Sysmon
Microsoft Sysmon is an advanced Windows event provider that records process, network and registry activity for forensics.
Enginsight Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.id | Unique identifier for the log entry. | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (89)
| Field | Description | Type |
|---|---|---|
| sysmon.EventID | Numeric identifier of the Sysmon event type (e.g., 1 = Process Create, 3 = Network Connection). | pint |
| sysmon.Computer | Hostname of the machine on which the event was recorded. | text_general |
| sysmon.EventName | Human-readable name corresponding to the EventID (e.g., ProcessCreate, FileCreate). | text_general |
| sysmon.Archived | Indicates whether the event came from an archived log file. | text_general |
| sysmon.CallTrace | Captured call stack or trace information at the time of the event. | text_general |
| sysmon.ClientInfo | Additional client context or metadata included with the event. | text_general |
| sysmon.CommandLine | Full command-line string used to launch the process (for Process Create events). | text_general |
| sysmon.Company | Company name embedded in the executable's metadata, if present. | text_general |
| sysmon.Configuration | Current Sysmon configuration XML text, as loaded when the service started. | text_general |
| sysmon.ConfigurationFileHash | Hash value of the loaded configuration file for integrity verification. | text_general |
| sysmon.Consumer | Identifier of the consumer (e.g., Windows Event Log) that received the event. | text_general |
| sysmon.Contents | Raw contents or payload associated with the event record. | text_general |
| sysmon.CreationUtcTime | UTC timestamp when the event was created by the Sysmon service. | text_general |
| sysmon.CurrentDirectory | Current working directory of the process at the time of the event. | text_general |
| sysmon.Description | Textual description or message associated with the event. | text_general |
| sysmon.Destination | Destination path or resource targeted by the event (e.g., file path, registry key). | text_general |
| sysmon.DestinationHostname | Resolved hostname of a remote endpoint (for network events). | text_general |
| sysmon.DestinationIp | IP address of the remote endpoint involved in the event. | text_general |
| sysmon.DestinationIsIpv6 | Boolean flag indicating if the destination IP is IPv6. | boolean |
| sysmon.DestinationPort | TCP/UDP port number used by the destination (for network events). | pint |
| sysmon.DestinationPortName | Resolved service name for the destination port (e.g., http, dns). | text_general |
| sysmon.Details | Additional detailed information provided by the event source. | text_general |
| sysmon.Device | Device identifier or name associated with the event (e.g., storage device). | text_general |
| sysmon.EventNamespace | Namespace or category grouping for the event type. | text_general |
| sysmon.EventType | Sub-type or classification of the main EventID. | text_general |
| sysmon.FileVersion | Version string from the executable file's metadata, if available. | text_general |
| sysmon.Filter | Name or identifier of any filter applied to include or exclude this event. | text_general |
| sysmon.GrantedAccess | Access rights granted in the event (e.g., ReadData, WriteData). | string |
| sysmon.Hash | Cryptographic hash of a single file or object. | text_general |
| sysmon.Hashes | List of cryptographic hashes (MD5, SHA1, SHA256) for the file or object. | text_general |
| sysmon.ID | Internal unique identifier assigned by Sysmon to each record. | text_general |
| sysmon.Image | Full path to the executable image involved in the event. | text_general |
| sysmon.ImageLoaded | Path of a module or driver image loaded into a process. | text_general |
| sysmon.Initiated | Boolean flag indicating if the action was initiated locally or remotely. | boolean |
| sysmon.IntegrityLevel | Integrity level of the process (e.g., High, Medium, Low). | text_general |
| sysmon.IsExecutable | Boolean indicating whether the target object is an executable file. | boolean |
| sysmon.LogonGuid | GUID representing the logon session for the event's process. | string |
| sysmon.LogonId | Identifier for the user logon session (e.g., 0x1234abcd). | string |
| sysmon.Name | Generic name field; context varies by event type (e.g., registry key name). | text_general |
| sysmon.NewName | New name assigned in rename operations (e.g., file rename). | text_general |
| sysmon.NewThreadId | Thread ID assigned to a newly created thread in a process. | plong |
| sysmon.Operation | Specific operation or sub-action description; context depends on event type. | text_general |
