Wrong values in log fields #9728
Replies: 1 comment 2 replies
-
|
It sounds like there's some sort of misbehavior during parsing. How are you sending Sysmon logs to Security Onion? Are you using winlogbeat, Wazuh, OSQuery, or some other method? These are coming from a Windows box? Can you provide a couple of examples? |
Beta Was this translation helpful? Give feedback.
-
|
Hello, Thank you for your reply. Sysmon logs are sent to the WEC using source initiated subscription. The WEC then forwards the logs to SO via winlogbeat. Endpoints and WEC are all Windows. Below is an example - I have Suspicious Rundll32 Activity play enabled and when I opened the alert the event_data.message field shows that the process was initiated by Teams.exe which doesn't make any sense. If you look at the 2nd screenshot you will see that the actual process that triggered the alert is rundll32.exe. Please advise.
|
Beta Was this translation helpful? Give feedback.
-
|
If you look up an event on the WEC server, does it match the message that you're seeing in Security Onion? This almost looks like two separate items got mashed together somehow. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello,
I run the newest version of SO, distributed architecture. I noticed that sysmon logs' fields don't macth the raw log data. The event message field (event_data.message) stores raw log data, but the rest of the fields (event_data.process.command_line or event_data.process.executable) show completely different values. It happens only to some sysmon logs. Please advise what might be causing it. Thank you
Beta Was this translation helpful? Give feedback.
All reactions