Fix broken Sysmon EventID 1 (ProcessCreate) decoders and normalize regex patterns#908
Open
gustavo89587 wants to merge 1 commit into wazuh:master from
Conversation
…gex patterns

This commit fixes multiple issues in the Sysmon EventID 1 (Process Create) decoders and related Windows decoders.

The previous implementation had malformed XML (missing <decoder> blocks) in the EventID 1 "new format" parser, which caused the ruleset to break at load time. This has been restructured into a valid multi-stage decoder chain using after_regex, preserving backward compatibility with both legacy (HashType/Hash) and modern (Hashes) Sysmon formats.

Additionally, several regex patterns were corrected:
- Replaced incorrect \.* and \.+ patterns that only match literal dots with proper wildcard captures
- Fixed broken TerminalServices-Gateway patterns (typos and invalid escapes)
- Normalized multiple Sysmon field extractions to properly handle spaces, quotes, and modern Sysmon output

The result is a fully valid ruleset that correctly parses:
- Sysmon ProcessCreate (Event ID 1) for both old and new formats
- Network, file, and module load events
- Defender and Terminal Services logs

No functional behavior was removed; this change only fixes parsing correctness and reliability.
Author
Hi maintainers! This PR fixes several broken decoders that are currently preventing Sysmon Event ID 1 logs from being parsed correctly. Could someone please review this when available? Thanks!
This PR fixes multiple parsing issues in the Windows ruleset, mainly in Sysmon Event ID 1 (Process Create).
The previous implementation contained malformed XML in the new Sysmon decoder chain, which prevented the ruleset from loading correctly and caused EventID 1 logs to be dropped.
This PR:
This improves reliability of Windows telemetry parsing without changing detection logic or behavior.
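The commit message above describes a two-stage decoder (a prematch on the event type, then field extraction) that must accept both the legacy Sysmon hash fields (HashType/Hash) and the modern Hashes list. The following Python is an added illustration of that same logic, written for this page; it is not code from the pull request or from the Wazuh ruleset, which expresses decoders in XML. It assumes the Process Create event has been flattened into a single "Key: value" line (the layout used for the constructed samples below) and uses well-known digests of the empty string as placeholder hash values. A value is terminated by the next known field name rather than by whitespace, which is what lets CommandLine keep its spaces and quotes intact.

```python
import re
from typing import Dict, List, Optional

# Constructed sample messages (not real telemetry). Both use the flattened
# "Key: value" layout; only the hash fields differ between Sysmon generations.
# Digests are placeholders (SHA1/MD5/SHA256 of the empty string).
LEGACY_EVENT = (
    "Process Create: UtcTime: 2014-08-01 10:00:00.000 "
    "ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 4321 "
    "Image: C:\\Windows\\System32\\cmd.exe "
    "CommandLine: \"C:\\Windows\\System32\\cmd.exe\" /c whoami User: EXAMPLE\\alice "
    "HashType: SHA1 Hash: da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "ParentProcessId: 1000 ParentImage: C:\\Windows\\explorer.exe"
)
MODERN_EVENT = (
    "Process Create: RuleName: - UtcTime: 2024-01-01 10:00:00.000 "
    "ProcessGuid: {00000000-0000-0000-0000-000000000002} ProcessId: 4322 "
    "Image: C:\\Windows\\System32\\cmd.exe "
    "CommandLine: \"C:\\Windows\\System32\\cmd.exe\" /c whoami User: EXAMPLE\\alice "
    "Hashes: SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,"
    "MD5=d41d8cd98f00b204e9800998ecf8427e,"
    "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "ParentProcessId: 1000 ParentImage: C:\\Windows\\explorer.exe"
)

# Field names this illustration knows about (a subset of the real Sysmon schema).
FIELD_NAMES = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine",
    "User", "Hashes", "HashType", "Hash", "ParentProcessId", "ParentImage",
]
_KEYS = "|".join(FIELD_NAMES)
# A value runs lazily until the next " Key: " or the end of the message, so
# values that contain spaces, quotes or colons (CommandLine) are not cut short.
# The leading whitespace requirement keeps "Image" from matching inside
# "ParentImage" and "Hash" from matching inside "Hashes".
FIELD_RE = re.compile(
    rf"(?:^|\s)(?P<key>{_KEYS}): (?P<val>.*?)(?=\s(?:{_KEYS}): |$)", re.S
)

EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMPHASH": 32}


def parse_fields(message: str) -> Optional[Dict[str, str]]:
    """Stage 1 (prematch): only Process Create messages are decoded here.
    Stage 2 (regex): split the remainder into Key -> value."""
    if not message.startswith("Process Create:"):
        return None
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(message)}


def normalize_hashes(fields: Dict[str, str]) -> Dict[str, str]:
    """Return {ALGO: hexdigest} for either the legacy HashType/Hash pair or the
    modern comma-separated Hashes list, so downstream rules see one shape."""
    hashes: Dict[str, str] = {}
    if "Hashes" in fields:
        for item in fields["Hashes"].split(","):
            algo, sep, digest = item.partition("=")
            if sep:
                hashes[algo.strip().upper()] = digest.strip().lower()
    elif "HashType" in fields and "Hash" in fields:
        hashes[fields["HashType"].strip().upper()] = fields["Hash"].strip().lower()
    return hashes


def hash_problems(hashes: Dict[str, str]) -> List[str]:
    """Flag digests whose length or alphabet does not fit the algorithm; a
    decoder that silently keeps a truncated hash breaks IOC matching later."""
    problems = []
    for algo, digest in hashes.items():
        want = EXPECTED_HEX_LEN.get(algo)
        if want is None:
            problems.append(f"{algo}: unknown algorithm")
        elif len(digest) != want or not re.fullmatch(r"[0-9a-f]+", digest):
            problems.append(f"{algo}: malformed digest {digest!r}")
    return problems


def decode_process_create(message: str) -> Optional[Dict[str, object]]:
    """Full chain: prematch, field extraction, hash normalization, sanity check."""
    fields = parse_fields(message)
    if fields is None:
        return None
    hashes = normalize_hashes(fields)
    return {
        "image": fields.get("Image"),
        "command_line": fields.get("CommandLine"),
        "user": fields.get("User"),
        "parent_image": fields.get("ParentImage"),
        "hashes": hashes,
        "hash_problems": hash_problems(hashes),
    }


if __name__ == "__main__":
    for sample in (LEGACY_EVENT, MODERN_EVENT):
        print(decode_process_create(sample))
```

Both samples decode to the same field set with a single `hashes` mapping, which is the property the commit message describes as backward compatibility between the old and new Sysmon formats; the `hash_problems` check is the kind of test a decoder change should be validated against, since a pattern that matches too little will usually show up as a truncated digest rather than as a load-time error.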