Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry

willemdh · July 5, 2021, 7:45pm

Hello,

Second try.. (Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry)

Just noticed something weird with Sysmon configuration in 7.11 (registry events)

As you can see, the actual value of the registry key is in winlog.event_data.Details while imho this should be in registry.value ? or at least the part within paranthese..

In a Sysmon event this is set under details:

Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
EventType: SetValue
UtcTime: 2021-05-22 14:00:07.137
ProcessGuid: {afbc1ce0-0e67-60a9-b709-00000000c900}
ProcessId: 13248
Image: C:\WINDOWS\regedit.exe
TargetObject: HKLM\SOFTWARE\Digipolis\BeheerCredProv\LinkCaption
Details: Wachtwoord vergeten of account geblokkeerd?

In the above example registry.value should be Wachtwoord vergeten of account geblokkeerd? ?

But in 7.11 registry.value is set to LinkCaption ..

Best regards,

Willem

system · August 2, 2021, 9:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.