Inquiry about nesting Sysmon rule groups

Kevin Branch
2020-12-03T00:41:28.183+00:00

This is in reference to your comment on the above topic at the below link about possible support for nesting of Sysmon rule groups:
https://github.com/MicrosoftDocs/sysinternals/issues/222

My particular use case is to exclude multiple classes of events that each exhibit a compound set of criteria, such as these NetworkConnect exclusions:

  • Image = java.exe and DestinationPort = 8080
  • Protocol = udp and DestinationPort = 53

so the above bulleted exclusion items would be in an OR relationship with each other but in each line the criteria elements would be in an AND relationship with each other.

I find myself needing to exclude certain very high-noise patterns at the Sysmon level that, to be properly identified for exclusion, need 2-3 criteria items to all match together. I see no way to do that at present when multiple compound exclusion patterns are needed for a given Sysmon event type. If this is possible and I've just not landed on the right article yet, please enlighten me.

Let me personally thank you for your great work on Sysmon. You have really been taking it to the next level in the past year, and I am increasingly leaning on it for cybersecurity instrumentation. Those DNS audit records are sweet!

Kevin
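The OR-of-ANDs exclusion the question asks for maps onto Sysmon's `<Rule groupRelation="and">` element (available since Sysmon 9, schema 4.1 and later): each `<Rule>` block matches only when every filter inside it matches, and sibling blocks under a `RuleGroup` with `groupRelation="or"` are OR-ed. The example below is added here and is not part of the original post or of Sysmon itself; it embeds a constructed config fragment with the two compound exclusions from the question next to a flat version of the same four filters, then runs a small model of Sysmon's filter semantics over four constructed NetworkConnect events to show which events each form drops. The schema version, rule names and sample events are assumptions for illustration, and the model only evaluates `onmatch="exclude"` filters.

```python
"""Model of Sysmon compound-rule evaluation: OR-of-AND exclusions.

Added example, not the questioner's or Sysmon's own code. Assumes Sysmon's
documented filter grammar: a <Rule groupRelation="and"> matches when all
child filters match; top-level filters and <Rule> blocks under an event
element are combined by the enclosing RuleGroup's groupRelation (default
"or"). The config fragments and events below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed config: the two compound NetworkConnect exclusions from the
# question. Schema version and rule names are illustrative assumptions.
COMPOUND_CONFIG = """<Sysmon schemaversion="4.40">
  <EventFiltering>
    <RuleGroup name="netconn-noise" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Rule groupRelation="and" name="java-8080">
          <Image condition="image">java.exe</Image>
          <DestinationPort condition="is">8080</DestinationPort>
        </Rule>
        <Rule groupRelation="and" name="udp-dns">
          <Protocol condition="is">udp</Protocol>
          <DestinationPort condition="is">53</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed "flat" version: same four filters, no <Rule> wrapper, so the
# RuleGroup's OR applies to every filter individually (over-excludes).
FLAT_CONFIG = """<Sysmon schemaversion="4.40">
  <EventFiltering>
    <RuleGroup name="netconn-noise-flat" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="image">java.exe</Image>
        <DestinationPort condition="is">8080</DestinationPort>
        <Protocol condition="is">udp</Protocol>
        <DestinationPort condition="is">53</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed NetworkConnect events (field names as Sysmon logs them).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\bin\java.exe", "Protocol": "tcp", "DestinationPort": 8080},
    {"Image": r"C:\Windows\System32\svchost.exe", "Protocol": "udp", "DestinationPort": 53},
    {"Image": r"C:\Program Files\Java\bin\java.exe", "Protocol": "tcp", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp", "DestinationPort": 53},
]


def _filter_matches(f, event):
    """One Sysmon field filter; matching is case-insensitive as in Sysmon."""
    cond = f.get("condition", "is").lower()
    want = (f.text or "").strip().lower()
    have = str(event.get(f.tag, "")).lower()
    if cond == "is":
        return have == want
    if cond == "is not":
        return have != want
    if cond == "contains":
        return want in have
    if cond == "begin with":
        return have.startswith(want)
    if cond == "end with":
        return have.endswith(want)
    if cond == "image":  # full path or bare file name
        return have == want or have.rsplit("\\", 1)[-1] == want
    raise ValueError(f"unsupported condition {cond!r}")


def _combine(results, relation):
    if not results:
        return False
    return all(results) if relation == "and" else any(results)


def _event_filter_matches(ev_elem, group_relation, event):
    """Combine <Rule> blocks and bare filters under one event element."""
    results = []
    for child in ev_elem:
        if child.tag == "Rule":
            rel = child.get("groupRelation", "or").lower()
            results.append(_combine([_filter_matches(f, event) for f in child], rel))
        else:
            results.append(_filter_matches(child, event))
    return _combine(results, group_relation)


def is_excluded(config_xml, event_type, event):
    """True if any onmatch="exclude" block for event_type matches the event."""
    root = ET.fromstring(config_xml)
    for group in root.iter("RuleGroup"):
        rel = group.get("groupRelation", "or").lower()
        for ev_elem in group.findall(event_type):
            if ev_elem.get("onmatch") == "exclude" and _event_filter_matches(ev_elem, rel, event):
                return True
    return False


def classify(config_xml, events=SAMPLE_EVENTS):
    """Return, per sample event, whether the config would drop it."""
    return [is_excluded(config_xml, "NetworkConnect", e) for e in events]


if __name__ == "__main__":
    print("compound:", classify(COMPOUND_CONFIG))  # only java:8080 and udp:53 dropped
    print("flat:    ", classify(FLAT_CONFIG))      # every sample event dropped
```

The compound form drops exactly the two noisy patterns (java.exe to 8080, UDP to 53) and keeps java.exe to 443 and TCP to 53, whereas the flat form drops all four because each filter is OR-ed on its own. To apply a real config of this shape, load it with `sysmon64 -c noise.xml` and confirm what the driver actually holds with `sysmon64 -c` (no argument), which prints the current configuration; note that `condition="image"` matches on the bare file name, so tighten it to `condition="is"` with the full path if a renamed binary could otherwise ride the exclusion.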
