Event ID 11 - Empty TargetFilename

[DodoK94]

Describe the bug
All events ID 11 - File Create are missing values in TargetFilename field. Only dash (-) is being shown.
Works OK for event ID 23 - File Delete - path and filename is present.

To Reproduce
Happened with both default config ("catch all" and custom configs)

Sysmon version
Tested on both 1.3.0 and newest 1.3.1

Distro/kernel version
Linux xxx 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 20.04LTS

Sysmon configuration
Tested with default catch all config. Tested this one: https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/main.xml and tested couple of custom configurations, all with same results - events are being collected but TargetFilename field is empty.

Logs
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:58:58.151
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:58:58.151
User: isd_poc_security
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:58:58.151
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:58:58.151
User: isd_poc_security
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:58:58.151
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:58:58.151
User: isd_poc_security
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:09.978
ProcessGuid: {c8ee428b-43e2-6536-15b6-ced6bf550000}
ProcessId: 3045565
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:09.978
User: isd_poc_security
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:14.168
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:14.168
User: -
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:14.168
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:14.168
User: -
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:14.168
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:14.168
User: -
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:21.021
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:21.021
User: -
Event SYSMONEVENT_FILE_CREATE
RuleName: TechniqueID=T1546,TechniqueName=Event Trigerred Execution
UtcTime: 2023-10-23 09:59:21.030
ProcessGuid: {c8ee428b-43f2-6536-15b6-41abbf550000}
ProcessId: 3045567
Image: /usr/bin/vim.basic
TargetFilename: -
CreationUtcTime: 2023-10-23 09:59:21.030
User: -

Expected behavior
A path and file name is expected in TargetFilename same way as for ID 23 file delete. Without this information it is not possible to investigate events and perform filtering in config file.

Thank you.
Regards,
Jozef

[cc-sir]

I also encountered the same problem, and my version is the latest version 1.3.3. This is why and there is any temporary solution? Thanks!