Event ID 1
Logs detailed information when a new process is created
Source:
Microsoft-Windows-Sysmon
Category:
Process Create (rule: ProcessCreate)
Process Create:
RuleName: %1!s!
UtcTime: %2!s!
ProcessGuid: %3!s!
ProcessId: %4!s!
Image: %5!s!
FileVersion: %6!s!
Description: %7!s!
Product: %8!s!
Company: %9!s!
OriginalFileName: %10!s!
CommandLine: %11!s!
CurrentDirectory: %12!s!
User: %13!s!
LogonGuid: %14!s!
LogonId: %15!s!
TerminalSessionId: %16!s!
IntegrityLevel: %17!s!
Hashes: %18!s!
ParentProcessGuid: %19!s!
ParentProcessId: %20!s!
ParentImage: %21!s!
ParentCommandLine: %22!s!
ParentUser: %23!s!

The process creation event provides extended information about a newly created process. The full command line gives context on how the process was started. The ProcessGuid field is a value unique to this process across a domain, which makes event correlation easier; ParentProcessGuid carries the same kind of value for the parent, so parent and child events can be joined without relying on process IDs, which Windows reuses. The Hashes field holds full-file hashes of the image, each prefixed with its algorithm (for example SHA256=..., MD5=..., IMPHASH=...); which algorithms are emitted is set by the HashAlgorithms option in the Sysmon configuration.
Auditing:
Conditional
If Windows process audit events (4688) are already enabled, auditing event ID 1 may not be necessary. Event ID 1 does include details that 4688 lacks, such as the file hashes and the ProcessGuid/ParentProcessGuid pair; note also that 4688 only records the command line when the "Include command line in process creation events" audit policy is turned on.
Volume:
Medium to High
Volume depends on process activity.
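The fields above, the Hashes format and the ProcessGuid/ParentProcessGuid correlation in working code, as an added example that is not part of this page or of Sysmon. It parses the XML form of two constructed Event ID 1 records (the GUIDs, hashes, times and paths are made up), splits Hashes into per-algorithm values (the data 4688 cannot give you), walks ParentProcessGuid to rebuild the process chain, and flags an Office application launching a shell, a pattern that ParentImage exposes directly. The OFFICE and SHELLS name lists are assumptions chosen for the example.

```python
"""Parse Sysmon Event ID 1 records, split the Hashes field by algorithm and walk
ParentProcessGuid links to rebuild a process chain. Added example, not Sysmon
code; the two records below are constructed and every GUID, hash and path in
them is made up."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML

EXPLORER_GUID = "{aaaaaaaa-0000-0000-0000-000000000000}"  # no Event 1 captured for it
WINWORD_GUID = "{aaaaaaaa-0001-0001-0001-000000000001}"
CMD_GUID = "{aaaaaaaa-0002-0002-0002-000000000002}"

SAMPLE_XML = [
    rf"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-03-01 09:15:02.117</Data>
    <Data Name="ProcessGuid">{WINWORD_GUID}</Data>
    <Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="CommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docx</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="Hashes">SHA256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF,MD5=0123456789ABCDEF0123456789ABCDEF,IMPHASH=FEDCBA9876543210FEDCBA9876543210</Data>
    <Data Name="ParentProcessGuid">{EXPLORER_GUID}</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    rf"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-03-01 09:15:07.402</Data>
    <Data Name="ProcessGuid">{CMD_GUID}</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="Hashes">SHA256=FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100,MD5=0123456789ABCDEF0123456789ABCDEF,IMPHASH=0011223344556677889900AABBCCDDEE</Data>
    <Data Name="ParentProcessGuid">{WINWORD_GUID}</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> dict:
    """Return one event as {field: value}; each EventData <Data Name="X"> becomes key X."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'SHA256=..,MD5=..,IMPHASH=..' string into {algorithm: hex}."""
    out = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def process_chain(events: list, guid: str) -> list:
    """Follow ParentProcessGuid upward from `guid`, returning the Image of each hop.

    Stops when the parent has no Event ID 1 of its own in `events` (it started
    before Sysmon did, or the record was never collected) or if a loop is seen."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid].get("ParentProcessGuid", "")
    return chain


# Assumed lists for the example; a real rule set would be broader.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawning_shell(events: list) -> list:
    """ProcessGuids of Event ID 1 records where an Office app launched a shell or
    script host. Uses the event's own ParentImage, so it works even when the
    parent's Event ID 1 was never collected."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        child = ntpath.basename(e.get("Image", "")).lower()
        parent = ntpath.basename(e.get("ParentImage", "")).lower()
        if parent in OFFICE and child in SHELLS:
            hits.append(e["ProcessGuid"])
    return hits


EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for guid in office_spawning_shell(EVENTS):
        rec = next(e for e in EVENTS if e["ProcessGuid"] == guid)
        print("ALERT", rec["UtcTime"], rec["User"], rec["CommandLine"])
        print("  chain:", " <- ".join(process_chain(EVENTS, guid)))
        print("  hashes:", parse_hashes(rec["Hashes"]))
```

On a real host the same XML comes from PowerShell: `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System/EventID=1]"` and `.ToXml()` on each record. The chain for the cmd.exe record stops at WINWORD.EXE because explorer.exe has no Event ID 1 in the sample; that is the normal case for processes that were already running when Sysmon started, so correlation code has to tolerate a missing root rather than treat it as an error.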