KevinBranch-3761 asked dstaulcu edited

Inquiry about nesting Sysmon rule groups

This is in reference to your comment on the above topic at the below link about possible support for nesting of Sysmon rule groups:
https://github.com/MicrosoftDocs/sysinternals/issues/222

My particular use case is to exclude multiple classes of events that each exhibit a compound set of criteria, such as these NetworkConnect exclusions:

  • Image = java.exe and DestinationPort = 8080

  • Protocol = udp and DestinationPort = 53

So the above bulleted exclusion items would be in an OR relationship with each other, but in each line the criteria elements would be in an AND relationship with each other.

I find myself needing to exclude certain very high noise patterns at the Sysmon level that to be properly identified for exclusion need 2-3 criteria items to all match together. I see no way to do that at present when multiple compound exclusion patterns are needed for a given Sysmon event type. If this is possible and I've just not landed on the right article yet, please enlighten me.

Let me personally thank you for your great work on Sysmon. You have really been taking it to the next level in the past year, and I am increasingly leaning on it for cybersecurity instrumentation. Those DNS audit records are sweet!

Kevin


Here's how I would implement what I think you are trying to accomplish...

<!-- NetworkConnect EXCLUDE rules -->
<RuleGroup name="" groupRelation="or">
  <NetworkConnect onmatch="exclude">
    <Rule groupRelation="and" name="">
      <Image condition="image">Java.exe</Image>
      <Initiated condition="is">True</Initiated>
      <DestinationPort condition="is">8080</DestinationPort>
    </Rule>
    <Rule groupRelation="and" name="">
      <Initiated condition="is">True</Initiated>
      <Protocol condition="contains">UDP</Protocol>
      <DestinationPort condition="is">53</DestinationPort>
    </Rule>
  </NetworkConnect>
</RuleGroup>

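To check how the nesting in the reply above evaluates before deploying it, here is an added example (not part of the original thread and not Sysmon's own code) that models the outer "or" / inner "and" logic in Python over constructed NetworkConnect events. The names field_matches, rule_matches, is_excluded and SAMPLES are hypothetical, and only the is, contains and image conditions used in the reply are modelled, compared case-insensitively.

```python
import xml.etree.ElementTree as ET

# The exclusion rules from the reply, embedded so the example runs offline.
CONFIG = """
<RuleGroup name="" groupRelation="or">
  <NetworkConnect onmatch="exclude">
    <Rule groupRelation="and" name="">
      <Image condition="image">Java.exe</Image>
      <Initiated condition="is">True</Initiated>
      <DestinationPort condition="is">8080</DestinationPort>
    </Rule>
    <Rule groupRelation="and" name="">
      <Initiated condition="is">True</Initiated>
      <Protocol condition="contains">UDP</Protocol>
      <DestinationPort condition="is">53</DestinationPort>
    </Rule>
  </NetworkConnect>
</RuleGroup>
"""

def field_matches(cond, want, got):
    """Simplified model of three Sysmon filter conditions (case-insensitive)."""
    want, got = want.lower(), got.lower()
    if cond == "image":  # matches the full path or only the image name
        return want in (got, got.rsplit("\\", 1)[-1])
    return {"is": got == want, "contains": want in got}[cond]

def rule_matches(rule, event):
    """Combine a Rule's field tests according to that Rule's groupRelation."""
    hits = [field_matches(f.get("condition"), f.text, event.get(f.tag, ""))
            for f in rule]
    return all(hits) if rule.get("groupRelation") == "and" else any(hits)

def is_excluded(event, config=CONFIG):
    """An event is dropped when ANY Rule matches (the outer 'or' relation)."""
    group = ET.fromstring(config)
    flt = group.find("NetworkConnect[@onmatch='exclude']")
    return any(rule_matches(r, event) for r in flt.findall("Rule"))

# Constructed sample events (not real telemetry): name -> event fields.
SAMPLES = {
    "java_8080": {"Image": r"C:\app\java.exe", "Initiated": "true", "Protocol": "tcp", "DestinationPort": "8080"},
    "java_443": {"Image": r"C:\app\java.exe", "Initiated": "true", "Protocol": "tcp", "DestinationPort": "443"},
    "dns_udp": {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true", "Protocol": "udp", "DestinationPort": "53"},
    "dns_tcp": {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true", "Protocol": "tcp", "DestinationPort": "53"},
}
```

The java_443 and dns_tcp samples each satisfy some but not all fields of a Rule, so they are still logged; only java_8080 and dns_udp are excluded.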