SysmonEvent13_RegistrySetValue missing from Sysmon function query #48

Description

@mpp-eric-m

I had a problem with missing Registry "SetValue" events in most of the Workbook queries, I would only see CreateKey (EventId 12) results.
Noticed that the data was present in the raw XML, and returned data as expected with something like:

```kql
Event
| where Source contains "sysmon"
| where EventID in (13,14)
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| project TimeGenerated, EventID, RenderedDescription, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data
```

I then noticed that the sentinel-attack/Sysmon saved search was missing SysmonEvent13_RegistrySetValue at the end in:

```kql
(union isfuzzy=true
SysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,
SysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,
SysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,
SysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,
SysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)
```

Adding SysmonEvent13_RegistrySetValue in between SysmonEvent12_RegistryObjectAddDel and SysmonEvent14_RegistryObjectRename fixed it.

I'm just seeing that sentinel-attack\deployment\gallery.azuredeploy.json has the corresponding missing item in this section:

```json
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/Sysmon')]",
"dependsOn": [
    "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
    "category": "sentinel-attack",
    "displayName": "Sysmon",
    ...
    "\r\n(union isfuzzy=true\r\nSysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,\r\nSysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,\r\nSysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,\r\nSysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,\r\nSysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)\r\n",
    "functionAlias": "Sysmon",
    "version": 2
}
```
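A coverage check for this kind of gap, as an added example that is not code from the issue or from the sentinel-attack project: it reads the ARM template, collects the `SysmonEventN_...` members of the Sysmon function's union, and reports which of event IDs 1 to 22 are not covered, then rebuilds the union with the missing member in ID order. The `"query"` property name and the wrapping `resources` array are assumptions, since the issue elides that part of the template.

```python
import json
import re

# Constructed sample: the savedSearches resource quoted in the issue, wrapped in a
# minimal ARM template. The "query" property name is assumed (the issue elides it).
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
    "name": "[concat(parameters('workspace_name'), '/Sysmon')]",
    "properties": {
        "category": "sentinel-attack",
        "displayName": "Sysmon",
        "query": "\r\n(union isfuzzy=true\r\n"
                 "SysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,"
                 "SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,\r\n"
                 "SysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,"
                 "SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,\r\n"
                 "SysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,\r\n"
                 "SysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,"
                 "SysmonEvent18_ConnectNamedPipe,\r\nSysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,"
                 "SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)\r\n",
        "functionAlias": "Sysmon",
        "version": 2,
    },
}]})

SAVED_SEARCH_TYPE = "Microsoft.OperationalInsights/workspaces/savedSearches"
MEMBER_RE = re.compile(r"\bSysmonEvent(\d+)_\w+")

def union_members(query: str) -> dict:
    """Map each event ID named in the union to its SysmonEvent<N>_... function name."""
    return {int(m.group(1)): m.group(0) for m in MEMBER_RE.finditer(query)}

def saved_search_query(template_json: str, alias: str) -> str:
    """Return the KQL body of the saved search whose functionAlias matches."""
    for res in json.loads(template_json).get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == SAVED_SEARCH_TYPE and props.get("functionAlias") == alias:
            return props.get("query", "")
    raise KeyError(f"no savedSearches resource with functionAlias {alias!r}")

def missing_event_ids(template_json: str, alias: str = "Sysmon", expected=range(1, 23)) -> list:
    """Event IDs (1-22 by default) that the function's union does not cover."""
    present = union_members(saved_search_query(template_json, alias))
    return [i for i in expected if i not in present]

def with_member(query: str, member: str) -> str:
    """Rebuild the union with `member` added, keeping the members in event-ID order."""
    members = union_members(query)
    members[int(MEMBER_RE.fullmatch(member).group(1))] = member
    return "(union isfuzzy=true\r\n" + ",".join(members[i] for i in sorted(members)) + ")\r\n"
```

Running `missing_event_ids(SAMPLE_TEMPLATE)` against the quoted template returns `[13]`; the same check against the deployed template catches the regression before a workbook silently loses RegistrySetValue events.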
