willemdh
August 16, 2021, 9:30am

Third attempt to escalate this...

Hello,

Just noticed something weird with Sysmon configuration in 7.11 (registry events).

[image]

As you can see, the actual value of the registry key is in winlog.event_data.Details, while imho this should be in registry.value, or at least the part within parentheses.

In a Sysmon event this is set under Details:

Registry value set:
RuleName: Suspicious,ImageBeginWithBackslash
EventType: SetValue
UtcTime: 2021-05-22 14:00:07.137
ProcessGuid: {afbc1ce0-0e67-60a9-b709-00000000c900}
ProcessId: 1…

Can someone please verify and confirm this bug? Same issue in 7.13.1.

Willem

andrewkroh
August 16, 2021, 11:56am

That looks like a bug to me. Please open a bug for it. The test data for the module looks wrong. IIUC the value should be 0x00000004.

        "value": "Key 1"
      },
      "winlog": {
        "api": "wineventlog",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "computer_name": "vagrant",
        "event_data": {
          "Details": "DWORD (0x00000004)",
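The practical consequence of the mapping discussed above is that a registry data value only exists inside the raw "DWORD (0x00000004)" text, so a detection rule has to pattern-match that string instead of comparing a number. The following is an added example, written for this page and not Winlogbeat's module code or anything posted by the participants; it is in JavaScript because the 7.x Sysmon module does its field mapping in a JavaScript processor. It decodes the Details string of a Sysmon Event ID 13 (Registry value set) event and builds registry fields from it. The DWORD shape is the one quoted in the thread; the QWORD shape (high and low 32-bit halves) and the literal "Binary Data" marker are assumptions about Sysmon's other outputs, the target field registry.data.* is an assumption about where the decoded data should live (the thread does not settle that), and the TargetObject path in the sample event is constructed.

```javascript
// Added example, not Winlogbeat's own module code. Normalises the "Details"
// string Sysmon writes for Event ID 13 (Registry value set) so the data
// itself, not just the raw "DWORD (0x00000004)" text, can be searched on.
// The DWORD shape is the one in the thread; the QWORD and "Binary Data"
// shapes are assumptions about Sysmon's other outputs.

const DWORD_RE = /^DWORD \((0x[0-9a-fA-F]{8})\)$/;
const QWORD_RE = /^QWORD \((0x[0-9a-fA-F]{8})-(0x[0-9a-fA-F]{8})\)$/;

// Returns { type, value, strings }: type mirrors the Windows registry type
// name, value is the decoded number where one exists, strings is what a
// consumer could store in a string field (e.g. ECS registry.data.strings).
function parseSysmonRegistryDetails(details) {
  if (typeof details !== 'string') {
    return { type: 'unknown', value: null, strings: [] };
  }
  let m = DWORD_RE.exec(details);
  if (m) {
    return { type: 'REG_DWORD', value: parseInt(m[1], 16), strings: [m[1]] };
  }
  m = QWORD_RE.exec(details);
  if (m) {
    // Assumed layout: high 32 bits first, then low 32 bits. BigInt keeps the
    // full 64-bit range exact.
    const v = (BigInt(m[1]) << 32n) | BigInt(m[2]);
    return {
      type: 'REG_QWORD',
      value: v,
      strings: ['0x' + v.toString(16).padStart(16, '0')],
    };
  }
  if (details === 'Binary Data') {
    // Sysmon does not include the bytes, so there is nothing to decode.
    return { type: 'REG_BINARY', value: null, strings: [] };
  }
  // Anything else is the string data itself (REG_SZ, REG_EXPAND_SZ, ...).
  return { type: 'REG_SZ', value: details, strings: [details] };
}

// Builds registry fields from a Sysmon event_data object. registry.value is
// the leaf name of TargetObject, matching the module's golden file ("Key 1");
// registry.data.* is where this example places the decoded data, which is an
// assumption about the intended mapping rather than something the thread settles.
function enrichRegistryEvent(eventData) {
  const parsed = parseSysmonRegistryDetails(eventData.Details);
  const target = eventData.TargetObject || '';
  const idx = target.lastIndexOf('\\');
  return {
    registry: {
      path: target,
      value: idx >= 0 ? target.slice(idx + 1) : target,
      data: { type: parsed.type, strings: parsed.strings },
    },
    winlog: { event_data: eventData },
  };
}

// Constructed sample built from the fields quoted in the thread. The
// TargetObject path is made up, and ProcessId is omitted because the thread
// truncates it.
const SAMPLE_EVENT_DATA = {
  RuleName: 'Suspicious,ImageBeginWithBackslash',
  EventType: 'SetValue',
  UtcTime: '2021-05-22 14:00:07.137',
  ProcessGuid: '{afbc1ce0-0e67-60a9-b709-00000000c900}',
  TargetObject: 'HKLM\\SOFTWARE\\Example\\Key 1',
  Details: 'DWORD (0x00000004)',
};

console.log(JSON.stringify(enrichRegistryEvent(SAMPLE_EVENT_DATA), null, 2));
```

Once the data is decoded this way, a rule can compare registry.data.strings against "0x00000004" (or the numeric value) directly rather than regex-matching the winlog.event_data.Details text, and the same field works for string and QWORD data.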

willemdh
August 16, 2021, 7:42pm

Thanks for confirming @andrewkroh

opened 07:42PM - 16 Aug 21 UTC

- Version: 7.13.1
- Operating System: Red Hat 8 / All Windows Versions
- Discuss Forum URL:
  - https://discuss.elastic.co/t/winlogbeat-sysmon-configuration-registry-fields-seems-to-map-the-wrong-value-of-the-registry/281521
  - https://discuss.elastic.co/t/winlogbeat-sysmon-configuration-registry-fields-seems-to-map-the-wrong-value-of-the-registry/273733
  - https://discuss.elastic.co/t/winlogbeat-sysmon-configuration-registry-fields-seems-to-map-the-wrong-value-of-the-registry/277879
- Steps to Reproduce: Enable Sysmon registry events and index them with Winlogbeat Sysmon module
https://github.com/elastic/beats/blob/ee5ed90dec9e1c8091f7cddf88ba50198668714b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json#L39-L46

system
September 13, 2021, 9:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.