Cyb3rWard0g/sysmon-ksql-processcreate-event

## sysmon-ksql-processcreate-event
12/18/18 10:42:32 PM UTC , NULL ,
{
    "@timestamp":"2018-12-18T22:42:32.841Z",
    "@metadata":
    {
        "beat":"winlogbeat",
        "type":"doc",
        "version":"6.5.3",
        "topic":"winlogbeat"
    },
    "opcode":"Info",
    "message":"Process Create:\x5CnRuleName: \x5CnUtcTime: 2018-12-18 22:42:32.826\x5CnProcessGuid: {1C9FDC81-77D8-5C19-0000-0010A8182800}\x5CnProcessId: 2620\x5CnImage: C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Ctaskhostw.exe\x5CnFileVersion: 10.0.17134.1 (WinBuild.160101.0800)\x5CnDescription: Host Process for Windows Tasks\x5CnProduct: Microsoft\xC2\xAE Windows\xC2\xAE Operating System\x5CnCompany: Microsoft Corporation\x5CnCommandLine: taskhostw.exe Logon\x5CnCurrentDirectory: C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5C\x5CnUser: RIVENDELL\x5C\x5Ccbrown\x5CnLogonGuid: {1C9FDC81-76A7-5C19-0000-00205D8E0900}\x5CnLogonId: 0x98E5D\x5CnTerminalSessionId: 1\x5CnIntegrityLevel: Medium\x5CnHashes: SHA1=2A594345FBCAAD453C72BD0937CBF67FB43A74DF,MD5=CE95E236FC9FE2D6F16C926C75B18BAF,SHA256=740122D338FFD2CBB0877F8AC17B28218EAD02F08A9B28D5266C94E33F938085,IMPHASH=3627BE269990D67CF76A03FA55EF9A08\x5CnParentProcessGuid: {1C9FDC81-7677-5C19-0000-00104A420100}\x5CnParentProcessId: 988\x5CnParentImage: C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Csvchost.exe\x5CnParentCommandLine: C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5Csvchost.exe -k netsvcs -p",
    "thread_id":3100,
    "computer_name":"DESKTOP-LFD11QP.RIVENDELL.local",
    "version":5,
    "task":"Process Create (rule: ProcessCreate)",
    "event_data":
    {
        "Hashes":"SHA1=2A594345FBCAAD453C72BD0937CBF67FB43A74DF,MD5=CE95E236FC9FE2D6F16C926C75B18BAF,SHA256=740122D338FFD2CBB0877F8AC17B28218EAD02F08A9B28D5266C94E33F938085,IMPHASH=3627BE269990D67CF76A03FA55EF9A08",
        "ProcessGuid":"{1C9FDC81-77D8-5C19-0000-0010A8182800}",
        "IntegrityLevel":"Medium",
        "UtcTime":"2018-12-18 22:42:32.826",
        "LogonId":"0x98e5d",
        "Description":"Host Process for Windows Tasks",
        "TerminalSessionId":"1",
        "CommandLine":"taskhostw.exe Logon",
        "ParentImage":"C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Csvchost.exe",
        "LogonGuid":"{1C9FDC81-76A7-5C19-0000-00205D8E0900}",
        "User":"RIVENDELL\x5C\x5Ccbrown",
        "FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
        "ParentProcessId":"988",
        "ParentCommandLine":"C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5Csvchost.exe -k netsvcs -p",
        "Product":"Microsoft\xC2\xAE Windows\xC2\xAE Operating System",
        "Image":"C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Ctaskhostw.exe",
        "ProcessId":"2620",
        "CurrentDirectory":"C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5C",
        "Company":"Microsoft Corporation",
        "ParentProcessGuid":"{1C9FDC81-7677-5C19-0000-00104A420100}"
    },
    "host":
    {
        "name":"DESKTOP-LFD11QP"
    },
    "type":"wineventlog",
    "provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "level":"Information",
    "event_id":1,
    "log_name":"Microsoft-Windows-Sysmon/Operational",
    "source_name":"Microsoft-Windows-Sysmon",
    "record_number":"3040257",
    "process_id":2160,
    "user":
    {
        "name":"SYSTEM",
        "domain":"NT AUTHORITY",
