Forked from williballenthin/Microsoft-Windows-Sysmon-schema.txt
Created
March 5, 2018 10:08
-
-
Save pse1202/b4eaaebfd203b8d3da19753ba37c4194 to your computer and use it in GitHub Desktop.
example events from sysmon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# generate via: wevtutil gp Microsoft-Windows-Sysmon /getevents /getmessage | |
name: Microsoft-Windows-Sysmon | |
guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9 | |
helpLink: | |
resourceFileName: C:\Windows\Sysmon.exe | |
messageFileName: C:\Windows\Sysmon.exe | |
message: | |
channels: | |
channel: | |
name: Microsoft-Windows-Sysmon/Operational | |
id: 16 | |
flags: 0 | |
message: | |
levels: | |
level: | |
name: win:Error | |
value: 2 | |
message: Error | |
level: | |
name: win:Informational | |
value: 4 | |
message: Information | |
opcodes: | |
opcode: | |
name: win:Info | |
value: 0 | |
task: 0 | |
opcode: 0 | |
message: Info | |
tasks: | |
task: | |
name: SysmonTask-SYSMON_ERROR | |
value: 255 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee000000ff | |
message: Error report | |
task: | |
name: SysmonTask-SYSMON_CREATE_PROCESS | |
value: 1 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000001 | |
message: Process Create (rule: ProcessCreate) | |
task: | |
name: SysmonTask-SYSMON_FILE_TIME | |
value: 2 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000002 | |
message: File creation time changed (rule: FileCreateTime) | |
task: | |
name: SysmonTask-SYSMON_NETWORK_CONNECT | |
value: 3 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000003 | |
message: Network connection detected (rule: NetworkConnect) | |
task: | |
name: SysmonTask-SYSMON_SERVICE_STATE_CHANGE | |
value: 4 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000004 | |
message: Sysmon service state changed | |
task: | |
name: SysmonTask-SYSMON_PROCESS_TERMINATE | |
value: 5 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000005 | |
message: Process terminated (rule: ProcessTerminate) | |
task: | |
name: SysmonTask-SYSMON_DRIVER_LOAD | |
value: 6 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000006 | |
message: Driver loaded (rule: DriverLoad) | |
task: | |
name: SysmonTask-SYSMON_IMAGE_LOAD | |
value: 7 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000007 | |
message: Image loaded (rule: ImageLoad) | |
task: | |
name: SysmonTask-SYSMON_CREATE_REMOTE_THREAD | |
value: 8 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000008 | |
message: CreateRemoteThread detected (rule: CreateRemoteThread) | |
task: | |
name: SysmonTask-SYSMON_RAWACCESS_READ | |
value: 9 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000009 | |
message: RawAccessRead detected (rule: RawAccessRead) | |
task: | |
name: SysmonTask-SYSMON_ACCESS_PROCESS | |
value: 10 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000a | |
message: Process accessed (rule: ProcessAccess) | |
task: | |
name: SysmonTask-SYSMON_FILE_CREATE | |
value: 11 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000b | |
message: File created (rule: FileCreate) | |
task: | |
name: SysmonTask-SYSMON_REG_KEY | |
value: 12 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000c | |
message: Registry object added or deleted (rule: RegistryEvent) | |
task: | |
name: SysmonTask-SYSMON_REG_SETVALUE | |
value: 13 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000d | |
message: Registry value set (rule: RegistryEvent) | |
task: | |
name: SysmonTask-SYSMON_REG_NAME | |
value: 14 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000e | |
message: Registry object renamed (rule: RegistryEvent) | |
task: | |
name: SysmonTask-SYSMON_FILE_CREATE_STREAM_HASH | |
value: 15 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000f | |
message: File stream created (rule: FileCreateStreamHash) | |
task: | |
name: SysmonTask-SYSMON_SERVICE_CONFIGURATION_CHANGE | |
value: 16 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000010 | |
message: Sysmon config state changed | |
task: | |
name: SysmonTask-SYSMON_CREATE_NAMEDPIPE | |
value: 17 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000011 | |
