Source: Microsoft-Windows-Sysmon (30 events)
Categories (event count in parentheses):

- Clipboard changed (rule: ClipboardChange) (1)
- CreateRemoteThread detected (rule: CreateRemoteThread) (1)
- Dns query (rule: DnsQuery) (1)
- Driver loaded (rule: DriverLoad) (1)
- File Delete archived (1)
- File Delete logged (1)
- File created (rule: FileCreate) (1)
- File creation time changed (rule: FileCreateTime) (1)
- File stream created (rule: FileCreateStreamHash) (1)
- Image loaded (rule: ImageLoad) (1)
- Network connection detected (rule: NetworkConnect) (1)
- Pipe Connected (rule: PipeEvent) (1)
- Pipe Created (rule: PipeEvent) (1)
- Process Create (rule: ProcessCreate) (1)
- Process Tampering (rule: ProcessTampering) (1)
- Process accessed (rule: ProcessAccess) (1)
- Process terminated (rule: ProcessTerminate) (1)
- RawAccessRead detected (rule: RawAccessRead) (1)
- Registry object added or deleted (rule: RegistryEvent) (1)
- Registry object renamed (1)
- Registry value set (rule: RegistryEvent) (1)
- Sysmon config state changed (1)
- Sysmon service state changed (1)
- WmiEventConsumer activity detected (1)
- WmiEventConsumerToFilter activity detected (1)
- WmiEventFilter activity detected (1)
Tags: Sysmon
All events

| ID | Event Message |
|----|---------------|
| 1 | Process Create: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! FileVersion: %6!s! Description: %7!s! Product: %8!s! Company: %9!s! OriginalFileName: %10!s! CommandLine: %11!s! CurrentDirectory: %12!s! User: %13!s! LogonGuid: %14!s! LogonId: %15!s! TerminalSessionId: %16!s! IntegrityLevel: %17!s! Hashes: %18!s! ParentProcessGuid: %19!s! ParentProcessId: %20!s! ParentImage: %21!s! ParentCommandLine: %22!s! ParentUser: %23!s! |
| 2 | File creation time changed: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! PreviousCreationUtcTime: %8!s! User: %9!s! |
| 3 | Network connection detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! User: %6!s! Protocol: %7!s! Initiated: %8!s! SourceIsIpv6: %9!s! SourceIp: %10!s! SourceHostname: %11!s! SourcePort: %12!s! SourcePortName: %13!s! DestinationIsIpv6: %14!s! DestinationIp: %15!s! DestinationHostname: %16!s! DestinationPort: %17!s! DestinationPortName: %18!s! |
| 4 | Sysmon service state changed: UtcTime: %1!s! State: %2!s! Version: %3!s! SchemaVersion: %4!s! |
| 5 | Process terminated: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! User: %6!s! |
| 6 | Driver loaded: RuleName: %1!s! UtcTime: %2!s! ImageLoaded: %3!s! Hashes: %4!s! Signed: %5!s! Signature: %6!s! SignatureStatus: %7!s! |
| 7 | Image loaded: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! ImageLoaded: %6!s! FileVersion: %7!s! Description: %8!s! Product: %9!s! Company: %10!s! OriginalFileName: %11!s! Hashes: %12!s! Signed: %13!s! Signature: %14!s! SignatureStatus: %15!s! User: %16!s! |
| 8 | CreateRemoteThread detected: RuleName: %1!s! UtcTime: %2!s! SourceProcessGuid: %3!s! SourceProcessId: %4!s! SourceImage: %5!s! TargetProcessGuid: %6!s! TargetProcessId: %7!s! TargetImage: %8!s! NewThreadId: %9!s! StartAddress: %10!s! StartModule: %11!s! StartFunction: %12!s! SourceUser: %13!s! TargetUser: %14!s! |
| 9 | RawAccessRead detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Device: %6!s! User: %7!s! |
| 10 | Process accessed: RuleName: %1!s! UtcTime: %2!s! SourceProcessGUID: %3!s! SourceProcessId: %4!s! SourceThreadId: %5!s! SourceImage: %6!s! TargetProcessGUID: %7!s! TargetProcessId: %8!s! TargetImage: %9!s! GrantedAccess: %10!s! CallTrace: %11!s! SourceUser: %12!s! TargetUser: %13!s! |
| 11 | File created: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! User: %8!s! |
| 12 | Registry object added or deleted: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! Image: %6!s! TargetObject: %7!s! User: %8!s! |
| 13 | Registry value set: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! Image: %6!s! TargetObject: %7!s! Details: %8!s! User: %9!s! |
| 14 | Registry object renamed: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! Image: %6!s! TargetObject: %7!s! NewName: %8!s! User: %9!s! |
| 15 | File stream created: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! TargetFilename: %6!s! CreationUtcTime: %7!s! Hash: %8!s! Contents: %9!s! User: %10!s! |
| 16 | Sysmon config state changed: UtcTime: %1!s! Configuration: %2!s! ConfigurationFileHash: %3!s! |
| 17 | Pipe Created: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! PipeName: %6!s! Image: %7!s! User: %8!s! |
| 18 | Pipe Connected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! ProcessGuid: %4!s! ProcessId: %5!s! PipeName: %6!s! Image: %7!s! User: %8!s! |
| 19 | WmiEventFilter activity detected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! Operation: %4!s! User: %5!s! EventNamespace: %6!s! Name: %7!s! Query: %8!s! |
| 20 | WmiEventConsumer activity detected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! Operation: %4!s! User: %5!s! Name: %6!s! Type: %7!s! Destination: %8!s! |
| 21 | WmiEventConsumerToFilter activity detected: RuleName: %1!s! EventType: %2!s! UtcTime: %3!s! Operation: %4!s! User: %5!s! Consumer: %6!s! Filter: %7!s! |
| 22 | Dns query: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! QueryName: %5!s! QueryStatus: %6!s! QueryResults: %7!s! Image: %8!s! User: %9!s! |
| 23 | File Delete archived: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! IsExecutable: %9!s! Archived: %10!s! |
| 24 | Clipboard changed: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Session: %6!s! ClientInfo: %7!s! Hashes: %8!s! Archived: %9!s! User: %10!s! |
| 25 | Process Tampering: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! Type: %6!s! User: %7!s! |
| 26 | File Delete logged: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! IsExecutable: %9!s! |
| 27 | File Block Executable: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! |
| 28 | File Block Shredding: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! IsExecutable: %9!s! |
| 29 | File Executable Detected: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! User: %5!s! Image: %6!s! TargetFilename: %7!s! Hashes: %8!s! |
| 255 | Error report: UtcTime: %1!s! ID: %2!s! Description: %3!s! |