sysmon

October 17, 2024

Expression

product = "sysmon"

Fields

| Field | Core | Detection | Informational |
|---|---|---|---|
| log_name | | | |
| event_code | | | |
| local_user_name | | | |
| fallback_user_name | | | |
| src_host | | | |
| user | | | |

Activity Types

| Activity Type | Field | Status | Core | Detection | Informational |
|---|---|---|---|---|---|
| alert-trigger | | | | | |
| dll-load | hash_sha256 | | | | |
| | thread_id | | | | |
| | hash_sha1 | | | | |
| | process_guid | Legacy | | | |
| | file_signature | | | | |
| | file_signature_status | | | | |
| | file_signed | | | | |
| | hash_md5 | | | | |
| dns-request | process_id | | | | |
| | thread_id | | | | |
| | process_guid | | | | |
| | dns_response | | | | |
| | process_name | | | | |
| | process_dir | | | | |
| | process_path | | | | |
| driver-load | hash_sha256 | Default | | | |
| | process_id | Default | | | |
| | thread_id | Default | | | |
| | hash_sha1 | Default | | | |
| | file_signature | Default | | | |
| | file_signature_status | Default | | | |
| | file_signed | Default | | | |
| | hash_md5 | Default | | | |
| file-delete | hash_sha256 | | | | |
| | process_id | | | | |
| | thread_id | | | | |
| | hash_sha1 | | | | |
| | is_executable | | | | |
| | process_guid | | | | |
| | is_archived | | | | |
| | process_name | Legacy | | | |
| | hash_md5 | | | | |
| | process_dir | Legacy | | | |
| | process_path | Legacy | | | |
| file-write | process_id | | | | |
| | thread_id | | | | |
| | process_guid | | | | |
| | process_name | Legacy | | | |
| | time_created | | | | |
| | process_dir | Legacy | | | |
| | process_path | Legacy | | | |
| network-session | process_id | Default | | | |
| | thread_id | Default | | | |
| | process_guid | Default | | | |
| | process_name | Default | | | |
| | dest_ipv6 | Default | | | |
| | dest_host | Default | | | |
| | process_dir | Default | | | |
| | process_path | Default | | | |
| | src_ipv6 | Default | | | |
| process-create | hash_sha256 | Default | | | |
| | hash_sha1 | Default | | | |
| | process_guid | Default | | | |
| | parent_process_command_line | Default | | | |
| | process_integrity | Default | | | |
| | hash_md5 | Default | | | |
| | parent_process_guid | Default | | | |
| registry-modify | process_id | | | | |
| | thread_id | | | | |
| | process_guid | | | | |
| | process_name | | | | |
| | process_dir | | | | |
| | process_path | | | | |