# Sysmon Event Logs

## Data Dictionaries

| EventID | Name | Description |
|---|---|---|
| 1 | Process creation | Information about a newly created process |
| 2 | A process changed a file creation time | File creation time is explicitly modified by a process |
| 3 | Network connection | The network connection event logs TCP/UDP connections on the machine |
| 4 | Sysmon service state changed | Reports the state of the Sysmon service (started or stopped) |
| 5 | Process terminated | Reports when a process terminates |
| 6 | Driver loaded | Information about a driver being loaded on the system |
| 7 | Image loaded | Logs when a module is loaded in a specific process |
| 8 | CreateRemoteThread | Detects when a process creates a thread in another process |
| 9 | RawAccessRead | Detects when a process conducts reading operations from the drive using the `\\.\` denotation |
| 10 | ProcessAccess | Reports when a process opens another process |
| 11 | FileCreate | File create operations are logged when a file is created or overwritten |
| 12 | RegistryEvent (Object create and delete) | Registry key and value create and delete operations map to this event type |
| 13 | RegistryEvent (Value Set) | This Registry event type identifies Registry value modifications |
| 14 | RegistryEvent (Key and Value Rename) | Registry key and value rename operations map to this event type |
| 15 | FileCreateStreamHash | This event logs when a named file stream is created |
| 16 | Sysmon Config State Changed | This event logs when the local Sysmon configuration is updated |
| 17 | PipeEvent - Pipe Created | This event is generated when a named pipe is created |
| 18 | PipeEvent - Pipe Connected | This event logs when a named pipe connection is made between a client and a server |
| 19 | WmiEvent - WmiEventFilter activity detected | This event logs when a WMI event filter is registered |
| 20 | WmiEvent - WmiEventConsumer activity detected | This event logs the registration of WMI consumers, recording the consumer name, log, and destination |
| 21 | WmiEvent - WmiEventConsumerToFilter activity detected | This event logs when a consumer binds to a filter, recording the consumer name and filter path |