Sysmon 10.4 has been released, and this is one I was particularly looking forward to ever since the release of version 9, which introduced RuleGroups. At that time there was no real benefit apart from making the filtering behave the way you need for the total set of EventTypes.

This release packs a few refinements to this approach, and trust me, you'll probably love them as much as I do! Don't be fooled by the seemingly small uptick in the version number; it's a huge improvement.

So for the quick TL;DR: the schema has been updated to 4.22 (here is the new schema). This version adds new filter options, "contains any" and "contains all", and, most significantly, the option to add sub-rules to a rule group, allowing you to make multiple AND/OR statements.

First the filters: these are super useful and allow for a lot of flexibility, as well as a form of basic regex-ing in, for instance, command lines like the one below.
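To illustrate both new features together, here is an added configuration fragment (my own example, not the author's, and not from the Sysmon project itself) that uses "contains any" and "contains all" filters inside an AND sub-rule under an OR rule group; the rule names and the matched strings are constructed for this illustration and assume the schema 4.22 syntax where a `Rule` element carries its own `groupRelation`.

```xml
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Outer group: any of the contained rules matching is enough (OR). -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">

        <!-- Sub-rule 1: every condition inside must match (AND).
             Image must be PowerShell AND the command line must contain
             any one of the semicolon-separated encoded-command switches. -->
        <Rule name="PS encoded command" groupRelation="and">
          <Image condition="end with">\powershell.exe</Image>
          <CommandLine condition="contains any">-enc;-EncodedCommand</CommandLine>
        </Rule>

        <!-- Sub-rule 2: the command line must contain ALL listed fragments,
             in any order, which approximates a simple "a.*b" regex. -->
        <Rule name="PS hidden no-profile" groupRelation="and">
          <Image condition="end with">\powershell.exe</Image>
          <CommandLine condition="contains all">-nop;hidden</CommandLine>
        </Rule>

        <!-- Plain condition outside any Rule: OR'ed with the sub-rules above,
             because the enclosing RuleGroup is groupRelation="or". -->
        <ParentImage condition="end with">\winword.exe</ParentImage>

      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Values in "contains any" and "contains all" are separated by semicolons and, like the other Sysmon string conditions, matched case-insensitively, so `-EncodedCommand` also covers `-encodedcommand`.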