Rule 92214 creates maximum-level false-positive alerts when opening Office files. A new LNK file appears with every opened Office file.
Just open `%appdata%\Microsoft\Office\Recent` and you will see several LNKs.

Current results

The rule triggers on opening every new Office file.
Quick fix

Create custom_rules.xml and add the following lines (the XML tags were stripped from the report and are restored here; the negative lookahead in the second field skips anything under `AppData\Roaming\Microsoft\`):

```xml
<group name="sysmon,">
  <rule id="92214" level="12" overwrite="yes"> <!-- assumption: level not given in the report, copy it from the stock rule -->
    <if_group>sysmon_event_11</if_group>
    <field name="win.eventdata.image" type="pcre2">(?i)(winword|excel|powerpnt|outlook)\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)appdata\\\\(?!Roaming\\\\Microsoft\\\\).+\.lnk</field>
    <options>no_full_log</options>
    <description>Suspicious file created by Microsoft Office process: $(win.eventdata.image) created $(win.eventdata.targetFilename)</description>
    <mitre>
      <id>T1027</id>
    </mitre>
  </rule>
</group>
```
Stock rule: wazuh/ruleset/rules/0830-sysmon_id_11.xml, lines 158 to 163 in dff3ece

Example of a path that triggers it:

`C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Document.docx.LNK`
Expected results

LNK files should be ignored in the `Recent` folder.

Resources

Log reference: https://answers.microsoft.com/en-us/msoffice/forum/all/how-to-disable-from-logging-all-recent-files-in/f229f69b-d46f-4fa4-9d24-072164032cd6
#13631
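The two field patterns from the quick fix, checked against constructed sample events in Python. This is an added example, not code from the issue or from the Wazuh ruleset: it assumes the patterns are evaluated as the rule's pcre2 field matches against paths carrying the doubled backslashes shown in the report's example path (which is why the patterns write a separator as `\\\\`), and it adds a narrower alternative lookahead (my assumption, not the reporter's) that excludes only `Office\Recent`. The Startup-folder sample shows the trade-off a defender should weigh: the quick fix's lookahead silences every LNK written anywhere under `Roaming\Microsoft\`, while the narrower form keeps alerting on those.

```python
import re

# Patterns as Wazuh pcre2 fields see them. The report's example path shows
# separators as "\\", so a single separator is two characters and the
# pattern needs "\\\\" (two escaped backslashes) to match it.
IMAGE_RE = re.compile(r"(?i)(winword|excel|powerpnt|outlook)\.exe")

# Quick fix from the issue: skip any LNK under AppData\Roaming\Microsoft\.
QUICKFIX_TARGET_RE = re.compile(r"(?i)appdata\\\\(?!Roaming\\\\Microsoft\\\\).+\.lnk")

# Narrower alternative (assumption, not from the issue): skip only the Office
# MRU folder, so LNKs written elsewhere under Roaming\Microsoft still alert.
NARROW_TARGET_RE = re.compile(
    r"(?i)appdata\\\\(?!Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\).+\.lnk"
)


def would_alert(image: str, target: str, target_re=QUICKFIX_TARGET_RE) -> bool:
    """Return True when both field matches of the rule succeed for one event."""
    return bool(IMAGE_RE.search(image) and target_re.search(target))


# Constructed sample events (image, targetFilename, label), written as the
# escaped strings the alert fields contain.
SAMPLES = [
    (r"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     r"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Document.docx.LNK",
     "Office MRU shortcut (the false positive)"),
    (r"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     r"C:\\Users\\user\\AppData\\Local\\Temp\\invoice.lnk",
     "LNK in Local\\Temp"),
    (r"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     r"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
     "LNK in the Startup folder"),
    (r"C:\\Windows\\explorer.exe",
     r"C:\\Users\\user\\AppData\\Local\\Temp\\note.lnk",
     "non-Office process"),
]


def evaluate(samples=SAMPLES):
    """Evaluate each sample under the quick-fix pattern and the narrower one.

    Returns a list of (label, alerts_with_quick_fix, alerts_with_narrow).
    """
    return [
        (label,
         would_alert(image, target, QUICKFIX_TARGET_RE),
         would_alert(image, target, NARROW_TARGET_RE))
        for image, target, label in samples
    ]


if __name__ == "__main__":
    for label, quick, narrow in evaluate():
        print(f"{label:42} quick fix: {quick!s:5}  narrow: {narrow}")
```

Running the script shows the MRU shortcut is silent under both patterns, a LNK in `Local\Temp` still alerts under both, and only the narrower pattern alerts on the Startup-folder shortcut.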