cmutt78
commented
2 years ago Updated to Detected sysmon state and configuration change on [$result.Computer$] for status [$result.status$] or state [$result.state$]
Closed jward51 closed 2 years ago
cmutt78
commented
2 years ago Updated to Detected sysmon state and configuration change on [$result.Computer$] for status [$result.status$] or state [$result.state$]
This search looks for if the the field "State" or "status" has changed but the risk message still shows a generic format by user which is not captured in the _raw log. I recommend we show either State or status and value in the [ ] brackets. For example, the values will be Started or Stopped