Event ID 3

Logs network connections made by processes
Source: Microsoft-Windows-Sysmon
Category: Network connection detected (rule: NetworkConnect)

Network connection detected:
    RuleName: %1!s!
    UtcTime: %2!s!
    ProcessGuid: %3!s!
    ProcessId: %4!s!
    Image: %5!s!
    User: %6!s!
    Protocol: %7!s!
    Initiated: %8!s!
    SourceIsIpv6: %9!s!
    SourceIp: %10!s!
    SourceHostname: %11!s!
    SourcePort: %12!s!
    SourcePortName: %13!s!
    DestinationIsIpv6: %14!s!
    DestinationIp: %15!s!
    DestinationHostname: %16!s!
    DestinationPort: %17!s!
    DestinationPortName: %18!s!


The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGuid fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.
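
As an added example (not part of the original page or of Sysmon itself), the Python below parses messages in the rendered layout shown above and groups the connections each process initiated by ProcessGuid rather than ProcessId. The sample records, addresses, user and image names are constructed, and the lowercase true/false rendering of Initiated is an assumption.

```python
import re

TEMPLATE = """Network connection detected:
    RuleName: -
    UtcTime: {0}
    ProcessGuid: {1}
    ProcessId: {2}
    Image: {3}
    User: EXAMPLE\\alice
    Protocol: tcp
    Initiated: {4}
    SourceIsIpv6: false
    SourceIp: {5}
    SourceHostname: -
    SourcePort: {6}
    SourcePortName: -
    DestinationIsIpv6: false
    DestinationIp: {7}
    DestinationHostname: -
    DestinationPort: {8}
    DestinationPortName: -
"""
P1 = ("{00000000-0000-0000-0000-0000000000a1}", 4321, r"C:\Example\updater.exe")
P2 = ("{00000000-0000-0000-0000-0000000000b2}", 4321, r"C:\Example\viewer.exe")  # PID reused
ROWS = [  # constructed sample values (documentation address ranges), not real telemetry
    ("2024-01-01 10:00:00.000", *P1, "true", "192.0.2.10", 50001, "198.51.100.7", 443),
    ("2024-01-01 10:00:05.000", *P1, "true", "192.0.2.10", 50002, "203.0.113.9", 8080),
    ("2024-01-01 11:30:00.000", *P2, "true", "192.0.2.10", 50003, "198.51.100.7", 443),
    ("2024-01-01 11:31:00.000", *P2, "false", "203.0.113.50", 50004, "192.0.2.10", 3389),
]
SAMPLE = "".join(TEMPLATE.format(*row) for row in ROWS)

def parse_events(text):
    """Turn rendered Event ID 3 messages into one {field: value} dict per event."""
    events = []
    for line in text.splitlines():
        field = re.match(r"\s+(\w+):\s?(.*)$", line)  # indented "Name: value" line
        if line.strip() == "Network connection detected:":
            events.append({})  # header line starts a new event
        elif field and events:
            events[-1][field.group(1)] = field.group(2).strip()
    return events

def outbound_by_process(events):
    """Group process-initiated connections by ProcessGuid; ProcessId alone can be recycled."""
    seen = {}
    for ev in (e for e in events if e["Initiated"].lower() == "true"):
        seen.setdefault((ev["ProcessGuid"], ev["Image"]), set()).add(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return seen
```

Keying on ProcessId alone would merge the two constructed processes into one, because both ran as PID 4321.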


