Seems that somebody else has also this issue: https://github.com/MicrosoftDocs/sysinternals/issues/331
Sysmon 12.03 and Sysmon 13.00: RuleEngine Error: Multiple rule filters of the same type
Hello,
Since Sysmon 12.03 we have the issue, that the config file can't be parsed by Sysmon 12.03. Even with the latest version 13.00 this issue still exists. The same config file is parseable with Sysmon 12.01.
3 answers
mariora 376 Reputation points
2021-01-11T20:20:38.347+00:00
Report that as a bug with the steps to repro and the config file to SysSite@microsoft.com
HTH
-mario
Joe Doe 156 Reputation points
2021-01-13T14:11:03.253+00:00
Hey,
I've figured out what's the issue:
Until Sysmon v12.02 your config can look like this:

<Sysmon schemaversion="4.50">
  <DnsLookup>False</DnsLookup>
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
      <ProcessCreate onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Since v12.03 you have to add RuleGroups around each include / exclude:

<Sysmon schemaversion="4.50">
  <DnsLookup>False</DnsLookup>
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
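A small checker and fixer for the layout problem described in this answer, added here as an example and not code from the thread or from Sysmon itself: it flags any RuleGroup holding more than one filter of the same event type (the condition behind the "Multiple rule filters of the same type" error) and rewrites the config so each include/exclude filter gets its own RuleGroup. The sample config is constructed; the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the pre-12.03 layout that newer rule engines reject.
OLD_STYLE = """<Sysmon schemaversion="4.50">
  <DnsLookup>False</DnsLookup>
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
      <ProcessCreate onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def find_conflicts(config_xml: str) -> list:
    """Return (rulegroup_name, event_type, count) for every RuleGroup that
    contains more than one filter element of the same event type."""
    root = ET.fromstring(config_xml)
    conflicts = []
    for group in root.iter("RuleGroup"):
        counts = Counter(child.tag for child in group)
        for tag, n in counts.items():
            if n > 1:
                conflicts.append((group.get("name", ""), tag, n))
    return conflicts


def split_rule_groups(config_xml: str) -> str:
    """Rewrite the config so every filter sits in its own RuleGroup (the
    post-12.03 layout). RuleGroup attributes are copied onto each new group
    and the original ordering of the filters is preserved."""
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    if filtering is None:
        return config_xml
    for group in list(filtering.findall("RuleGroup")):
        children = list(group)
        if len(children) <= 1:
            continue
        idx = list(filtering).index(group)
        filtering.remove(group)
        for offset, child in enumerate(children):
            new_group = ET.Element("RuleGroup", dict(group.attrib))
            new_group.append(child)
            filtering.insert(idx + offset, new_group)
    return ET.tostring(root, encoding="unicode")
```

Run `find_conflicts` against a config before deploying it to a host on 12.03 or later; an empty list means the layout passes this check.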