Example events from Sysmon
# generate via: wevtutil gp Microsoft-Windows-Sysmon /getevents /getmessage
name: Microsoft-Windows-Sysmon
guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9
helpLink:
resourceFileName: C:\Windows\Sysmon.exe
messageFileName: C:\Windows\Sysmon.exe
message:
channels:
channel:
name: Microsoft-Windows-Sysmon/Operational
id: 16
flags: 0
message:
levels:
level:
name: win:Error
value: 2
message: Error
level:
name: win:Informational
value: 4
message: Information
opcodes:
opcode:
name: win:Info
value: 0
task: 0
opcode: 0
message: Info
tasks:
task:
name: SysmonTask-SYSMON_ERROR
value: 255
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee000000ff
message: Error report
task:
name: SysmonTask-SYSMON_CREATE_PROCESS
value: 1
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000001
message: Process Create (rule: ProcessCreate)
task:
name: SysmonTask-SYSMON_FILE_TIME
value: 2
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000002
message: File creation time changed (rule: FileCreateTime)
task:
name: SysmonTask-SYSMON_NETWORK_CONNECT
value: 3
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000003
message: Network connection detected (rule: NetworkConnect)
task:
name: SysmonTask-SYSMON_SERVICE_STATE_CHANGE
value: 4
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000004
message: Sysmon service state changed
task:
name: SysmonTask-SYSMON_PROCESS_TERMINATE
value: 5
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000005
message: Process terminated (rule: ProcessTerminate)
task:
name: SysmonTask-SYSMON_DRIVER_LOAD
value: 6
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000006
message: Driver loaded (rule: DriverLoad)
task:
name: SysmonTask-SYSMON_IMAGE_LOAD
value: 7
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000007
message: Image loaded (rule: ImageLoad)
task:
name: SysmonTask-SYSMON_CREATE_REMOTE_THREAD
value: 8
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000008
message: CreateRemoteThread detected (rule: CreateRemoteThread)
task:
name: SysmonTask-SYSMON_RAWACCESS_READ
value: 9
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000009
message: RawAccessRead detected (rule: RawAccessRead)
task:
name: SysmonTask-SYSMON_ACCESS_PROCESS
value: 10
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000a
message: Process accessed (rule: ProcessAccess)
task:
name: SysmonTask-SYSMON_FILE_CREATE
value: 11
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000b
message: File created (rule: FileCreate)
task:
name: SysmonTask-SYSMON_REG_KEY
value: 12
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000c
message: Registry object added or deleted (rule: RegistryEvent)
task:
name: SysmonTask-SYSMON_REG_SETVALUE
value: 13
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000d
message: Registry value set (rule: RegistryEvent)
task:
name: SysmonTask-SYSMON_REG_NAME
value: 14
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000e
message: Registry object renamed (rule: RegistryEvent)
task:
name: SysmonTask-SYSMON_FILE_CREATE_STREAM_HASH
value: 15
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee0000000f
message: File stream created (rule: FileCreateStreamHash)
task:
name: SysmonTask-SYSMON_SERVICE_CONFIGURATION_CHANGE
value: 16
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000010
message: Sysmon config state changed
task:
name: SysmonTask-SYSMON_CREATE_NAMEDPIPE
value: 17
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000011
message: Pipe Created (rule: PipeEvent)
task:
name: SysmonTask-SYSMON_CONNECT_NAMEDPIPE
value: 18
eventGUID: c511ffb3-9fbf-45f5-a97b-9bee00000012
message: Pipe Connected (rule: PipeEvent)
keywords:
events:
event:
value: 1
version: 5
opcode: 0
channel: 16
level: 4
task: 1
keywords: 0x8000000000000000
message: Process Create:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
CommandLine: %5
CurrentDirectory: %6
User: %7
LogonGuid: %8
LogonId: %9
TerminalSessionId: %10
IntegrityLevel: %11
Hashes: %12
ParentProcessGuid: %13
ParentProcessId: %14
ParentImage: %15
ParentCommandLine: %16
event:
value: 2
version: 4
opcode: 0
channel: 16
level: 4
task: 2
keywords: 0x8000000000000000
message: File creation time changed:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
TargetFilename: %5
CreationUtcTime: %6
PreviousCreationUtcTime: %7
event:
value: 3
version: 5
opcode: 0
channel: 16
level: 4
task: 3