message: Pipe Created (rule: PipeEvent) | |
task: | |
name: SysmonTask-SYSMON_CONNECT_NAMEDPIPE | |
value: 18 | |
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000012 | |
message: Pipe Connected (rule: PipeEvent) | |
keywords: | |
events: | |
event: | |
value: 1 | |
version: 5 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 1 | |
keywords: 0x8000000000000000 | |
message: Process Create: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
CommandLine: %5 | |
CurrentDirectory: %6 | |
User: %7 | |
LogonGuid: %8 | |
LogonId: %9 | |
TerminalSessionId: %10 | |
IntegrityLevel: %11 | |
Hashes: %12 | |
ParentProcessGuid: %13 | |
ParentProcessId: %14 | |
ParentImage: %15 | |
ParentCommandLine: %16 | |
event: | |
value: 2 | |
version: 4 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 2 | |
keywords: 0x8000000000000000 | |
message: File creation time changed: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
TargetFilename: %5 | |
CreationUtcTime: %6 | |
PreviousCreationUtcTime: %7 | |
event: | |
value: 3 | |
version: 5 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 3 | |
keywords: 0x8000000000000000 | |
message: Network connection detected: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
User: %5 | |
Protocol: %6 | |
Initiated: %7 | |
SourceIsIpv6: %8 | |
SourceIp: %9 | |
SourceHostname: %10 | |
SourcePort: %11 | |
SourcePortName: %12 | |
DestinationIsIpv6: %13 | |
DestinationIp: %14 | |
DestinationHostname: %15 | |
DestinationPort: %16 | |
DestinationPortName: %17 | |
event: | |
value: 4 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 4 | |
keywords: 0x8000000000000000 | |
message: Sysmon service state changed: | |
UtcTime: %1 | |
State: %2 | |
Version: %3 | |
SchemaVersion: %4 | |
event: | |
value: 5 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 5 | |
keywords: 0x8000000000000000 | |
message: Process terminated: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
event: | |
value: 6 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 6 | |
keywords: 0x8000000000000000 | |
message: Driver loaded: | |
UtcTime: %1 | |
ImageLoaded: %2 | |
Hashes: %3 | |
Signed: %4 | |
Signature: %5 | |
SignatureStatus: %6 | |
event: | |
value: 7 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 7 | |
keywords: 0x8000000000000000 | |
message: Image loaded: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
ImageLoaded: %5 | |
Hashes: %6 | |
Signed: %7 | |
Signature: %8 | |
SignatureStatus: %9 | |
event: | |
value: 8 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 8 | |
keywords: 0x8000000000000000 | |
message: CreateRemoteThread detected: | |
UtcTime: %1 | |
SourceProcessGuid: %2 | |
SourceProcessId: %3 | |
SourceImage: %4 | |
TargetProcessGuid: %5 | |
TargetProcessId: %6 | |
TargetImage: %7 | |
NewThreadId: %8 | |
StartAddress: %9 | |
StartModule: %10 | |
StartFunction: %11 | |
event: | |
value: 9 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 9 | |
keywords: 0x8000000000000000 | |
message: RawAccessRead detected: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
Device: %5 | |
event: | |
value: 10 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 10 | |
keywords: 0x8000000000000000 | |
message: Process accessed: | |
UtcTime: %1 | |
SourceProcessGUID: %2 | |
SourceProcessId: %3 | |
SourceThreadId: %4 | |
SourceImage: %5 | |
TargetProcessGUID: %6 | |
TargetProcessId: %7 | |
TargetImage: %8 | |
GrantedAccess: %9 | |
CallTrace: %10 | |
event: | |
value: 11 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 11 | |
keywords: 0x8000000000000000 | |
message: File created: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
TargetFilename: %5 | |
CreationUtcTime: %6 | |
event: | |
value: 12 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 12 | |
keywords: 0x8000000000000000 | |
message: Registry object added or deleted: | |
EventType: %1 | |
UtcTime: %2 | |
ProcessGuid: %3 | |
ProcessId: %4 | |
Image: %5 | |
TargetObject: %6 | |
event: | |
value: 13 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 13 | |
keywords: 0x8000000000000000 | |
message: Registry value set: | |
EventType: %1 | |
