Sysmon Event ID 22

THAN VAN TRONG 40 Reputation points
2023-02-15T09:57:13.8766667+00:00

Hello,

I'm using the newest version of Sysmon with the config I got from https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml

I have a problem with Event 22 DNS query. It doesn't generate the events for the domains I am accessing. Tried from Edge and Chrome; I don't get Event 22 for them in Event Viewer (Sysmon/Operational).

From the command line or using Firefox it works, I can see Event 22 in Event Viewer, but from the Edge/Chrome browser processes it won't work.

Event ID 22 with QueryName: wpad is the only one with an Image from Chrome.

I tried everything (I think):

  • updating the configuration with the -c command
  • uninstalling and reinstalling Sysmon
  • other Sysmon configurations
  • rebooting
  • searching all over the internet, but found nothing about this kind of issue.

Did anyone encounter this issue? What else can I do to make it work? Every help/suggestion is appreciated.

Thank you


Accepted answer
  1. Stefan Vater 75 Reputation points
    2023-03-07T09:16:42.1966667+00:00

    Ah yes... forgot to post the answer here.
    These policies solved the problem, which is basically the same as what you did via the registry.

    Thanks!


4 additional answers

Sort by: Most helpful
  1. THAN VAN TRONG 40 Reputation points
    2023-02-17T08:33:36.5266667+00:00

    Hi ShiJieLi,

    I solved my problem.

    Thanks for your help.

    Best Regards,

    1 person found this answer helpful.

  2. ShiJieLi-MSFT 11,351 Reputation points Microsoft Vendor
    2023-02-16T07:53:55.65+00:00

    Hi @THAN VAN TRONG ,

    According to sysmonconfig-export.xml:

    Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off. Search for Group Policy for these browsers to configure this.

    So, you may need to turn off network prediction on both Edge and Chrome to generate Event 22. Configure the following 2 policies:

    1. (Edge) Enable network prediction. Enable this policy and choose "Don't predict network actions on any network connection".
    2. (Chrome) Enable network prediction. Enable this policy and choose "Don't predict network actions on any network connection".

    You should be able to have Event 22 after these configurations.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards,

    Shijie Li


  3. Stefan Vater 75 Reputation points
    2023-02-22T08:39:22.4+00:00

    Hi all,

    currently I'm running into the same behavior. The NetworkPredictionOptions -> 2 policy doesn't fix it for me.
    Curiously, I can reproduce this on a newly installed Windows 10 22H2, but on Windows 11 22H2 it is working...

    Also it is working in Windows 10 21H2.

    Any other ideas?

    Thanks,

    BR


  4. THAN VAN TRONG 40 Reputation points
    2023-03-07T09:09:17.51+00:00

    Hi @Stefan Vater

    Sorry for late answer.

    I don't know whether you solved your problem or not.

    In my situation, I set the BuiltInDnsClientEnabled registry value to 0.

    It worked for me, you can try this.


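Putting the two fixes reported in this thread together (the NetworkPredictionOptions = 2 policy from ShiJieLi's answer and the BuiltInDnsClientEnabled = 0 value from THAN VAN TRONG's), here is an added PowerShell example that is not from any poster: it writes both values under the Chrome and Edge policy keys and then checks whether Sysmon Event 22 records start appearing for the browser images. It assumes the standard HKLM policy locations for both browsers and that Sysmon's DnsQuery rules are already enabled in the loaded config.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# Assumption: standard HKLM policy keys for Chrome and Edge.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
# NetworkPredictionOptions = 2 -> "Don't predict network actions on any network connection"
# BuiltInDnsClientEnabled  = 0 -> browser resolves through the OS client, which Sysmon observes
$policyValues = @{ NetworkPredictionOptions = 2; BuiltInDnsClientEnabled = 0 }

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $policyValues.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $policyValues[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    Write-Host "Policies now set under ${key}:"
    Get-ItemProperty -Path $key | Select-Object NetworkPredictionOptions, BuiltInDnsClientEnabled
}

# Restart the browsers so the policies apply, browse to a few sites, then verify:
# list recent Event 22 records whose Image is chrome.exe or msedge.exe.
function Get-BrowserDnsEvents {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 22 carries Image and QueryName in EventData; pull them out of the XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Image     = $d['Image']
                QueryName = $d['QueryName']
            }
        } |
        Where-Object { $_.Image -match '\\(chrome|msedge)\.exe$' }
}

$hits = Get-BrowserDnsEvents
if ($hits) { $hits | Format-Table -AutoSize }
else { Write-Host 'No Event 22 from chrome.exe/msedge.exe yet; restart the browsers and retry.' }
```

If only the wpad query shows up for the browser image, as in the original question, the browser is still bypassing the OS resolver and the policy has not taken effect yet (check gpupdate or that the browser was fully restarted).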
