Describe the enhancement:
Requesting an update to winlogbeat\module\sysmon\config\winlogbeat-sysmon.js to include event ID 26 so that it is parsed correctly into Elasticsearch by the sysmon module.
The new Sysmon event ID is nearly identical to event ID 23, except for the Archived boolean.
DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable
https://medium.com/falconforce/sysmon-13-10-filedeletedetected-fe2475cb419e
Sysmon 13.21.0.0 supports schema version 4.70, which can be verified by running the latest Sysmon executable from Microsoft as .\sysmon.exe -s

<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileDeleteDetected onmatch="exclude">
        <User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
      </FileDeleteDetected>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
Describe a specific use case for the enhancement or feature:
Like event ID 23, event ID 26 also records the hashes of deleted files, but without archiving the deleted file in C:\Sysmon, allowing its use in areas outside of a malware sandbox or in IR triage. Maintaining a record of deleted files along with their hashes can facilitate historical lookups during compromise investigations to identify which hosts have been affected by identified IoCs.