| sysmon.OriginalFileName | Original file name before any rename or move action. | text_general |
| sysmon.ParentCommandLine | Command-line string of the parent process, if applicable. | text_general |
| sysmon.ParentImage | Full path of the parent process executable image. | text_general |
| sysmon.ParentProcessGuid | GUID of the parent process that spawned the child process. | string |
| sysmon.ParentProcessId | Process ID of the parent process that created this event's process. | plong |
| sysmon.ParentUser | Username that ran the parent process. | text_general |
| sysmon.PipeName | Name of the named pipe involved in the event (for pipe events). | text_general |
| sysmon.PreviousCreationUtcTime | UTC timestamp of a prior creation time for a renamed or replaced object. | text_general |
| sysmon.ProcessGuid | GUID uniquely identifying the process instance. | string |
| sysmon.ProcessId | Process ID assigned by the operating system. | plong |
| sysmon.Product | Product name from the executable's metadata, if available. | text_general |
| sysmon.Protocol | Network protocol used (e.g., TCP, UDP) for network-related events. | text_general |
| sysmon.Query | WMI or registry query string used in query events. | text_general |
| sysmon.QueryName | Identifier or name given to a WMI or registry query. | text_general |
| sysmon.QueryResults | Results returned by a WMI or registry query. | text_general |
| sysmon.QueryStatus | Status code or message for a WMI or registry query execution. | text_general |
| sysmon.RuleName | Name of the Sysmon rule that matched or triggered the event. | text_general |
| sysmon.SchemaVersion | Version of the Sysmon event schema. | text_general |
| sysmon.Session | Session ID (e.g., logon session) associated with the event. | plong |
| sysmon.Signature | Digital signature information of the executable, if present. | text_general |
| sysmon.SignatureStatus | Verification status of the digital signature (e.g., Valid, Invalid). | text_general |
| sysmon.Signed | Boolean indicating whether the executable was signed. | text_general |
| sysmon.SourceHostname | Hostname of the source endpoint for network events. | text_general |
| sysmon.SourceImage | Path of the source image or module that initiated the action. | text_general |
| sysmon.SourceIp | IP address of the source endpoint involved in the event. | text_general |
| sysmon.SourceIsIpv6 | Boolean flag indicating if the source IP is IPv6. | boolean |
| sysmon.SourcePort | TCP/UDP port number used by the source (for network events). | pint |
| sysmon.SourcePortName | Resolved service name for the source port. | text_general |
| sysmon.SourceProcessGuid | GUID of the process that acted as the source in this event. | string |
| sysmon.SourceProcessId | Process ID of the source process that generated the event. | plong |
| sysmon.SourceThreadId | Thread ID within the source process that generated the event. | plong |
| sysmon.SourceUser | Username under which the source action was performed. | text_general |
| sysmon.StartAddress | Memory address where execution began (for image load events). | text_general |
| sysmon.StartFunction | Function name at the start address in a loaded module. | text_general |
| sysmon.StartModule | Module name at the start address in a loaded image. | text_general |
| sysmon.State | State or status of the object or operation at event time. | text_general |
| sysmon.TargetFilename | Filename of the target object in the event. | text_general |
| sysmon.TargetImage | Executable image name of the target process or module. | text_general |
| sysmon.TargetObject | Generic name or path of the target object (e.g., registry key, file). | text_general |
| sysmon.TargetProcessGuid | GUID of the process targeted by the action. | string |
| sysmon.TargetProcessId | Process ID of the target process in the event. | plong |
| sysmon.TargetUser | Username associated with the target process or object. | text_general |
| sysmon.TerminalSessionId | ID of the terminal session (e.g., RDP) where the event occurred. | string |
| sysmon.Type | Subtype designation of the event within its category. | text_general |
| sysmon.User | Username under which the event-generating process ran. | text_general |
| sysmon.UtcTime | UTC timestamp of the event as recorded by Sysmon. | text_general |
| sysmon.Version | Sysmon driver/service version that generated the event. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they are emitted by the system. Depending on the context of the event, some fields may be omitted if they are not applicable.