keywords: 0x8000000000000000
message: Network connection detected:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
User: %5
Protocol: %6
Initiated: %7
SourceIsIpv6: %8
SourceIp: %9
SourceHostname: %10
SourcePort: %11
SourcePortName: %12
DestinationIsIpv6: %13
DestinationIp: %14
DestinationHostname: %15
DestinationPort: %16
DestinationPortName: %17
event:
value: 4
version: 3
opcode: 0
channel: 16
level: 4
task: 4
keywords: 0x8000000000000000
message: Sysmon service state changed:
UtcTime: %1
State: %2
Version: %3
SchemaVersion: %4
event:
value: 5
version: 3
opcode: 0
channel: 16
level: 4
task: 5
keywords: 0x8000000000000000
message: Process terminated:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
event:
value: 6
version: 3
opcode: 0
channel: 16
level: 4
task: 6
keywords: 0x8000000000000000
message: Driver loaded:
UtcTime: %1
ImageLoaded: %2
Hashes: %3
Signed: %4
Signature: %5
SignatureStatus: %6
event:
value: 7
version: 3
opcode: 0
channel: 16
level: 4
task: 7
keywords: 0x8000000000000000
message: Image loaded:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
ImageLoaded: %5
Hashes: %6
Signed: %7
Signature: %8
SignatureStatus: %9
event:
value: 8
version: 2
opcode: 0
channel: 16
level: 4
task: 8
keywords: 0x8000000000000000
message: CreateRemoteThread detected:
UtcTime: %1
SourceProcessGuid: %2
SourceProcessId: %3
SourceImage: %4
TargetProcessGuid: %5
TargetProcessId: %6
TargetImage: %7
NewThreadId: %8
StartAddress: %9
StartModule: %10
StartFunction: %11
event:
value: 9
version: 2
opcode: 0
channel: 16
level: 4
task: 9
keywords: 0x8000000000000000
message: RawAccessRead detected:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
Device: %5
event:
value: 10
version: 3
opcode: 0
channel: 16
level: 4
task: 10
keywords: 0x8000000000000000
message: Process accessed:
UtcTime: %1
SourceProcessGUID: %2
SourceProcessId: %3
SourceThreadId: %4
SourceImage: %5
TargetProcessGUID: %6
TargetProcessId: %7
TargetImage: %8
GrantedAccess: %9
CallTrace: %10
event:
value: 11
version: 2
opcode: 0
channel: 16
level: 4
task: 11
keywords: 0x8000000000000000
message: File created:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
TargetFilename: %5
CreationUtcTime: %6
event:
value: 12
version: 2
opcode: 0
channel: 16
level: 4
task: 12
keywords: 0x8000000000000000
message: Registry object added or deleted:
EventType: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
TargetObject: %6
event:
value: 13
version: 2
opcode: 0
channel: 16
level: 4
task: 13
keywords: 0x8000000000000000
message: Registry value set:
EventType: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
TargetObject: %6
Details: %7
event:
value: 14
version: 2
opcode: 0
channel: 16
level: 4
task: 14
keywords: 0x8000000000000000
message: Registry object renamed:
EventType: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
TargetObject: %6
NewName: %7
event:
value: 15
version: 2
opcode: 0
channel: 16
level: 4
task: 15
keywords: 0x8000000000000000
message: File stream created:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
Image: %4
TargetFilename: %5
CreationUtcTime: %6
Hash: %7
event:
value: 16
version: 3
opcode: 0
channel: 16
level: 4
task: 16
keywords: 0x8000000000000000
message: Sysmon config state changed:
UtcTime: %1
Configuration: %2
ConfigurationFileHash: %3
event:
value: 17
version: 1
opcode: 0
channel: 16
level: 4
task: 17
keywords: 0x8000000000000000
message: Pipe Created:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
PipeName: %4
Image: %5
event:
value: 18
version: 1
opcode: 0
channel: 16
level: 4
task: 18
keywords: 0x8000000000000000
message: Pipe Connected:
UtcTime: %1
ProcessGuid: %2
ProcessId: %3
PipeName: %4
Image: %5
event:
value: 255
version: 3
opcode: 0
channel: 16
level: 2
task: 255
keywords: 0x8000000000000000
message: Error report:
UtcTime: %1
ID: %2
Description: %3
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:41:25.730575500Z" />
<EventRecordID>9</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="4656" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-02-21 18:41:25.725</Data>
<Data Name="ProcessGuid">{DFB1C9EF-89D5-58AC-0000-0010EEDD0C00}</Data>
<Data Name="ProcessId">3272</Data>
<Data Name="Image">C:\Windows\System32\mmc.exe</Data>
<Data Name="CommandLine">"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s</Data>
<Data Name="CurrentDirectory">C:\Windows\system32\</Data>
