sysmon
October 17, 2024
Expression
product = "sysmon"
Fields
| Field | Core | Detection | Informational |
|---|---|---|---|
| log_name | ✓ | | |
| event_code | ✓ | | |
| local_user_name | | | |
| fallback_user_name | | | |
| src_host | ✓ | ✓ | |
| user | ✓ | ✓ | |
Activity Types
| Activity Type | Field | Status | Core | Detection | Informational |
|---|---|---|---|---|---|
| alert-trigger | | | | | |
| dll-load | hash_sha256 | | ✓ | | |
| dll-load | thread_id | | ✓ | | |
| dll-load | hash_sha1 | | ✓ | | |
| dll-load | process_guid | Legacy | ✓ | | |
| dll-load | file_signature | | ✓ | | |
| dll-load | file_signature_status | | ✓ | | |
| dll-load | file_signed | | ✓ | | |
| dll-load | hash_md5 | | ✓ | | |
| dns-request | process_id | | ✓ | | |
| dns-request | thread_id | | ✓ | | |
| dns-request | process_guid | | ✓ | | |
| dns-request | dns_response | | ✓ | | |
| dns-request | process_name | | ✓ | | |
| dns-request | process_dir | | ✓ | | |
| dns-request | process_path | | ✓ | | |
| driver-load | hash_sha256 | Default | ✓ | | |
| driver-load | process_id | Default | ✓ | | |
| driver-load | thread_id | Default | ✓ | | |
| driver-load | hash_sha1 | Default | ✓ | | |
| driver-load | file_signature | Default | ✓ | | |
| driver-load | file_signature_status | Default | ✓ | | |
| driver-load | file_signed | Default | ✓ | | |
| driver-load | hash_md5 | Default | ✓ | | |
| file-delete | hash_sha256 | | ✓ | | |
| file-delete | process_id | | ✓ | | |
| file-delete | thread_id | | ✓ | | |
| file-delete | hash_sha1 | | ✓ | | |
| file-delete | is_executable | | ✓ | | |
| file-delete | process_guid | | ✓ | | |
| file-delete | is_archived | | ✓ | | |
| file-delete | process_name | Legacy | ✓ | | |
| file-delete | hash_md5 | | ✓ | | |
| file-delete | process_dir | Legacy | ✓ | | |
| file-delete | process_path | Legacy | ✓ | | |
| file-write | process_id | | ✓ | | |
| file-write | thread_id | | | | |
| file-write | process_guid | | ✓ | | |
| file-write | process_name | Legacy | ✓ | | |
| file-write | time_created | | ✓ | | |
| file-write | process_dir | Legacy | ✓ | | |
| file-write | process_path | Legacy | ✓ | | |
| network-session | process_id | Default | ✓ | | |
| network-session | thread_id | Default | ✓ | | |
| network-session | process_guid | Default | ✓ | | |
| network-session | process_name | Default | ✓ | | |
| network-session | dest_ipv6 | Default | ✓ | | |
| network-session | dest_host | Default | ✓ | | |
| network-session | process_dir | Default | ✓ | | |
| network-session | process_path | Default | ✓ | | |
| network-session | src_ipv6 | Default | ✓ | | |
| process-create | hash_sha256 | Default | ✓ | | |
| process-create | hash_sha1 | Default | ✓ | | |
| process-create | process_guid | Default | ✓ | | |
| process-create | parent_process_command_line | Default | ✓ | | |
| process-create | process_integrity | Default | ✓ | | |
| process-create | hash_md5 | Default | ✓ | | |
| process-create | parent_process_guid | Default | ✓ | | |
| registry-modify | process_id | | ✓ | | |
| registry-modify | thread_id | | ✓ | | |
| registry-modify | process_guid | | ✓ | | |
| registry-modify | process_name | | ✓ | | |
| registry-modify | process_dir | | ✓ | | |
| registry-modify | process_path | | ✓ | | |