From 85c0a10e977cfc7f1406606b5f4466fba67673b0 Mon Sep 17 00:00:00 2001 From: Giorgi Mkervalishvili Date: Thu, 10 Aug 2023 14:59:53 +0400 Subject: [PATCH] Update network-connections.md Controls reverse DNS lookup by Default is True. To disable, you need to specify as false --- chapters/network-connections.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/network-connections.md b/chapters/network-connections.md index a21f724..07e4c0a 100644 --- a/chapters/network-connections.md +++ b/chapters/network-connections.md @@ -3,7 +3,7 @@ Network Connections Sysmon will log **EventID 3** for all TCP and UDP network connections. This event will generate a large number of entries and filtering should be tuned for specific processes and ports. -For the DestinationHostname, the GetNameInfo API is used and it will often not have any information and may just be a CDN, making it NOT reliable for filtering since it uses a reverse DNS Lookup to get this information, in Sysmon v11.0 this behaviour can be disabled by using the ```True``` at the root of the configuration file. +For the DestinationHostname, the GetNameInfo API is used and it will often not have any information and may just be a CDN, making it NOT reliable for filtering since it uses a reverse DNS Lookup to get this information, in Sysmon v11.0 this behaviour can be disabled by using the ```False``` at the root of the configuration file. For the DestinationPortName, the GetNameInfo API is used for the friendly name of ports. In the case of services doing connections on some systems due to memory use, they are hosted under svchost.exe and most connections will originate from this process.
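Review bot: the corrected line in the hunk still names only a value, not the setting it belongs to: "this behaviour can be disabled by using the ```False``` at the root of the configuration file" tells the reader to put `False` somewhere at the root of the config without saying in which element, so the fix from `True` to `False` does not yet make the sentence actionable. The root-level option Sysmon 11.0 added for this is the `DnsLookup` element, so the line should read something like "by setting `<DnsLookup>False</DnsLookup>` at the root of the configuration file"; the angle-bracketed tag was most likely swallowed by Markdown rendering in the original, which is why wrapping it in inline backticks matters. While editing that line, consider splitting the run-on so the filtering caveat (reverse DNS results often empty or just a CDN) and the v11.0 disable option are two sentences.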