UtcTime: %2 | |
ProcessGuid: %3 | |
ProcessId: %4 | |
Image: %5 | |
TargetObject: %6 | |
Details: %7 | |
event: | |
value: 14 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 14 | |
keywords: 0x8000000000000000 | |
message: Registry object renamed: | |
EventType: %1 | |
UtcTime: %2 | |
ProcessGuid: %3 | |
ProcessId: %4 | |
Image: %5 | |
TargetObject: %6 | |
NewName: %7 | |
event: | |
value: 15 | |
version: 2 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 15 | |
keywords: 0x8000000000000000 | |
message: File stream created: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
Image: %4 | |
TargetFilename: %5 | |
CreationUtcTime: %6 | |
Hash: %7 | |
event: | |
value: 16 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 16 | |
keywords: 0x8000000000000000 | |
message: Sysmon config state changed: | |
UtcTime: %1 | |
Configuration: %2 | |
ConfigurationFileHash: %3 | |
event: | |
value: 17 | |
version: 1 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 17 | |
keywords: 0x8000000000000000 | |
message: Pipe Created: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
PipeName: %4 | |
Image: %5 | |
event: | |
value: 18 | |
version: 1 | |
opcode: 0 | |
channel: 16 | |
level: 4 | |
task: 18 | |
keywords: 0x8000000000000000 | |
message: Pipe Connected: | |
UtcTime: %1 | |
ProcessGuid: %2 | |
ProcessId: %3 | |
PipeName: %4 | |
Image: %5 | |
event: | |
value: 255 | |
version: 3 | |
opcode: 0 | |
channel: 16 | |
level: 2 | |
task: 255 | |
keywords: 0x8000000000000000 | |
message: Error report: | |
UtcTime: %1 | |
ID: %2 | |
Description: %3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>1</EventID> | |
<Version>5</Version> | |
<Level>4</Level> | |
<Task>1</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:41:25.730575500Z" /> | |
<EventRecordID>9</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="4656" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="UtcTime">2017-02-21 18:41:25.725</Data> | |
<Data Name="ProcessGuid">{DFB1C9EF-89D5-58AC-0000-0010EEDD0C00}</Data> | |
<Data Name="ProcessId">3272</Data> | |
<Data Name="Image">C:\Windows\System32\mmc.exe</Data> | |
<Data Name="CommandLine">"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s</Data> | |
<Data Name="CurrentDirectory">C:\Windows\system32\</Data> | |
<Data Name="User">DESKTOP-O3QJU3L\user</Data> | |
<Data Name="LogonGuid">{DFB1C9EF-8910-58AC-0000-0020D4480200}</Data> | |
<Data Name="LogonId">0x248d4</Data> | |
<Data Name="TerminalSessionId">1</Data> | |
<Data Name="IntegrityLevel">High</Data> | |
<Data Name="Hashes">SHA1=AAE83ECC4ABEE2E7567E2FF76B2B046C65336731,MD5=283BDCD7B83EEE614897619332E5B938,SHA256=17DD017B7E7D1DC835CDF5E57156A0FF508EBBC7F4A48E65D77E026C33FCB58E,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F</Data> | |
<Data Name="ParentProcessGuid">{DFB1C9EF-8911-58AC-0000-00102B8C0200}</Data> | |
<Data Name="ParentProcessId">2388</Data> | |
<Data Name="ParentImage">C:\Windows\explorer.exe</Data> | |
<Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>11</EventID> | |
<Version>2</Version> | |
<Level>4</Level> | |
<Task>11</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:42:22.078973800Z" /> | |
<EventRecordID>29</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="4656" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="UtcTime">2017-02-21 18:42:22.074</Data> | |
<Data Name="ProcessGuid">{DFB1C9EF-B338-58AC-0000-001081BD0000}</Data> | |
<Data Name="ProcessId">876</Data> | |
<Data Name="Image">C:\Windows\system32\svchost.exe</Data> | |
<Data Name="TargetFilename">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.235.3236.0.exe</Data> | |
<Data Name="CreationUtcTime">2017-02-21 18:42:22.074</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>12</EventID> | |
<Version>2</Version> | |
<Level>4</Level> | |
<Task>12</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:41:25.386462100Z" /> | |
<EventRecordID>6</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="4656" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="EventType">CreateKey</Data> | |
<Data Name="UtcTime">2017-02-21 18:41:25.370</Data> | |
