ipotap

Comments

There are mistakes for last two conditions on in the rule definition. It says “Access.EventInfo”, but should say “FileExecute.EventInfo” in order for rule to match events properly (similarly for ExtraneousInfo condition)

in SEM Rule Not Firing for EventInfo / ExtraInfo Fields Comment by ipotap October 2025