Sysmon Alerts


Brenno Garcia

Nov 28, 2025, 12:40:27 AM (3 days ago) Nov 28
to Wazuh | Mailing List
Hello, can someone help me to suppress some Sysmon alerts like this:
{"timestamp":"2025-11-27T19:52:04.110+0000","rule":{"level":12,"description":"Explorer process was accessed by C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe, possible process injection","id":"92910","mitre":{"id":["T1055"],"tactic":["Defense Evasion","Privilege Escalation"],"technique":["Process Injection"]},"firedtimes":1,"mail":false,"groups":["sysmon","sysmon_eid10_detections","windows"]},"agent":{"id":"004","name":"adm_shared","ip":"192.168.16.105","labels":{"grupo":"Windows_DBA"}},"manager":{"name":"wazuh.manager"},"id":"1764273124.16375027","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"10","version":"3","level":"4","task":"10","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-11-27T19:52:02.9579131Z","eventRecordID":"510326","processID":"3052","threadID":"4084","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-K6Q4U22","severityValue":"INFORMATION","message":"\"Process accessed:\r\nRuleName: technique_id=T1036,technique_name=Masquerading\r\nUtcTime: 2025-11-27 19:52:02.952\r\nSourceProcessGUID: {61e41f6a-9308-6924-f912-000000001600}\r\nSourceProcessId: 10208\r\nSourceThreadId: 9184\r\nSourceImage: C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\r\nTargetProcessGUID: {61e41f6a-929e-6924-9512-000000001600}\r\nTargetProcessId: 5564\r\nTargetImage: C:\\WINDOWS\\Explorer.EXE\r\nGrantedAccess: 0x101411\r\nCallTrace: 
C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9da64|C:\\WINDOWS\\System32\\KERNELBASE.dll+28d3e|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+63df91|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+8f1b8|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+8ef7d|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+8ee69|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncEvents.dll+f0e0|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncHost.DLL+e07f|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncHost.DLL+108f5|C:\\WINDOWS\\System32\\ucrtbase.dll+21bb2|C:\\WINDOWS\\System32\\KERNEL32.DLL+17374|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+4cc91\r\nSourceUser: DESKTOP-K6Q4U22\\adm.shared\r\nTargetUser: DESKTOP-K6Q4U22\\adm.shared\""},"eventdata":{"ruleName":"technique_id=T1036,technique_name=Masquerading","utcTime":"2025-11-27 
19:52:02.952","sourceProcessGUID":"{61e41f6a-9308-6924-f912-000000001600}","sourceProcessId":"10208","sourceThreadId":"9184","sourceImage":"C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe","targetProcessGUID":"{61e41f6a-929e-6924-9512-000000001600}","targetProcessId":"5564","targetImage":"C:\\\\WINDOWS\\\\Explorer.EXE","grantedAccess":"0x101411","callTrace":"C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+9da64|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+28d3e|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+63df91|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+8f1b8|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+8ef7d|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+8ee69|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncEvents.dll+f0e0|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncHost.DLL+e07f|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncHost.DLL+108f5|C:\\\\WINDOWS\\\\System32\\\\ucrtbase.dll+21bb2|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+17374|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+4cc91","sourceUser":"DESKTOP-K6Q4U22\\\\adm.shared","targetUser":"DESKTOP-K6Q4U22\\\\adm.shared"}}},"location":"EventChannel"}

I want to suppress by the sourceImage field.

Here's the log:
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"10","version":"3","level":"4","task":"10","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-11-27T01:52:02.2092691Z","eventRecordID":"504181","processID":"3052","threadID":"4084","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-K6Q4U22","severityValue":"INFORMATION","message":"\"Process accessed:\r\nRuleName: -\r\nUtcTime: 2025-11-27 01:52:02.201\r\nSourceProcessGUID: {61e41f6a-9308-6924-f912-000000001600}\r\nSourceProcessId: 10208\r\nSourceThreadId: 280\r\nSourceImage: C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\r\nTargetProcessGUID: {61e41f6a-9bc2-6927-501f-000000001600}\r\nTargetProcessId: 9488\r\nTargetImage: C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_22510.1401.2.0_x64__8wekyb3d8bbwe\\StoreDesktopExtension.exe\r\nGrantedAccess: 0x101411\r\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9da64|C:\\WINDOWS\\System32\\KERNELBASE.dll+28d3e|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+63df91|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+8f1b8|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+8ef7d|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncClient.dll+8ee69|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncEvents.dll+f0e0|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncHost.DLL+e07f|C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\25.209.1026.0002\\FileSyncHost.DLL+108f5|C:\\WINDOWS\\System32\\ucrtbase.dll+21bb2|C:\\WINDOWS\\System32\\KERNEL32.DLL+17374|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+4cc91\r\nSourceUser: DESKTOP-K6Q4U22\\adm.shared\r\nTargetUser: 
DESKTOP-K6Q4U22\\adm.shared\""},"eventdata":{"utcTime":"2025-11-27 01:52:02.201","sourceProcessGUID":"{61e41f6a-9308-6924-f912-000000001600}","sourceProcessId":"10208","sourceThreadId":"280","sourceImage":"C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe","targetProcessGUID":"{61e41f6a-9bc2-6927-501f-000000001600}","targetProcessId":"9488","targetImage":"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsStore_22510.1401.2.0_x64__8wekyb3d8bbwe\\\\StoreDesktopExtension.exe","grantedAccess":"0x101411","callTrace":"C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+9da64|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+28d3e|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+63df91|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+8f1b8|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+8ef7d|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncClient.dll+8ee69|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncEvents.dll+f0e0|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncHost.DLL+e07f|C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\25.209.1026.0002\\\\FileSyncHost.DLL+108f5|C:\\\\WINDOWS\\\\System32\\\\ucrtbase.dll+21bb2|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+17374|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+4cc91","sourceUser":"DESKTOP-K6Q4U22\\\\adm.shared","targetUser":"DESKTOP-K6Q4U22\\\\adm.shared"}}}

I can't even test it on Wazuh Logtest.

Bony V John

Nov 28, 2025, 1:08:48 AM (3 days ago) Nov 28
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Nov 28, 2025, 2:06:11 AM (3 days ago) Nov 28
to Wazuh | Mailing List
Hi,

Using the shared sample log, I am unable to test it in the Wazuh Logtest tool because it does not contain the raw event log from the Windows event channel. However, I have created a suppression rule based on your requirement. You can test the custom rule below and verify whether it suppresses the alert when the sourceImage value is: C:\\Users\\adm.shared\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe

Suppression rule:
<group name="sysmon,sysmon_eid10_detections,windows,">
  <rule id="100910" level="0">
    <if_sid>92910</if_sid>
    <field name="win.eventdata.sourceImage" type="pcre2">C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe</field>
    <options>no_full_log</options>
    <description>Suppress: Explorer process was accessed by $(win.eventdata.sourceImage), possible process injection</description>
  </rule>
</group>

I used the field tag to match both the field name and its value, and I added the required escape characters in the sourceImage path to properly escape the \\ directory separators.

You can refer to the Wazuh regex documentation to learn more about regex patterns and also review the Wazuh rule syntax documentation for additional details on writing custom rules.
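As an added offline check (my own script, not part of the reply above and not Wazuh's code): it decodes an alert shaped like the one posted, resolves win.eventdata.sourceImage the way the rule's field name does, and runs the reply's pcre2 pattern over it with Python's re standing in for pcre2. It also tries a tighter anchored pattern with the dots escaped; that stricter variant and the look-alike path are my assumptions, added to show what the unanchored pattern would also suppress.

```python
import json
import re

# Constructed alert fragment mirroring the posted Wazuh alert (only the
# fields this check needs; backslashes are doubled exactly as in alerts.json).
SAMPLE_ALERT = r'''{"rule":{"id":"92910","level":12},
"data":{"win":{"eventdata":{
 "sourceImage":"C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe",
 "targetImage":"C:\\\\WINDOWS\\\\Explorer.EXE","grantedAccess":"0x101411"}}}}'''

# Pattern exactly as in the reply's <field type="pcre2"> element: each "\\\\"
# in the regex matches the two literal backslashes the decoded value carries.
POSTED_PATTERN = r"C:\\\\Users\\\\adm.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe"

# Assumed tighter variant (not from the reply): anchored and with "." escaped,
# so only the exact OneDrive.exe path is suppressed.
STRICT_PATTERN = r"^C:\\\\Users\\\\adm\.shared\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive\.exe$"


def get_field(alert: dict, dotted: str):
    """Resolve a rule field name such as win.eventdata.sourceImage; in a
    Wazuh alert these names are relative to the "data" object."""
    node = alert.get("data")
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def source_image(alert_text: str):
    """Decoded sourceImage value (two real backslashes per separator)."""
    return get_field(json.loads(alert_text), "win.eventdata.sourceImage")


def rule_suppresses(alert_text: str, parent_sid: str, field: str, pattern: str) -> bool:
    """Mimic the posted level-0 child rule: it fires (and so suppresses) only
    when the parent rule id matched and the field value satisfies the pattern.
    Assumes an unanchored search, as a regex without ^/$ behaves."""
    alert = json.loads(alert_text)
    if alert["rule"]["id"] != parent_sid:
        return False
    value = get_field(alert, field)
    return value is not None and re.search(pattern, value) is not None


def lookalike_alert() -> str:
    """Constructed alert with a similar-looking path: the unescaped "." in the
    posted pattern matches "-", and without "$" the ".tmp" suffix slips by."""
    return SAMPLE_ALERT.replace("OneDrive.exe", "OneDrive-exe.tmp")
```

The first two cases confirm the reply's escaping is right for the value as stored in alerts.json; the look-alike case shows why anchoring and escaping the dots keeps the suppression from hiding anything other than the intended binary.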