        "type":"User",
        "identifier":"S-1-5-18"
    },
    "beat":
    {
        "name":"DESKTOP-LFD11QP",
        "hostname":"DESKTOP-LFD11QP",
        "version":"6.5.3"
    }
}
	12/18/18 10:42:32 PM UTC , NULL ,
	{
	"@timestamp":"2018-12-18T22:42:32.841Z",
	"@metadata":
	{
	"beat":"winlogbeat",
	"type":"doc",
	"version":"6.5.3",
	"topic":"winlogbeat"
	},
	"opcode":"Info",
	"message":"Process Create:\x5CnRuleName: \x5CnUtcTime: 2018-12-18 22:42:32.826\x5CnProcessGuid: {1C9FDC81-77D8-5C19-0000-0010A8182800}\x5CnProcessId: 2620\x5CnImage: C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Ctaskhostw.exe\x5CnFileVersion: 10.0.17134.1 (WinBuild.160101.0800)\x5CnDescription: Host Process for Windows Tasks\x5CnProduct: Microsoft\xC2\xAE Windows\xC2\xAE Operating System\x5CnCompany: Microsoft Corporation\x5CnCommandLine: taskhostw.exe Logon\x5CnCurrentDirectory: C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5C\x5CnUser: RIVENDELL\x5C\x5Ccbrown\x5CnLogonGuid: {1C9FDC81-76A7-5C19-0000-00205D8E0900}\x5CnLogonId: 0x98E5D\x5CnTerminalSessionId: 1\x5CnIntegrityLevel: Medium\x5CnHashes: SHA1=2A594345FBCAAD453C72BD0937CBF67FB43A74DF,MD5=CE95E236FC9FE2D6F16C926C75B18BAF,SHA256=740122D338FFD2CBB0877F8AC17B28218EAD02F08A9B28D5266C94E33F938085,IMPHASH=3627BE269990D67CF76A03FA55EF9A08\x5CnParentProcessGuid: {1C9FDC81-7677-5C19-0000-00104A420100}\x5CnParentProcessId: 988\x5CnParentImage: C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Csvchost.exe\x5CnParentCommandLine: C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5Csvchost.exe -k netsvcs -p",
	"thread_id":3100,
	"computer_name":"DESKTOP-LFD11QP.RIVENDELL.local",
	"version":5,
	"task":"Process Create (rule: ProcessCreate)",
	"event_data":
	{
	"Hashes":"SHA1=2A594345FBCAAD453C72BD0937CBF67FB43A74DF,MD5=CE95E236FC9FE2D6F16C926C75B18BAF,SHA256=740122D338FFD2CBB0877F8AC17B28218EAD02F08A9B28D5266C94E33F938085,IMPHASH=3627BE269990D67CF76A03FA55EF9A08",
	"ProcessGuid":"{1C9FDC81-77D8-5C19-0000-0010A8182800}",
	"IntegrityLevel":"Medium",
	"UtcTime":"2018-12-18 22:42:32.826",
	"LogonId":"0x98e5d",
	"Description":"Host Process for Windows Tasks",
	"TerminalSessionId":"1",
	"CommandLine":"taskhostw.exe Logon",
	"ParentImage":"C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Csvchost.exe",
	"LogonGuid":"{1C9FDC81-76A7-5C19-0000-00205D8E0900}",
	"User":"RIVENDELL\x5C\x5Ccbrown",
	"FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
	"ParentProcessId":"988",
	"ParentCommandLine":"C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5Csvchost.exe -k netsvcs -p",
	"Product":"Microsoft\xC2\xAE Windows\xC2\xAE Operating System",
	"Image":"C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Ctaskhostw.exe",
	"ProcessId":"2620",
	"CurrentDirectory":"C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5C",
	"Company":"Microsoft Corporation",
	"ParentProcessGuid":"{1C9FDC81-7677-5C19-0000-00104A420100}"
	},
	"host":
	{
	"name":"DESKTOP-LFD11QP"
	},
	"type":"wineventlog",
	"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
	"level":"Information",
	"event_id":1,
	"log_name":"Microsoft-Windows-Sysmon/Operational",
	"source_name":"Microsoft-Windows-Sysmon",
	"record_number":"3040257",
	"process_id":2160,
	"user":
	{
	"name":"SYSTEM",
	"domain":"NT AUTHORITY",
	"type":"User",
	"identifier":"S-1-5-18"
	},
	"beat":
	{
	"name":"DESKTOP-LFD11QP",
	"hostname":"DESKTOP-LFD11QP",
	"version":"6.5.3"
	}
	}