Collect Microsoft Windows Sysmon data
This document:
- describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Google Security Operations Parser for Microsoft Windows Sysmon events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
- includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields.
Information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.
Before you begin
Review the recommended deployment architecture
This diagram represents the recommended core components in a deployment architecture to collect and send Microsoft Windows Sysmon data to Google Security Operations. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:
- Systems in the deployment architecture are configured with the UTC time zone.
- Sysmon is installed on servers, endpoints, and domain controllers.
- The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
Microsoft Windows systems in the deployment architecture use:
- Source Initiated Subscriptions to collect events across multiple devices.
- WinRM service for remote system management.
NXLog is installed on the collector Window server to forward logs to Google Security Operations forwarder.
Google Security Operations forwarder is installed on a central Microsoft Windows server or Linux server.
Review the supported devices and versions
The Google Security Operations parser supports logs generated by the following Microsoft Windows server versions. Microsoft Windows Server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition does not differ.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
Google Security Operations parser supports logs generated by:
- Microsoft Windows 7 and higher client systems
- Sysmon version 13.24.
Google Security Operations parser supports logs collected by NXLog Community or Enterprise Edition.
Review the supported log types
The Google Security Operations parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.
Log Type | Description |
---|---|
Sysmon Logs | Sysmon channel contains 27 Event Ids. (Event Id: 1 to 26, and 255). For a description of this log type, see the Microsoft Windows Sysmon Events documentation |
Configure Microsoft Windows servers, endpoints, and domain controllers
- Install and configure the servers, endpoints, and domain controllers. For information, see Microsoft Windows Sysmon Configuration documentation.
- Set up a collector Microsoft Windows server to parse the collected logs from multiple systems.
- Set up the central Microsoft Windows or Linux server
- Configure all systems with the UTC time zone.
- Configure the devices to forward logs to the collector Microsoft Windows server.
- Configure Source Initiated Subscriptions on Microsoft Windows systems. For information, see Setting up a Source Initiated Subscription.
- Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.
Configure the BindPlane Agent
Collect the Windows Sysmon logs by using the BindPlane Agent.
After installation, the BindPlane Agent service appears as the observerIQ
service in the list of Windows services.
- Install the BindPlane Agent on the collector that is running on a Windows server. For more information about installing the BindPlane Agent, see the BindPlane Agent installation instructions.
Create a configuration file for the BindPlane Agent with the following contents.
receivers: windowseventlog/sysmon: channel: Microsoft-Windows-Sysmon/Operational raw: true processors: batch: exporters: chronicle/winsysmon: endpoint: https://malachiteingestion-pa.googleapis.com creds: '{ "type": "service_account", "project_id": "malachite-projectname", "private_key_id": `PRIVATE_KEY_ID`, "private_key": `PRIVATE_KEY`, "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com", "client_id": `CLIENT_ID`, "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com", "universe_domain": "googleapis.com" }' log_type: 'WINDOWS_SYSMON' override_log_type: false raw_log_field: body customer_id: `CUSTOMER_ID` service: pipelines: logs/winsysmon: receivers: - windowseventlog/sysmon processors: [batch] exporters: [chronicle/winsysmon]
Replace the
PRIVATE_KEY_ID
,PRIVATE_KEY
SERVICSERVICE_ACCOUNT_NAME
,PROJECT_ID
,CLIENT_ID
andCUSTOMER_ID
with the respective values from the service account JSON file which you can download from Google Cloud Platform. For more information about service account keys, see Create and delete service account keys documentation.To start the observerIQ agent service, select Services > Extended > the observerIQ Service > start.
Configure NXLog and Google Security Operations forwarder
- Install NXLog on the collector that is running on a Windows server. Follow the NXLog documentation, including information about configuring NXLog to collect logs from Sysmon.
Create a configuration file for NXLog. Use the im_msvistalog input module. Here is an example NXLog configuration. Replace
<hostname>
and<port>
values with information about the destination central Microsoft Windows or Linux server. For more information, see NXLog documentation about the om_tcp module.define ROOT C:\Program Files (x86)\nxlog define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname> define SYSMON_OUTPUT_DESTINATION_PORT <port> define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_sysmon_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast False SavePos False </Input> <Output out_chronicle_sysmon> Module om_tcp Host %SYSMON_OUTPUT_DESTINATION_ADDRESS% Port %SYSMON_OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_sysmon_eventlog => out_chronicle_sysmon </Route>
Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server. See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.
Configure the Google Security Operations forwarder to send logs to Google Security Operations. Here is an example forwarder configuration.
- syslog: common: enabled: true data_type: WINDOWS_SYSMON Data_hint: batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Start the NXLog service.
Field mapping reference: device event fields to UDM fields
This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping may differ by Event Id.
