Sysmon Events
Source: Microsoft-Windows-Sysmon (30 events)

Categories:
Clipboard changed (rule: ClipboardChange)
CreateRemoteThread detected (rule: CreateRemoteThread)
Dns query (rule: DnsQuery)
Driver loaded (rule: DriverLoad)
File Delete archived
File Delete logged
File created (rule: FileCreate)
File creation time changed (rule: FileCreateTime)
File stream created (rule: FileCreateStreamHash)
Image loaded (rule: ImageLoad)
Network connection detected (rule: NetworkConnect)
Pipe Connected (rule: PipeEvent)
Pipe Created (rule: PipeEvent)
Process Create (rule: ProcessCreate)
Process Tampering (rule: ProcessTampering)
Process accessed (rule: ProcessAccess)
Process terminated (rule: ProcessTerminate)
RawAccessRead detected (rule: RawAccessRead)
Registry object added or deleted (rule: RegistryEvent)
Registry object renamed
Registry value set (rule: RegistryEvent)
Sysmon config state changed
Sysmon service state changed
WmiEventConsumer activity detected
WmiEventConsumerToFilter activity detected
WmiEventFilter activity detected
Event messages by ID. Each message is the event's template as registered with the Windows event log; a placeholder of the form %N!s! is replaced by the N-th insertion string (the field value) when the event is rendered.

ID   Event Message
1    Process Create: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! FileVersion: %6!s! Description: %7!s! Product: %8!s! Company: %9!s! OriginalFileName: %10!s! CommandLine: %11!s! CurrentDirectory: %12!s! User: %13!s! LogonGuid: %14!s! LogonId: %15!s! TerminalSessionId: %16!s! IntegrityLevel: %17!s! Hashes: %18!s! ParentProcessGuid: %19!s! ParentProcessId: %20!s! ParentImage: %21!s! ParentCommandLine: %22!s! ParentUser: %23!s!
2    File creation time changed: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! PreviousCreationUtcTime: %8!s! User: %9!s!
3    Network connection detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! User: %6!s! Protocol: %7!s! Initiated: %8!s! SourceIsIpv6: %9!s! SourceIp: %10!s! SourceHostname: %11!s! SourcePort: %12!s! SourcePortName: %13!s! DestinationIsIpv6: %14!s! DestinationIp: %15!s! DestinationHostname: %16!s! DestinationPort: %17!s! DestinationPortName: %18!s!
4    Sysmon service state changed: UtcTime: %1!s! State: %2!s! Version: %3!s! SchemaVersion: %4!s!
5    Process terminated: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! User: %6!s!
6    Driver loaded: RuleName: %1!s! UtcTime: %2!s! ImageLoaded: %3!s! Hashes: %4!s! Signed: %5!s! Signature: %6!s! SignatureStatus: %7!s!
7    Image loaded: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! ImageLoaded: %6!s! FileVersion: %7!s! Description: %8!s! Product: %9!s! Company: %10!s! OriginalFileName: %11!s! Hashes: %12!s! Signed: %13!s! Signature: %14!s! SignatureStatus: %15!s! User: %16!s!
8    CreateRemoteThread detected: RuleName: %1!s! UtcTime: %2!s! SourceProcessGuid: %3!s! SourceProcessId: %4!s! SourceImage: %5!s! TargetProcessGuid: %6!s! TargetProcessId: %7!s! TargetImage: %8!s! NewThreadId: %9!s! StartAddress: %10!s! StartModule: %11!s! StartFunction: %12!s! SourceUser: %13!s! TargetUser: %14!s!
9    RawAccessRead detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Device: %6!s! User: %7!s!
10   Process accessed: RuleName: %1!s! UtcTime: %2!s! SourceProcessGUID: %3!s! SourceProcessId: %4!s! SourceThreadId: %5!s! SourceImage: %6!s! TargetProcessGUID: %7!s! TargetProcessId: %8!s! TargetImage: %9!s! GrantedAccess: %10!s! CallTrace: %11!s! SourceUser: %12!s! TargetUser: %13!s!
11   File created: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! User: %8!s!
12   Registry object added or deleted: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! Image: %6!s! TargetObject: %7!s! User: %8!s!
13   Registry value set: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! Image: %6!s! TargetObject: %7!s! Details: %8!s! User: %9!s!
14   Registry object renamed: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! Image: %6!s! TargetObject: %7!s! NewName: %8!s! User: %9!s!
15   File stream created: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! Hash: %8!s! Contents: %9!s! User: %10!s!
16   Sysmon config state changed: UtcTime: %1!s! Configuration: %2!s! ConfigurationFileHash: %3!s!
17   Pipe Created: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! PipeName: %6!s! Image: %7!s! User: %8!s!
18   Pipe Connected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! PipeName: %6!s! Image: %7!s! User: %8!s!
19   WmiEventFilter activity detected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! Operation: %4!s! User: %5!s! EventNamespace: %6!s! Name: %7!s! Query: %8!s!
20   WmiEventConsumer activity detected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! Operation: %4!s! User: %5!s! Name: %6!s! Type: %7!s! Destination: %8!s!
21   WmiEventConsumerToFilter activity detected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! Operation: %4!s! User: %5!s! Consumer: %6!s! Filter: %7!s!
22   Dns query: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! QueryName: %5!s! QueryStatus: %6!s! QueryResults: %7!s! Image: %8!s! User: %9!s!
23   File Delete archived: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! IsExecutable: %9!s! Archived: %10!s!
24   Clipboard changed: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Session: %6!s! ClientInfo: %7!s! Hashes: %8!s! Archived: %9!s! User: %10!s!
25   Process Tampering: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Type: %6!s! User: %7!s!
26   File Delete logged: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! IsExecutable: %9!s!
27   File Block Executable: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s!
28   File Block Shredding: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! IsExecutable: %9!s!
29   File Executable Detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s!
255  Error report: UtcTime: %1!s! ID: %2!s! Description: %3!s!