@@ -211,6 +211,247 @@ In the filters element under configuration is the list of operators that can be
211211
212212Each of these operators execute against the value in a given field for each of the event types.
213213
214+ ### Filter Operator Examples
215+
216+ Below are practical examples demonstrating how to use each filter operator in Sysmon configurations:
217+
218+ #### is
219+
220+ Matches an exact value. Case-sensitive for strings.
221+
222+ ``` xml
223+ <RuleGroup name =" " groupRelation =" or" >
224+ <ProcessCreate onmatch =" include" >
225+ <!-- Match exact process name -->
226+ <Image condition =" is" >C:\Windows\System32\cmd.exe</Image >
227+ </ProcessCreate >
228+ </RuleGroup >
229+ ```
230+
231+ #### is not
232+
233+ Negates an exact match. Includes events that do NOT match the specified value.
234+
235+ ``` xml
236+ <RuleGroup name =" " groupRelation =" or" >
237+ <ProcessCreate onmatch =" exclude" >
238+ <!-- Exclude everything except cmd.exe -->
239+ <Image condition =" is not" >C:\Windows\System32\cmd.exe</Image >
240+ </ProcessCreate >
241+ </RuleGroup >
242+ ```
243+
244+ #### is any
245+
246+ Matches any of the provided exact values. Values are separated by semicolons (;).
247+
248+ ``` xml
249+ <RuleGroup name =" " groupRelation =" or" >
250+ <NetworkConnect onmatch =" include" >
251+ <!-- Match connections to common web ports -->
252+ <DestinationPort condition =" is any" >80;443;8080;8443</DestinationPort >
253+ </NetworkConnect >
254+ </RuleGroup >
255+ ```
256+
257+ #### contains
258+
259+ Matches if the specified string is found anywhere within the field value. Case-insensitive.
260+
261+ ``` xml
262+ <RuleGroup name =" " groupRelation =" or" >
263+ <ProcessCreate onmatch =" include" >
264+ <!-- Match any command line containing "powershell" -->
265+ <CommandLine condition =" contains" >powershell</CommandLine >
266+ </ProcessCreate >
267+ </RuleGroup >
268+ ```
269+
270+ #### excludes
271+
272+ Excludes events where the field value matches the specified string.
273+
274+ ``` xml
275+ <RuleGroup name =" " groupRelation =" or" >
276+ <ProcessCreate onmatch =" include" >
277+ <!-- Include processes but exclude those from System32 -->
278+ <Image condition =" excludes" >\System32\</Image >
279+ </ProcessCreate >
280+ </RuleGroup >
281+ ```
282+
283+ #### excludes all
284+
285+ Excludes events only if ALL specified values are present in the field. Values are separated by semicolons (;).
286+
287+ ``` xml
288+ <RuleGroup name =" " groupRelation =" or" >
289+ <ProcessCreate onmatch =" include" >
290+ <!-- Exclude only if command line contains both strings -->
291+ <CommandLine condition =" excludes all" >-NoProfile;-ExecutionPolicy Bypass</CommandLine >
292+ </ProcessCreate >
293+ </RuleGroup >
294+ ```
295+
296+ #### excludes any
297+
298+ Excludes events if ANY of the specified values are present in the field. Values are separated by semicolons (;).
299+
300+ ``` xml
301+ <RuleGroup name =" " groupRelation =" or" >
302+ <ProcessCreate onmatch =" include" >
303+ <!-- Exclude if command line contains any of these strings -->
304+ <CommandLine condition =" excludes any" >-EncodedCommand;-enc;-e </CommandLine >
305+ </ProcessCreate >
306+ </RuleGroup >
307+ ```
308+
309+ #### image
310+
311+ Matches only the image name without the full path. This is useful for matching process names regardless of their location.
312+
313+ ``` xml
314+ <RuleGroup name =" " groupRelation =" or" >
315+ <ProcessCreate onmatch =" include" >
316+ <!-- Match cmd.exe regardless of path -->
317+ <Image condition =" image" >cmd.exe</Image >
318+ </ProcessCreate >
319+ </RuleGroup >
320+ ```
321+
322+ #### begins with
323+
324+ Matches if the field value starts with the specified string. Case-insensitive.
325+
326+ ``` xml
327+ <RuleGroup name =" " groupRelation =" or" >
328+ <ProcessCreate onmatch =" include" >
329+ <!-- Match any process starting from user directories -->
330+ <Image condition =" begins with" >C:\Users\</Image >
331+ </ProcessCreate >
332+ </RuleGroup >
333+ ```
334+
335+ #### not begins with
336+
337+ Matches if the field value does NOT start with the specified string.
338+
339+ ``` xml
340+ <RuleGroup name =" " groupRelation =" or" >
341+ <ProcessCreate onmatch =" include" >
342+ <!-- Include processes not starting from Windows directory -->
343+ <Image condition =" not begins with" >C:\Windows\</Image >
344+ </ProcessCreate >
345+ </RuleGroup >
346+ ```
347+
348+ #### ends with
349+
350+ Matches if the field value ends with the specified string. Case-insensitive.
351+
352+ ``` xml
353+ <RuleGroup name =" " groupRelation =" or" >
354+ <FileCreate onmatch =" include" >
355+ <!-- Match files with specific extensions -->
356+ <TargetFilename condition =" ends with" >.exe</TargetFilename >
357+ </FileCreate >
358+ </RuleGroup >
359+ ```
360+
361+ #### not ends with
362+
363+ Matches if the field value does NOT end with the specified string.
364+
365+ ``` xml
366+ <RuleGroup name =" " groupRelation =" or" >
367+ <FileCreate onmatch =" include" >
368+ <!-- Include files that don't end with .txt -->
369+ <TargetFilename condition =" not ends with" >.txt</TargetFilename >
370+ </FileCreate >
371+ </RuleGroup >
372+ ```
373+
374+ #### less than
375+
376+ Compares numeric values. Matches if the field value is less than the specified number.
377+
378+ ``` xml
379+ <RuleGroup name =" " groupRelation =" or" >
380+ <NetworkConnect onmatch =" include" >
381+ <!-- Match connections from low source ports (system/privileged range) -->
382+ <SourcePort condition =" less than" >1024</SourcePort >
383+ </NetworkConnect >
384+ </RuleGroup >
385+ ```
386+
387+ #### more than
388+
389+ Compares numeric values. Matches if the field value is greater than the specified number.
390+
391+ ``` xml
392+ <RuleGroup name =" " groupRelation =" or" >
393+ <NetworkConnect onmatch =" include" >
394+ <!-- Match connections to dynamic/ephemeral ports -->
395+ <DestinationPort condition =" more than" >49151</DestinationPort >
396+ </NetworkConnect >
397+ </RuleGroup >
398+ ```
399+
400+ #### contains any
401+
402+ Matches if the field contains ANY of the specified strings. Values are separated by semicolons (;).
403+
404+ ``` xml
405+ <RuleGroup name =" " groupRelation =" or" >
406+ <ProcessCreate onmatch =" include" >
407+ <!-- Match command lines containing any suspicious keywords -->
408+ <CommandLine condition =" contains any" >Invoke-Mimikatz;Invoke-ReflectivePEInjection;Invoke-Shellcode</CommandLine >
409+ </ProcessCreate >
410+ </RuleGroup >
411+ ```
412+
413+ #### contains all
414+
415+ Matches if the field contains ALL of the specified strings. Values are separated by semicolons (;).
416+
417+ ``` xml
418+ <RuleGroup name =" " groupRelation =" or" >
419+ <ProcessCreate onmatch =" include" >
420+ <!-- Match only if command line contains all specified strings -->
421+ <CommandLine condition =" contains all" >powershell;-WindowStyle Hidden;-EncodedCommand</CommandLine >
422+ </ProcessCreate >
423+ </RuleGroup >
424+ ```
425+
426+ ### Combining Multiple Operators
427+
428+ Operators can be combined within a single Rule element to create more complex filtering logic:
429+
430+ ``` xml
431+ <RuleGroup name =" " groupRelation =" or" >
432+ <ProcessCreate onmatch =" include" >
433+ <Rule name =" Suspicious PowerShell" groupRelation =" and" >
434+ <!-- Match PowerShell process -->
435+ <Image condition =" image" >powershell.exe</Image >
436+ <!-- With encoded command -->
437+ <CommandLine condition =" contains" >-EncodedCommand</CommandLine >
438+ <!-- But not from System32 -->
439+ <Image condition =" not begins with" >C:\Windows\System32\</Image >
440+ </Rule >
441+ </ProcessCreate >
442+ </RuleGroup >
443+ ```
444+
445+ ### Performance Considerations
446+
447+ When using filter operators, be aware that some operators consume more CPU resources than others. The operators that use slightly more resources are:
448+
449+ * contains
450+ * contains all
451+ * contains any
452+
453+ For high-performance environments, prefer exact match operators (` is ` , ` is any ` ) or path-based operators (` begins with ` , ` ends with ` ) when possible.
454+
214455Event Schema
215456------------
216457
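Review bot: the descriptions under the `#### excludes`, `#### excludes all` and `#### excludes any` headings invert Sysmon's documented semantics, and the example comments inherit the error. In Sysmon, `excludes` matches when the field does not contain the value, `excludes all` matches when the field contains none of the ;-delimited values, and `excludes any` matches when at least one of the values is absent (the negations of `contains`, `contains any` and `contains all` respectively). So `<CommandLine condition =" excludes all" >-NoProfile;-ExecutionPolicy Bypass</CommandLine >` under `onmatch="include"` logs every process creation whose command line contains neither string, not "only if command line contains both strings" as the comment says, and the `excludes any` example logs events missing at least one of `-EncodedCommand`, `-enc`, `-e`, which is close to everything. Suggest rewording the three descriptions to "The field does not contain this value", "The field does not contain any of the ; delimited values" and "The field does not contain one or more of the ; delimited values", and rewriting the two comments to match. Two related points: `is` is described as "Case-sensitive for strings" while `contains`, `begins with` and `ends with` are marked case-insensitive; Sysmon filter matching is case-insensitive for all string operators, so that sentence should go. And `less than` / `more than` are defined by Sysmon as lexicographical (string) comparisons, not numeric ones, so `<SourcePort condition =" less than" >1024</SourcePort >` compares "80" against "1024" character by character and does not behave as the comment "low source ports (system/privileged range)" claims; say the comparison is lexicographical and either drop the port examples or add a caveat that numeric ordering is not guaranteed.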