Common fields
NXLog field | UDM field |
---|---|
UtcTime | metadata.event_timestamp |
Category | security_result.summary and metadata.product_event_type |
AccountName | principal.user.userid |
Domain | principal.administrative_domain |
RecordNumber | metadata.product_log_id |
HostName | principal.hostname |
UserID | principal.user.windows_sid |
SeverityValue | security_result.severity |
ProcessID | observer.process.pid |
ProviderGuid | observer.asset_id |
LogonId | principal.network.session_id |
ThreadID | additional.fields.key set to thread_id and
value stored in additional.fields.value.string_value |
Channel | additional.fields.key set to channel and
value stored in additional.fields.value.string_value |
EventID | security_result.rule_name set to EventID: <EventID> metadata.product_event_type set to <Category> [<EventID>] |
Event Id: 1
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_LAUNCH |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path |
FileVersion | target.asset.software.version |
Description | target.asset.software.description |
Product | target.asset.software.name |
Company | target.asset.software.vendor_name |
CommandLine | target.process.command_line |
CurrentDirectory | additional.fields.key set to current_directory and
value stored in additional.fields.value.string_value |
User | Domain stored in principal.administrative_domain Username stored in principal.user.userid |
Hashes | Based on Hash algorithm.
|
ParentProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ParentProcessGuid> |
ParentProcessId | principal.process.pid |
ParentImage | principal.process.file.full_path |
ParentCommandLine | principal.process.command_line |
Event Id: 2
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and value
stored in target.resource.attribute.labels.value |
PreviousCreationUtcTime | target.resource.attribute.labels.key set to PreviousCreationUtcTime and
value stored in target.resource.attribute.labels.value |
Event Id: 3
NXLog field | UDM field |
---|---|
metadata.event_type set to NETWORK_CONNECTION security_result.action set to ALLOW network.direction set to OUTBOUND |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
User | Domain stored in principal.administrative_domain Username stored in principal.user.userid |
Protocol | network.ip_protocol |
SourceIp | principal.ip |
SourcePort | principal.port |
DestinationIp | target.ip |
DestinationHostname | target.hostname |
DestinationPort | target.port |
Event Id: 4
NXLog field | UDM field |
---|---|
metadata.event_type set to SETTING_MODIFICATION target.resource.resource_type set to SETTING target.resource.resource_subtype set to State |
|
UtcTime | metadata.event_timestamp |
State | target.resource.name |
Version | metadata.product_version |
Event Id: 5
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_TERMINATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path |
Event Id: 6
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ImageLoaded | principal.process.file.full_path |
Hashes | The field populated is determined by the Hash algorithm.
|
Signed | target.resource.attribute.labels.key set to Signed and value set to
target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to Signature and value stored in
target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and value
stored in target.resource.attribute.labels.value |
Event Id: 7
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
ImageLoaded | target.process.file.full_path |
FileVersion | target.asset.software.version |
Description | target.asset.software.description |
Product | target.asset.software.name |
Company | target.asset.software.vendor_name |
Hashes | The field populated is determined by the Hash algorithm.
|
Signed | target.resource.attribute.labels.key set to Signed and value stored in
target.resource.attribute.labels.value |
Signature | target.resource.attribute.labels.key set to Signature Signature value in target.resource.attribute.labels.value |
SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and value
stored in target.resource.attribute.labels.value |
Event Id: 8
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<SourceProcessGuid> |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGuid | target.process.product_specific_process_id set to
SYSMON:<TargetProcessGuid> |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
Event Id: 9
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_READ
If the |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
Device | target.file.full_path |
Event Id: 10
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_OPEN target.resource.resource_subtype set to GrantedAccess |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
SourceProcessGUID | principal.process.product_specific_process_id set to
SYSMON:<SourceProcessGUID> |
SourceProcessId | principal.process.pid |
SourceImage | principal.process.file.full_path |
TargetProcessGUID | target.process.product_specific_process_id set to
SYSMON:<TargetProcessGUID> |
TargetProcessId | target.process.pid |
TargetImage | target.process.file.full_path |
GrantedAccess | target.resource.name |
Event Id: 11
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_CREATION target.resource.resource_subtype set to CreationUtcTime |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.name |
Event Id: 12
NXLog field | UDM field |
---|---|
If the Message the field contains CreateKey|CreateValue , then
metadata.event_type set to REGISTRY_CREATION If the Message field contains DeleteKey|DeleteValue , thenmetadata.event_type set to REGISTRY_DELETION Otherwise, metadata.event_type set to REGISTRY_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Event Id: 13
NXLog field | UDM field |
---|---|
metadata.event_type set to REGISTRY_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetObject | target.registry.registry_key |
Details | target.registry.registry_value_data |
Event Id: 14
NXLog field | UDM field |
---|---|
metadata.event_type set to REGISTRY_MODIFICATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetObject | src.registry.registry_key |
NewName | target.registry.registry_key |
Event Id: 15
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_CREATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and value
stored in target.resource.attribute.labels.value |
Hash | The field populated is determined by the Hash algorithm.
