlogbeat	2	619	November 5, 2020
Winlogbeat 6.0.0 Registry File Beats winlogbeat	5	1183	December 26, 2017
Custom index filter Beats winlogbeat	2	249	May 18, 2021

Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry

Related topics