<Data Name="User">DESKTOP-O3QJU3L\user</Data>
<Data Name="LogonGuid">{DFB1C9EF-8910-58AC-0000-0020D4480200}</Data>
<Data Name="LogonId">0x248d4</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">High</Data>
<Data Name="Hashes">SHA1=AAE83ECC4ABEE2E7567E2FF76B2B046C65336731,MD5=283BDCD7B83EEE614897619332E5B938,SHA256=17DD017B7E7D1DC835CDF5E57156A0FF508EBBC7F4A48E65D77E026C33FCB58E,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F</Data>
<Data Name="ParentProcessGuid">{DFB1C9EF-8911-58AC-0000-00102B8C0200}</Data>
<Data Name="ParentProcessId">2388</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
<Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:42:22.078973800Z" />
<EventRecordID>29</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="4656" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-02-21 18:42:22.074</Data>
<Data Name="ProcessGuid">{DFB1C9EF-B338-58AC-0000-001081BD0000}</Data>
<Data Name="ProcessId">876</Data>
<Data Name="Image">C:\Windows\system32\svchost.exe</Data>
<Data Name="TargetFilename">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.235.3236.0.exe</Data>
<Data Name="CreationUtcTime">2017-02-21 18:42:22.074</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:41:25.386462100Z" />
<EventRecordID>6</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="4656" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="EventType">CreateKey</Data>
<Data Name="UtcTime">2017-02-21 18:41:25.370</Data>
<Data Name="ProcessGuid">{DFB1C9EF-8911-58AC-0000-00102B8C0200}</Data>
<Data Name="ProcessId">2388</Data>
<Data Name="Image">C:\Windows\Explorer.EXE</Data>
<Data Name="TargetObject">HKEY_USERS\S-1-5-21-734394340-2380731162-4032342150-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:41:41.843242600Z" />
<EventRecordID>10</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="4656" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2017-02-21 18:41:41.840</Data>
<Data Name="ProcessGuid">{DFB1C9EF-B336-58AC-0000-0010E2500000}</Data>
<Data Name="ProcessId">592</Data>
<Data Name="Image">C:\Windows\system32\services.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</Data>
<Data Name="Details">DWORD (0x00000003)</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>16</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:41:12.874210100Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="4772" ThreadID="4748" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-21-734394340-2380731162-4032342150-1001" />
</System>
<EventData>
<Data Name="UtcTime">2017-02-21 18:41:12.871</Data>
<Data Name="Configuration">config.xml.txt</Data>
<Data Name="ConfigurationFileHash">SHA1=4DF0A30B182E6F181C574724FDE6AA11857DCC17</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:42:05.590721200Z" />
<EventRecordID>26</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="2164" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-02-21 18:42:04.422</Data>
<Data Name="ProcessGuid">{DFB1C9EF-89FA-58AC-0000-0010FABC1100}</Data>
<Data Name="ProcessId">2324</Data>
<Data Name="Image">C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Data>
<Data Name="User">DESKTOP-O3QJU3L\user</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">10.0.42.89</Data>
<Data Name="SourceHostname">DESKTOP-O3QJU3L.lair</Data>
<Data Name="SourcePort">49925</Data>
<Data Name="SourcePortName" />
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">40.117.100.83</Data>
<Data Name="DestinationHostname" />
<Data Name="DestinationPort">443</Data>
<Data Name="DestinationPortName">https</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:41:12.923641300Z" />
<EventRecordID>2</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="4656" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-02-21 18:41:12.917</Data>
<Data Name="State">Started</Data>
<Data Name="Version">6.00</Data>
<Data Name="SchemaVersion">3.30</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-02-21T18:41:13.940905800Z" />
<EventRecordID>4</EventRecordID>
<Correlation />
<Execution ProcessID="4784" ThreadID="4656" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-O3QJU3L</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-02-21 18:41:13.933</Data>
<Data Name="ProcessGuid">{DFB1C9EF-89C5-58AC-0000-001070D80B00}</Data>
<Data Name="ProcessId">4772</Data>
<Data Name="Image">C:\Users\user\Downloads\Sysmon\Sysmon64.exe</Data>
</EventData>
</Event>