Sysmon logs are missing event.category and event.dataset

[sleepingbel]

Hello all,

After installing the new sysmon modular sysmonconfig.xml, I have seen that multiple sysmon events do not have a event.category and some event.dataset.

This results in a missing value in the default SOC dashboard

After some research I prepose the following event.category and event.dataset values for the sysmon event.code:
Remark only the values in bold where missing

event.dataset	event.code	event.category
process_changed_file	2	host, file
service_state_change	4	host
process_terminated	5	host, process
image_loaded	7	host
create_remote_thread	8	host
process_access	10	host, process
file_create	11	host, file
registry_create_delete	12	host, registry
registry_value_set	13	host, registry
file_create_stream_hash	15	host, file
config_change	16	host
pipe_create	17	host, pipe
pipe_connected	18	host, pipe
process_tampering	25	host, process
file_delete	26	host, file
error_report	255	host

Could these be added?

Regards

Bart

[weslambert]

An issue has been created to look into updating the fields with the aforementioned data. Thanks!
#8194

[3isenHeiM]

I also have this issue, thanks for raising it !

[dougburks]

This should be resolved in the upcoming Security Onion 2.3.200 release:
#8194

[3isenHeiM]

Thanks !