sysmon EID 12,13,14 'Incorrect field Details'

McGahan, Timothy@CIO 86 Reputation points
2021-12-30T19:14:32.23+00:00

What's this about?



Accepted answer
Joe Doe 156 Reputation points
    2022-01-05T14:52:49.887+00:00

I guess it's because only EID 13 has a "Details" field, but EID 12 and 14 are also handled with "RegistryEvent".

    <event name="SYSMONEVENT_REG_KEY" value="12" level="Informational" template="Registry object added or deleted" rulename="RegistryEvent" ruledefault="exclude" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <event name="SYSMONEVENT_REG_SETVALUE" value="13" level="Informational" template="Registry value set" rulename="RegistryEvent" ruledefault="exclude" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" />
      <data name="Details" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <event name="SYSMONEVENT_REG_NAME" value="14" level="Informational" template="Registry object renamed" rulename="RegistryEvent" ruledefault="exclude" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" />
      <data name="NewName" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
    </event>


1 additional answer

McGahan, Timothy@CIO 86 Reputation points
    2022-01-05T16:50:22.69+00:00

Well, it works if I remove the combination of data name "NewName" and "Details" but leave "TargetObject" and "Details"...

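A quick way to see what the three manifest entries in the accepted answer imply for a RegistryEvent rule, and why the asker's two field combinations behave differently, as an added example that is not from this thread and not Sysmon's own validator: the script below transcribes the field lists from the manifest, parses a constructed Sysmon config, and reports which of EID 12/13/14 each field can apply to and whether a rule requiring all of its fields at once can match any event at all. The `analyze_registry_rules` helper and the sample config are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Per-event field lists transcribed from the manifest entries quoted in the accepted answer.
REGISTRY_EVENT_FIELDS = {
    12: {"RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId",
         "Image", "TargetObject", "User"},
    13: {"RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId",
         "Image", "TargetObject", "Details", "User"},
    14: {"RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId",
         "Image", "TargetObject", "NewName", "User"},
}


def events_defining(field):
    """Return the subset of {12, 13, 14} whose schema contains `field`."""
    return {eid for eid, fields in REGISTRY_EVENT_FIELDS.items() if field in fields}


def analyze_registry_rules(config_xml):
    """Per <RegistryEvent> rule: {"fields": {field: eids}, "and_match": eids}.

    `and_match` is the intersection over the rule's fields (events on which all of
    them exist at once); empty means an all-fields-must-match rule can never fire.
    """
    report = []
    for rule in ET.fromstring(config_xml).iter("RegistryEvent"):
        per_field = {child.tag: events_defining(child.tag) for child in rule}
        and_match = set(REGISTRY_EVENT_FIELDS)
        for eids in per_field.values():
            and_match &= eids
        report.append({"fields": per_field, "and_match": and_match})
    return report


# Constructed sample config (not from the thread): the two combinations the asker compared.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="and">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\\CurrentVersion\\Run</TargetObject>
        <Details condition="contains">powershell</Details>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="and">
      <RegistryEvent onmatch="include">
        <Details condition="contains">powershell</Details>
        <NewName condition="contains">Run</NewName>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""
```

The first rule can only ever apply to EID 13 (the only event with Details), while the second asks for Details and NewName together, which no single registry event carries.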
