This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 25%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
Hello,
Since Sysmon 12.03 we have the issue, that the config file can't be parsed by Sysmon 12.03. Even with the latest version 13.00 this issue still exists. The same config file is parseable with Sysmon 12.01.
Seems that somebody else has also this issue: https://github.com/MicrosoftDocs/sysinternals/issues/331
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 78%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Report that as a bug with the steps to repro and the config file to SysSite@microsoft.com
HTH
-mario
Hey,
I've figured out what's the issue:
Until Sysmon v12.02 your config can look like this:
<Sysmon schemaversion="4.50">
<DnsLookup>False</DnsLookup>
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude"/>
<ProcessCreate onmatch="include"/>
</RuleGroup>
</EventFiltering>
</Sysmon>
Since v12.03 you have to add RuleGroups around each include / exclude:
<Sysmon schemaversion="4.50">
<DnsLookup>False</DnsLookup>
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude"/>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="include"/>
</RuleGroup>
</EventFiltering>
</Sysmon>