Event ID 3
Logs network connections made by processes
Source:
Microsoft-Windows-Sysmon
Category:
Network connection detected (rule: NetworkConnect)
Network connection detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! User: %6!s! Protocol: %7!s! Initiated: %8!s! SourceIsIpv6: %9!s! SourceIp: %10!s! SourceHostname: %11!s! SourcePort: %12!s! SourcePortName: %13!s! DestinationIsIpv6: %14!s! DestinationIp: %15!s! DestinationHostname: %16!s! DestinationPort: %17!s! DestinationPortName: %18!s!
The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGuid fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.
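As an added example (not part of this reference entry), the following Python parses Event ID 3 records in the Windows event XML layout (the `http://schemas.microsoft.com/win/2004/08/events/event` namespace, with one `Data Name="..."` element per field named in the template above), then uses the ProcessGuid link to group outbound connections per process and to check destination ports against a per-image allowlist. All sample records, GUIDs, image paths, addresses and the allowlist are constructed for the demonstration; the helper names (`make_event`, `parse_network_connect`, `outbound_fanout`, `unexpected_ports`) are this example's own.

```python
"""Parse Sysmon Event ID 3 (NetworkConnect) XML and run two small detections.
Every record below is constructed; nothing here is captured from a real host."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows Event Log XML namespace that Sysmon records use.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData field names, in the order of the event's message template.
FIELDS = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "User",
          "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
          "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp",
          "DestinationHostname", "DestinationPort", "DestinationPortName"]

# Placeholder values so a partially specified sample still parses.
DEFAULTS = {name: "-" for name in FIELDS}
DEFAULTS.update(ProcessId="0", SourcePort="0", DestinationPort="0",
                Initiated="false", SourceIsIpv6="false", DestinationIsIpv6="false")


def make_event(**overrides):
    """Build a constructed Event ID 3 XML record (hypothetical helper)."""
    data = dict(DEFAULTS, **overrides)
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>'
            f'</System><EventData>{rows}</EventData></Event>')


def parse_network_connect(xml_text):
    """Return the EventData of an Event ID 3 record as a typed dict."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "3":
        raise ValueError(f"not a NetworkConnect event (EventID={event_id})")
    rec = {d.get("Name"): (d.text or "")
           for d in root.findall("e:EventData/e:Data", NS)}
    for name in ("Initiated", "SourceIsIpv6", "DestinationIsIpv6"):
        rec[name] = rec.get(name, "false").lower() == "true"
    for name in ("ProcessId", "SourcePort", "DestinationPort"):
        rec[name] = int(rec[name])
    return rec


def outbound_fanout(events, threshold):
    """Group outbound (Initiated=true) connections by ProcessGuid and return
    {guid: (image, distinct_destination_count)} for processes that reached more
    than `threshold` distinct destination IPs. The GUID is the pivot to the
    matching Event ID 1 (process create) record."""
    targets, images = defaultdict(set), {}
    for rec in events:
        if not rec["Initiated"]:
            continue  # inbound connections are not fan-out
        targets[rec["ProcessGuid"]].add(rec["DestinationIp"])
        images[rec["ProcessGuid"]] = rec["Image"]
    return {guid: (images[guid], len(ips))
            for guid, ips in targets.items() if len(ips) > threshold}


def unexpected_ports(events, allowed_by_image):
    """Return outbound records whose Image (case-insensitive path) has an
    allowlist and connected to a destination port outside it."""
    hits = []
    for rec in events:
        allowed = allowed_by_image.get(rec["Image"].lower())
        if allowed is not None and rec["Initiated"] \
                and rec["DestinationPort"] not in allowed:
            hits.append(rec)
    return hits


# Constructed sample: an updater that talks HTTPS (expected) and once to port
# 9001 (unexpected), an inbound connection that must be ignored, and a
# process in a user temp directory that reaches four hosts on one port.
GUID_A = "{00000000-0000-0000-0000-0000000000a1}"
GUID_B = "{00000000-0000-0000-0000-0000000000b2}"
UPDATER = r"C:\Program Files\Example\updater.exe"
SAMPLE_XML = [
    make_event(ProcessGuid=GUID_A, ProcessId="900", Image=UPDATER,
               User=r"NT AUTHORITY\SYSTEM", Protocol="tcp", Initiated="true",
               SourceIp="10.0.0.5", SourceHostname="ws01", SourcePort="51000",
               DestinationIp="10.0.0.1", DestinationHostname="proxy01",
               DestinationPort="443", DestinationPortName="https"),
    make_event(ProcessGuid=GUID_A, ProcessId="900", Image=UPDATER,
               Protocol="tcp", Initiated="true", SourceIp="10.0.0.5",
               SourcePort="51001", DestinationIp="10.0.0.2",
               DestinationPort="9001"),
    make_event(ProcessGuid=GUID_A, ProcessId="900", Image=UPDATER,
               Protocol="tcp", Initiated="false", SourceIp="10.0.0.5",
               SourcePort="8443", DestinationIp="10.0.0.7",
               DestinationPort="49200"),
] + [
    make_event(ProcessGuid=GUID_B, ProcessId="4321",
               Image=r"C:\Users\alice\AppData\Local\Temp\tool.exe",
               User=r"CORP\alice", Protocol="tcp", Initiated="true",
               SourceIp="10.0.0.5", SourcePort=str(52000 + i),
               DestinationIp=f"10.0.0.{20 + i}", DestinationPort="445",
               DestinationPortName="microsoft-ds")
    for i in range(4)
]


def run_sample():
    """Parse the sample records and return (fan-out hits, port hits)."""
    events = [parse_network_connect(x) for x in SAMPLE_XML]
    allow = {UPDATER.lower(): {80, 443}}
    return outbound_fanout(events, threshold=2), unexpected_ports(events, allow)


if __name__ == "__main__":
    fanout, ports = run_sample()
    print("fan-out:", fanout)
    print("unexpected ports:", [(r["Image"], r["DestinationPort"]) for r in ports])
```

Both checks key on `Initiated`, which is what separates connections a process opened from connections it accepted; inbound records share the same fields, so a rule that forgets this distinction will mis-attribute listener traffic to the receiving process. Thresholds and allowlists here are illustrative and would be tuned per environment.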
Auditing:
Always
This event adds critical visibility into network activity, since it logs every connection made by processes on monitored endpoints. It's generally recommended to audit this event despite the potentially high volume.
Volume:
Medium
High
Very High
Volume depends on which processes are running and on how much network activity they generate.