I had a problem with missing Registry "SetValue" events in most of the Workbook queries; I would only see CreateKey (EventId 12) results.
I noticed that the data was present in the raw XML, and returned data as expected with something like:
Event
| where Source contains "sysmon"
| where EventID in (13,14)
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| project TimeGenerated, EventID, RenderedDescription, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data
I then noticed that the sentinel-attack/Sysmon saved search was missing SysmonEvent13_RegistrySetValue at the end in:
(union isfuzzy=true
SysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,
SysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,
SysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,
SysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,
SysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)
Adding SysmonEvent13_RegistrySetValue in between SysmonEvent12_RegistryObjectAddDel and SysmonEvent14_RegistryObjectRename fixed it.
I'm just seeing that sentinel-attack\deployment\gallery.azuredeploy.json has the corresponding missing item in this section:
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/Sysmon')]",
"dependsOn": [
    "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
    "category": "sentinel-attack",
    "displayName": "Sysmon",
    ...
    \r\n(union isfuzzy=true\r\nSysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,\r\nSysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,\r\nSysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,\r\nSysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,\r\nSysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)\r\n",
    "functionAlias": "Sysmon",
    "version": 2
}
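A gap like the one reported above can be caught before deployment by checking the template's union list for skipped event IDs. The following is an added example, not part of the original issue or the sentinel-attack project; the `query` property name, the trimmed sample template and the function names are assumptions, and the check only finds gaps between the lowest and highest ID present.

```python
import json
import re

# Constructed sample: a trimmed savedSearches resource shaped like the fragment
# quoted in the issue. The "query" property name and the shortened union list
# are assumptions made for this example.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [{
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
        "name": "[concat(parameters('workspace_name'), '/Sysmon')]",
        "properties": {
            "category": "sentinel-attack",
            "displayName": "Sysmon",
            "query": "(union isfuzzy=true\r\n"
                     "SysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,"
                     "SysmonEvent14_RegistryObjectRename,\r\n"
                     "SysmonEvent15_FileCreateStreamHash)\r\n",
            "functionAlias": "Sysmon",
        },
    }]
})

UNION_RE = re.compile(r"\(\s*union\b[^)]*\)", re.IGNORECASE)
MEMBER_RE = re.compile(r"\bSysmonEvent(\d+)_\w+")


def union_event_ids(query):
    """Return the event IDs referenced as SysmonEvent<N>_* inside the union clause."""
    match = UNION_RE.search(query)
    if not match:
        return set()
    return {int(n) for n in MEMBER_RE.findall(match.group(0))}


def missing_event_ids(template_text, alias="Sysmon"):
    """Find gaps in the event-ID sequence of the saved search with this functionAlias."""
    template = json.loads(template_text)
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type", "").endswith("/savedSearches") and props.get("functionAlias") == alias:
            ids = union_event_ids(props.get("query", ""))
            if not ids:
                raise ValueError("no SysmonEvent<N>_ members found in union")
            return sorted(set(range(min(ids), max(ids) + 1)) - ids)
    raise LookupError(f"no saved search with functionAlias {alias!r}")


if __name__ == "__main__":
    print("missing event IDs:", missing_event_ids(SAMPLE_TEMPLATE))
```

Run against the real deployment template in CI, a non-empty result means some Sysmon event type is parsed but never reaches the `Sysmon` function, so workbook queries built on it silently miss those events.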