Data Source: Sysmon EventID 12

Date: 2024-07-18

ID: 3ef28798-8eaa-4fd2-b074-6f36d08a1b33

Author: Patrick Bareiss, Splunk

Description

Data source object for Sysmon EventID 12

Details

Property	Value
Source	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sourcetype	`xmlwineventlog`
Separator	EventID

Supported Apps

Splunk Add-on for Sysmon (version 4.0.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">EventChannel</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventDescription</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">EventType</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Image</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessGuid</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">ProcessId</span>
  
  <span class="pill kill-chain">RecordID</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">RuleName</span>
  
  <span class="pill kill-chain">SecurityID</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">TargetObject</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">TimeCreated</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">UtcTime</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">object_path</span>
  
  <span class="pill kill-chain">process_exec</span>
  
  <span class="pill kill-chain">process_guid</span>
  
  <span class="pill kill-chain">process_id</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">process_path</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">registry_hive</span>
  
  <span class="pill kill-chain">registry_key_name</span>
  
  <span class="pill kill-chain">registry_path</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">tag::object_category</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>12</EventID><Version>2</Version><Level>4</Level><Task>12</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-07-12T08:10:32.607068200Z'/><EventRecordID>1055579</EventRecordID><Correlation/><Execution ProcessID='1152' ThreadID='1212'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-890.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>DeleteKey</Data><Data Name='UtcTime'>2021-07-12 08:10:32.592</Data><Data Name='ProcessGuid'>{466BC892-F8F2-60EB-107E-00000000CF01}</Data><Data Name='ProcessId'>10188</Data><Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TargetObject'>HKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command</Data></EventData></Event>

Source: GitHub | Version: 1