Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry

willemdh · July 5, 2021, 7:45pm

Hello,

Second try.. (Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry)

Just noticed something weird with Sysmon configuration in 7.11 (registry events)

As you can see, the actual value of the registry key is in winlog.event_data.Details while imho this should be in registry.value ? or at least the part within paranthese..

In a Sysmon event this is set under details:

Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
EventType: SetValue
UtcTime: 2021-05-22 14:00:07.137
ProcessGuid: {afbc1ce0-0e67-60a9-b709-00000000c900}
ProcessId: 13248
Image: C:\WINDOWS\regedit.exe
TargetObject: HKLM\SOFTWARE\Digipolis\BeheerCredProv\LinkCaption
Details: Wachtwoord vergeten of account geblokkeerd?

In the above example registry.value should be Wachtwoord vergeten of account geblokkeerd? ?

But in 7.11 registry.value is set to LinkCaption ..

Best regards,

Willem

system · August 2, 2021, 9:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry Beats winlogbeat	2	433	June 28, 2021
Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry Beats winlogbeat	3	737	September 13, 2021
Winlogbeat 6.0.0 Registry File Beats winlogbeat	5	1183	December 26, 2017
Winlogbeat Sysmon Registry events missing event.category Beats ecs-elastic-common-schema , winlogbeat	2	619	November 5, 2020
Custom index filter Beats winlogbeat	2	249	May 18, 2021

Winlogbeat Sysmon Configuration Registry fields seems to map the wrong value of the registry

Related topics