Sysmon Cheatsheet

The document contains details of various event logs recorded by Sysmon, a system monitor tool. It describes event details like the process/image involved, user account, time, and other context for events like process creation, termination, driver/image loading, process access between different processes, and file creation. The logs provide visibility into system activities and events around processes, files, and other objects for monitoring and security purposes.


EventID 1 Process Create
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that got spawned/created (child)
ProcessId: Process ID used by the OS to identify the created process (child)
Image: File path of the process being spawned/created. Considered also the child or source process
FileVersion: Version of the image associated with the main process (child)
Description: Description of the image associated with the main process (child)
Product: Product name the image associated with the main process (child) belongs to
OriginalFileName: OriginalFileName from the PE header, added on compilation
Company: Company name the image associated with the main process (child) belongs to
CommandLine: Arguments which were passed to the executable associated with the main process
CurrentDirectory: The path without the name of the image associated with the process
User: Name of the account that created the process (child). It usually contains domain name and username
LogonGuid: Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID
LogonId: Login ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID
TerminalSessionId: ID of the session the user belongs to
IntegrityLevel: Integrity label assigned to a process
Hashes: Full hash of the file with the algorithms in the HashType field
ParentProcessGuid: ProcessGUID of the process that spawned/created the main process (child)
ParentProcessId: Process ID of the process that spawned/created the main process (child)
ParentImage: File path that spawned/created the main process
ParentCommandLine: Arguments which were passed to the executable associated with the parent process
ParentUser: Name of the account that created the parent process. It usually contains domain name and username

EventID 2 File creation time changed
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that changed the file creation time
ProcessId: Process ID used by the OS to identify the process changing the file creation time
Image: File path of the process that changed the file creation time
TargetFilename: Full path name of the file
CreationUtcTime: New creation time of the file
PreviousCreationUtcTime: Previous creation time of the file
User: Name of the account that created the file. It usually contains domain name and username

EventID 3 Network connection
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that made the network connection
ProcessId: Process ID used by the OS to identify the process that made the network connection
Image: File path of the process that made the network connection
User: Name of the account who made the network connection
Protocol: Protocol being used for the network connection
Initiated: Indicates whether the process initiated the TCP connection
SourceIsIpv6: Is the source IP an Ipv6 address
SourceIp: Source IP address that made the network connection
SourceHostname: DNS name of the host that made the network connection
SourcePort: Source port number
SourcePortName: Name of the source port being used
DestinationIsIpv6: Is the destination IP an Ipv6 address
DestinationIp: IP address destination
DestinationHostname: DNS name of the host that is contacted
DestinationPort: Destination port number
DestinationPortName: Name of the destination port

EventID 4 Sysmon service state changed
UtcTime: Time in UTC when event was created
State: Sysmon service state
Version: Sysmon binary version
SchemaVersion: Sysmon config schema version

EventID 5 Process terminated
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that terminated
ProcessId: Process ID used by the OS to identify the process that terminated
Image: File path of the executable of the process that terminated
User: Name of the account that created the process. It usually contains domain name and username

EventID 6 Kernel driver loaded
UtcTime: Time in UTC when event was created
ImageLoaded: File path of the driver loaded
Hashes: Hashes captured by Sysmon driver
Signed: Is the driver loaded signed
Signature: Signer name of the driver
SignatureStatus: Status of the signature

EventID 7 Image loaded
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that loaded the image
ProcessId: Process ID used by the OS to identify the process that loaded the image
Image: File path of the process that loaded the image
ImageLoaded: Path of the image loaded
FileVersion: Version of the image loaded
Description: Description of the image loaded
Product: Product name the image loaded belongs to
Company: Company name the image loaded belongs to
OriginalFileName: OriginalFileName from the PE header, added on compilation
Hashes: Full hash of the file with the algorithms in the HashType field
Signed: State whether the image loaded is signed
Signature: The signer name
SignatureStatus: Status of the signature
User: Name of the account that loaded the image. It usually contains domain name and username

EventID 8 Remote thread
UtcTime: Time in UTC when event was created
SourceProcessGuid: Process Guid of the source process that created a thread in another process
SourceProcessId: Process ID used by the OS to identify the source process that created a thread in another process
SourceImage: File path of the source process that created a thread in another process
TargetProcessGuid: Process Guid of the target process
TargetProcessId: Process ID used by the OS to identify the target process
TargetImage: File path of the target process
NewThreadId: Id of the new thread created in the target process
StartAddress: New thread start address
StartModule: Start module determined from thread start address mapping to PEB loaded module list
StartFunction: Start function is reported if exact match to function in image export tables
SourceUser: Name of the account for which the process that started the remote thread runs
TargetUser: Name of the account for which the process the thread was started in runs

EventID 9 Raw access read
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that conducted reading operations from the drive
ProcessId: Process ID used by the OS to identify the process that conducted reading operations from the drive
Image: File path of the process that conducted reading operations from the drive
Device: Target device
User: Name of the account that accessed the disk. It usually contains domain name and username

EventID 10 Process Access
UtcTime: Time in UTC when event was created
SourceProcessGUID: Process Guid of the source process that opened another process. It is derived from a truncated part of the machine GUID, the process start-time and the process token ID.
SourceProcessId: Process ID used by the OS to identify the source process that opened another process. Derived partially from the EPROCESS kernel structure
SourceThreadId: ID of the specific thread inside of the source process that opened another process
SourceImage: File path of the source process that created a thread in another process
TargetProcessGUID: Process Guid of the target process
TargetProcessId: Process ID used by the OS to identify the target process
TargetImage: File path of the executable of the target process
GrantedAccess: The access flags (bitmask) associated with the process rights requested for the target process
CallTrace: Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call
SourceUser: Name of the account that runs the source process.
TargetUser: Name of the account that runs the targeted process which is accessed

EventID 11 File create
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that created the file
ProcessId: Process ID used by the OS to identify the process that created the file (child)
Image: File path of the process that created the file
TargetFilename: Name of the file that was created
CreationUtcTime: File creation time
User: Name of the account that created the file. It usually contains domain name and username

EventID 12 Registry event (Object create and delete)
UtcTime: Time in UTC when event was created
EventType: CreateKey or DeleteKey
ProcessGuid: Process Guid of the process that created or deleted a registry key
ProcessId: Process ID used by the OS to identify the process that created or deleted a registry key
Image: File path of the process that created or deleted a registry key
TargetObject: Complete path of the registry key
User: Name of the account that accessed the registry. It usually contains domain name and username

EventID 13 Registry event (Value set)
UtcTime: Time in UTC when event was created
EventType: SetValue
ProcessGuid: Process Guid of the process that modified a registry value
ProcessId: Process ID used by the OS to identify the process that modified a registry value
Image: File path of the process that modified a registry value
TargetObject: Complete path of the modified registry key
Details: Details added to the registry key
User: Name of the account that accessed the registry. It usually contains domain name and username

EventID 14 Registry event (Key and value rename)
UtcTime: Time in UTC when event was created
EventType: RenameKey
ProcessGuid: Process Guid of the process that renamed a registry value and key
ProcessId: Process ID used by the OS to identify the process that renamed a registry value and key
Image: File path of the process that renamed a registry value and key
TargetObject: Complete path of the renamed registry key
NewName: New name of the registry key
User: Name of the account that accessed the registry. It usually contains domain name and username
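The GrantedAccess and CallTrace fields of EventID 10 are the two an analyst usually has to take apart by hand. As an added example that is not part of the cheat sheet, the Python below parses a constructed Sysmon event record (Windows event XML layout; paths, PIDs and addresses are made up) and splits both fields into their parts, using the PROCESS_* right values from winnt.h and the "module+rva|..." form of CallTrace.

```python
"""Parse Sysmon event XML and decode the EventID 10 GrantedAccess mask.
Added example, not from the cheat sheet; the record below is a constructed
sample in the Windows event XML layout (paths, PIDs and addresses made up)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access rights from winnt.h that make up a GrantedAccess mask.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

SAMPLE_EVENT_10 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\\Tools\\example.exe</Data>
    <Data Name="TargetImage">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="GrantedAccess">0x1010</Data>
    <Data Name="CallTrace">C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|C:\\Tools\\example.exe+1a2b|UNKNOWN(00007FF6A1B20000)</Data>
  </EventData>
</Event>"""

def parse_sysmon_event(xml_text):
    """Return {'EventID': int, <Data Name>: text, ...} for one event record."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event

def decode_granted_access(value):
    """Split a GrantedAccess string such as '0x1010' into named rights."""
    mask = int(value, 16)
    names = [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(ACCESS_RIGHTS)  # bits outside the table, e.g. standard rights
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:x}")
    return names

def split_call_trace(trace):
    """Turn 'module+rva|...|UNKNOWN(addr)' into (module, rva); unmapped frames get None."""
    frames = []
    for frame in trace.split("|"):
        module, plus, rva = frame.rpartition("+")
        frames.append((module, int(rva, 16)) if plus else (frame, None))
    return frames

if __name__ == "__main__":
    ev = parse_sysmon_event(SAMPLE_EVENT_10)
    print(ev["SourceImage"], "->", ev["TargetImage"], decode_granted_access(ev["GrantedAccess"]), split_call_trace(ev["CallTrace"]))
```

Rights that fall outside the table (for example the standard rights in a 0x1F0FFF PROCESS_ALL_ACCESS request) are reported as one UNKNOWN_ entry so nothing in the mask is silently dropped.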
EventID 15 File create stream hash
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that created the named file stream
ProcessId: Process ID used by the OS to identify the process that created the named file stream
Image: File path of the process that created the named file stream
TargetFilename: Name of the file
CreationUtcTime: File download time
Hash: Full hash of the file with the algorithms in the HashType field
User: Name of the account that created the file. It usually contains domain name and username

EventID 16 Sysmon config state changed
UtcTime: Time in UTC when event was created
Configuration: File path of the Sysmon config file being updated
ConfigurationFileHash: Hash (SHA1) of the Sysmon config file being updated

EventID 17 Pipe event (Pipe created)
UtcTime: Time in UTC when event was created
EventType: CreatePipe
ProcessGuid: Process Guid of the process that created the named file stream
ProcessId: Process ID used by the OS to identify the process that created the named file stream
PipeName: Name of the pipe created
Image: File path of the process that created the pipe
User: Name of the account that created the pipe. It usually contains domain name and username

EventID 18 Pipe event (Pipe Connected)
UtcTime: Time in UTC when event was created
EventType: ConnectPipe
ProcessGuid: Process Guid of the process that created the named file stream
ProcessId: Process ID used by the OS to identify the process that created the named file stream
PipeName: Name of the pipe created
Image: File path of the process that created the pipe
User: Name of the account that connected to the pipe. It usually contains domain name and username

EventID 19 WMI event (WmiEventFilter activity detected)
UtcTime: Time in UTC when event was created
EventType: WmiFilterEvent
Operation: WMI Event filter operation
User: User that created the WMI filter
EventNamespace: Event Namespace of the WMI class
Name: Name of the created filter
Query: WMI query tied to the filter

EventID 20 WMI event (WmiEventConsumer activity detected)
UtcTime: Time in UTC when event was created
EventType: WmiConsumerEvent
Operation: WMI Event consumer operation
User: User that created the WMI event consumer
Name: Name of the event consumer created
Type: Type of event consumer
Destination: Process executed by the consumer

EventID 21 WMI event (WmiEventConsumerToFilter activity detected)
UtcTime: Time in UTC when event was created
EventType: WmiBindingEvent
Operation: WMI Filter to Event consumer binding operation
User: User that created the WMI event consumer
Consumer: Consumer to bind
Filter: Filter to bind to the Consumer

EventID 22 DNS
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that made the DNS query
ProcessId: Process ID used by the OS to identify the process that made the DNS query
QueryName: DNS name that was queried
QueryStatus: Query result status code
QueryResults: Results of the query
Image: File path of the process that made the DNS query
User: Name of the account that made the DNS query. It usually contains domain name and username

EventID 23 File Delete event
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that deleted the file
ProcessId: Process ID used by the OS to identify the process that deleted the file
User: Name of the account that deleted the file. It usually contains domain name and username
Image: File path of the process that deleted the file
TargetFilename: The path of the deleted file
Hashes: The hashes of the file, types set in the config. This also determines the stored filename
IsExecutable: Boolean statement whether the file is a PE file
Archived: Boolean statement whether the file was stored in the configured archive folder

EventID 24 Clipboard event
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that added data to the clipboard
ProcessId: Process ID used by the OS to identify the process that added data to the clipboard
Image: File path of the process that added data to the clipboard
Session: Terminal Session ID
ClientInfo: Username and hostname of the originating RDP host, if capturable
Hashes: The hashes of the clipboard data, types set in the config. This also determines the stored filename
Archived: Boolean statement whether the file was stored in the configured archive folder
User: Name of the account that added data to the clipboard.

EventID 25 Process Tampering
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that was tampered with
ProcessId: Process ID used by the OS to identify the process that was tampered with
Image: File path of the process that was tampered with
Type: The type of tampering detected
User: Name of the account in whose user context the tampered process runs

EventID 26 File Delete Detected
UtcTime: Time in UTC when event was created
ProcessGuid: Process Guid of the process that deleted the file
ProcessId: Process ID used by the OS to identify the process that deleted the file
User: Name of the account that deleted the file. It usually contains domain name and username
Image: File path of the process that deleted the file
TargetFilename: The path of the deleted file
Hashes: The hashes of the file, types set in the config. This also determines the stored filename
IsExecutable: Boolean statement whether the file is a PE file

EventID 255 Sysmon error
UtcTime: Time in UTC when event was created
ID: Error code
Description: Error description

Universal for all events
RuleName: Name of the configured rule

Configuration options
ArchiveDirectory: Name of the archive directory
CaptureClipboard: Boolean setting, defines whether clipboard monitoring is enabled
DriverName: Custom name of the Sysmon driver
HashAlgorithms: Type of hashes to store for (Image) files and stored archive file
DnsLookup: Boolean setting, defines whether Sysmon should do a reverse lookup on IP addresses
CheckRevocation: Boolean setting, defines whether certificates are validated. Can be performance intensive
FieldSizes: Define the max field value size

Filter options
is, is not, contains, contains any, is any, contains all, excludes, excludes any, excludes all, begin with, not begin with, end with, not end with, less than, more than, image

Credits
Creator: Olaf Hartong (@olafhartong), FalconForce (@falconforceteam)
