Event ID 3

Logs network connections made by processes

Source:

Microsoft-Windows-Sysmon

Category:

Network connection detected (rule: NetworkConnect)

Network connection detected:
    RuleName: %1!s!
    UtcTime: %2!s!
    ProcessGuid: %3!s!
    ProcessId: %4!s!
    Image: %5!s!
    User: %6!s!
    Protocol: %7!s!
    Initiated: %8!s!
    SourceIsIpv6: %9!s!
    SourceIp: %10!s!
    SourceHostname: %11!s!
    SourcePort: %12!s!
    SourcePortName: %13!s!
    DestinationIsIpv6: %14!s!
    DestinationIp: %15!s!
    DestinationHostname: %16!s!
    DestinationPort: %17!s!
    DestinationPortName: %18!s!

The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGuid fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

Auditing: Always

This event adds critical visibility into network activity, since it logs every connection made by processes on monitored end points. It's generally recommended to audit this event despite the potentially high volume.

Volume: Medium High Very High

Volume depends on process as well as network activity from processes.

LEFT/RIGHT arrow keys for navigation

Back to List