|
Event Id: 16
NXLog field | UDM field |
---|---|
metadata.event_type set to SETTING_MODIFICATION |
|
UtcTime | metadata.event_timestamp |
ProcessID | target.process.pid |
Configuration | The value is stored in target.process.command_line when this field value
contains any command line or processThe value is stored in target.process.file.full_path when this field value
contains the configuration file path. |
ConfigurationFileHash | The field populated is determined by the Hash algorithm.
|
Event Id: 17
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_UNCATEGORIZED target.resource.resource_type set to PIPE |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
PipeName | target.resource.name |
Image | target.process.file.full_path |
Event Id: 18
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_UNCATEGORIZED target.resource.resource_type set to PIPE |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | target.process.pid |
IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
PipeName | target.resource.name |
Image | target.process.file.full_path |
Event Id: 19
NXLog field | UDM field |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | |
User | The Domain is stored in principal.administrative_domain The Username is stored in principal.user.userid |
EventNamespace | target.file.full_path |
Name | target.application |
Query | target.resource.name |
Event Id: 20
NXLog field | UDM field |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to Operation and the value is
stored in target.resource.attribute.labels.value |
User | The domain is stored in principal.administrative_domain The Username is stored in principal.user.userid |
Name | target.resource.attribute.labels.key set to Name Name value in target.resource.attribute.labels.value |
Type | target.resource.attribute.labels.key set to Type and the value is stored
in target.resource.attribute.labels.value |
Destination | target.resource.name |
Event Id: 21
NXLog field | UDM field |
---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
Operation | target.resource.attribute.labels.key set to Operation and the value is
stored in target.resource.attribute.labels.value |
User | The domain is stored in principal.administrative_domain The username is stored in principal.user.userid |
Consumer | target.resource.attribute.labels.key set to Consumer and the value is
stored in target.resource.attribute.labels.value |
Filter | target.resource.name |
Event Id: 22
NXLog field | UDM field |
---|---|
metadata.event_type set to NETWORK_DNS network.application_protocol set to DNS |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
QueryName | network.dns.questions |
QueryStatus | Stored in security_result.summary as Query Status: <QueryStatus> |
QueryResults | Type is saved to network.dns.answers.type with values separated by a
semicolon (;)Data is saved to network.dns.answers.data Values that do not have type are mapped to network.dns.answers.data . |
Image | principal.process.file.full_path |
Event Id: 23
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_DELETION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
User | Domain stored into principal.administrative_domain Username stored in principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | The field populated is determined by the Hash algorithm.
|
IsExecutable | Field target.resource.attribute.labels.key set to IsExecutable and the
value is stored in target.resource.attribute.labels.value |
Archived | target.resource.attribute.labels.key set to Archived and the value is
stored in target.resource.attribute.labels.value |
Event Id: 24
NXLog field | UDM field |
---|---|
metadata.event_type set to RESOURCE_READ |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path target.resource.name |
ClientInfo | ip stored in target.ip hostname stored in target.hostname user stored in principal.user.userid |
Hashes | The field populated is determined by the Hash algorithm.
|
Archived | target.resource.attribute.labels.key set to Archived and value stored in
target.resource.attribute.labels.value |
Event Id: 25
NXLog field | UDM field |
---|---|
metadata.event_type set to PROCESS_LAUNCH |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | target.process.product_specific_process_id stored as
SYSMON:<ProcessGuid> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
Image | target.process.file.full_path |
Event Id: 26
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_DELETION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<%{ProcessGuid}> |
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
User | Domain set to principal.administrative_domain Username set to principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1 |
IsExecutable | target.resource.attribute.labels.key set to IsExecutable & value in
target.resource.attribute.labels.value |
Event Id: 29
NXLog field | UDM field |
---|---|
metadata.event_type set to FILE_CREATION |
|
RuleName | security_result.rule_name |
UtcTime | metadata.event_timestamp |
ProcessGuid | principal.process.product_specific_process_id is set to
SYSMON:<PROCESS_GUID>
PROCESS_GUID is the ProcessGuid . The ProcessGuid field is a unique value for this process across a domain to make event correlation easier.
|
ProcessId | principal.process.pid |
IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
User | Domain is set to principal.administrative_domain Username is set to principal.user.userid |
Image | principal.process.file.full_path |
TargetFilename | target.file.full_path |
Hashes | Based on the hash algorithm, the following values are set:
|
Event Id: 255
NXLog field | UDM field |
---|---|
metadata.event_type set to SERVICE_UNSPECIFIED metadata.product_event_type set to Error - [255] target.application set to Microsoft Sysmon |
|
UtcTime | metadata.event_timestamp |
ID | security_result.summary |
Description | security_result.description |