Blog Post

Sysinternals Blog
2 MIN READ

Sysmon 10.4 Rule Enhancements

Mark_Cook's avatar
Mark_Cook
Icon for Microsoft rankMicrosoft
Sep 06, 2019

When we first released the RuleGroup feature described in Sysmon - The rules about rules many of you contacted us to see if we might consider extending the AND/OR combiner to individual rules rather than to all rules for an event type.  You asked and we listened and are pleased to announce that from 10.4 onwards this is now supported.

 

As with RuleGroups, these are completely optional and your existing configuration files should continue to work as they do now. If you do want to take advantage of the new features though you will need to increment the schema version to 4.22 and you'll be ready to go..

 

The basic building block is the new <Rule> element. As with <RuleGroup> this can optionally have name and groupRelation attributes and like RuleGroup the default groupRelation is "AND". An example schema is shown below

 

<Sysmon schemaversion="4.22">

   <EventFiltering>

      <RuleGroup name="group 1" groupRelation="or">

          <ProcessCreate onmatch="include">

              <CommandLine condition="contains">timeout</CommandLine>

              <CommandLine condition="contains all">net;view</CommandLine>

              <Rule groupRelation="and" name="pinging microsoft">

                    <Image condition="contains">ping</Image>

                    <CommandLine condition="contains">microsoft</CommandLine>

              </Rule>

              <Rule groupRelation="and">

                   <Image condition="end with">powershell.exe</Image>

                   <ParentImage condition="end with">cmd.exe</ParentImage>

            </Rule>

        </ProcessCreate>

     </RuleGroup>

   </EventFiltering>

</Sysmon>

 

 

Sysmon power users may have noticed something unusual with the following line

 

        <CommandLine condition="contains all">net;view</CommandLine>

 

This brings me to another change for 10.4 which introduces the "contains any" and "contains all" conditions that can be used for local (field level) OR/AND conditions respectively. These attempt to match a ';' separated list of fields so in this example a match will be made for "net view" but not "net use". "contains any" is a similar condition but for "OR' operations.  A rule for browsers for example might be

 

        <Image condition="contains any">firefox.exe;chrome.exe;iexplore.exe</Image>

 

 

Happy hunting and as always if you have any questions or suggestions, please feel free to contact us at syssite@microsoft.com

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Updated Sep 06, 2019
Version 1.0
Rules
sysmon
  • dstaulcu's avatar
    dstaulcu
    Copper Contributor
    Nov 29, 2020

    I realize I am late to the party but these rule enhancements are game changing.  Thank you for implementing and describing the feature!