<Data Name="ProcessGuid">{DFB1C9EF-8911-58AC-0000-00102B8C0200}</Data> | |
<Data Name="ProcessId">2388</Data> | |
<Data Name="Image">C:\Windows\Explorer.EXE</Data> | |
<Data Name="TargetObject">HKEY_USERS\S-1-5-21-734394340-2380731162-4032342150-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>13</EventID> | |
<Version>2</Version> | |
<Level>4</Level> | |
<Task>13</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:41:41.843242600Z" /> | |
<EventRecordID>10</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="4656" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="EventType">SetValue</Data> | |
<Data Name="UtcTime">2017-02-21 18:41:41.840</Data> | |
<Data Name="ProcessGuid">{DFB1C9EF-B336-58AC-0000-0010E2500000}</Data> | |
<Data Name="ProcessId">592</Data> | |
<Data Name="Image">C:\Windows\system32\services.exe</Data> | |
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</Data> | |
<Data Name="Details">DWORD (0x00000003)</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>16</EventID> | |
<Version>3</Version> | |
<Level>4</Level> | |
<Task>16</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:41:12.874210100Z" /> | |
<EventRecordID>1</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4772" ThreadID="4748" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-21-734394340-2380731162-4032342150-1001" /> | |
</System> | |
<EventData> | |
<Data Name="UtcTime">2017-02-21 18:41:12.871</Data> | |
<Data Name="Configuration">config.xml.txt</Data> | |
<Data Name="ConfigurationFileHash">SHA1=4DF0A30B182E6F181C574724FDE6AA11857DCC17</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>3</EventID> | |
<Version>5</Version> | |
<Level>4</Level> | |
<Task>3</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:42:05.590721200Z" /> | |
<EventRecordID>26</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="2164" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="UtcTime">2017-02-21 18:42:04.422</Data> | |
<Data Name="ProcessGuid">{DFB1C9EF-89FA-58AC-0000-0010FABC1100}</Data> | |
<Data Name="ProcessId">2324</Data> | |
<Data Name="Image">C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Data> | |
<Data Name="User">DESKTOP-O3QJU3L\user</Data> | |
<Data Name="Protocol">tcp</Data> | |
<Data Name="Initiated">true</Data> | |
<Data Name="SourceIsIpv6">false</Data> | |
<Data Name="SourceIp">10.0.42.89</Data> | |
<Data Name="SourceHostname">DESKTOP-O3QJU3L.lair</Data> | |
<Data Name="SourcePort">49925</Data> | |
<Data Name="SourcePortName" /> | |
<Data Name="DestinationIsIpv6">false</Data> | |
<Data Name="DestinationIp">40.117.100.83</Data> | |
<Data Name="DestinationHostname" /> | |
<Data Name="DestinationPort">443</Data> | |
<Data Name="DestinationPortName">https</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>4</EventID> | |
<Version>3</Version> | |
<Level>4</Level> | |
<Task>4</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:41:12.923641300Z" /> | |
<EventRecordID>2</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="4656" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="UtcTime">2017-02-21 18:41:12.917</Data> | |
<Data Name="State">Started</Data> | |
<Data Name="Version">6.00</Data> | |
<Data Name="SchemaVersion">3.30</Data> | |
</EventData> | |
</Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
<System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>5</EventID> | |
<Version>3</Version> | |
<Level>4</Level> | |
<Task>5</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2017-02-21T18:41:13.940905800Z" /> | |
<EventRecordID>4</EventRecordID> | |
<Correlation /> | |
<Execution ProcessID="4784" ThreadID="4656" /> | |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> | |
<Computer>DESKTOP-O3QJU3L</Computer> | |
<Security UserID="S-1-5-18" /> | |
</System> | |
<EventData> | |
<Data Name="UtcTime">2017-02-21 18:41:13.933</Data> | |
<Data Name="ProcessGuid">{DFB1C9EF-89C5-58AC-0000-001070D80B00}</Data> | |
<Data Name="ProcessId">4772</Data> | |
<Data Name="Image">C:\Users\user\Downloads\Sysmon\Sysmon64.exe</Data> | |
</EventData> | |
</Event> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment