<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">Channel</span>
<span class="pill kill-chain">CommandLine</span>
<span class="pill kill-chain">Company</span>
<span class="pill kill-chain">Computer</span>
<span class="pill kill-chain">CurrentDirectory</span>
<span class="pill kill-chain">Description</span>
<span class="pill kill-chain">EventChannel</span>
<span class="pill kill-chain">EventCode</span>
<span class="pill kill-chain">EventData_Xml</span>
<span class="pill kill-chain">EventDescription</span>
<span class="pill kill-chain">EventID</span>
<span class="pill kill-chain">EventRecordID</span>
<span class="pill kill-chain">FileVersion</span>
<span class="pill kill-chain">Guid</span>
<span class="pill kill-chain">Hashes</span>
<span class="pill kill-chain">IMPHASH</span>
<span class="pill kill-chain">Image</span>
<span class="pill kill-chain">IntegrityLevel</span>
<span class="pill kill-chain">Keywords</span>
<span class="pill kill-chain">Level</span>
<span class="pill kill-chain">LogonGuid</span>
<span class="pill kill-chain">LogonId</span>
<span class="pill kill-chain">MD5</span>
<span class="pill kill-chain">Name</span>
<span class="pill kill-chain">Opcode</span>
<span class="pill kill-chain">OriginalFileName</span>
<span class="pill kill-chain">ParentCommandLine</span>
<span class="pill kill-chain">ParentImage</span>
<span class="pill kill-chain">ParentProcessGuid</span>
<span class="pill kill-chain">ParentProcessId</span>
<span class="pill kill-chain">ProcessGuid</span>
<span class="pill kill-chain">ProcessID</span>
<span class="pill kill-chain">ProcessId</span>
<span class="pill kill-chain">Product</span>
<span class="pill kill-chain">RecordID</span>
<span class="pill kill-chain">RecordNumber</span>
<span class="pill kill-chain">RuleName</span>
<span class="pill kill-chain">SHA256</span>
<span class="pill kill-chain">SecurityID</span>
<span class="pill kill-chain">SystemTime</span>
<span class="pill kill-chain">System_Props_Xml</span>
<span class="pill kill-chain">Task</span>
<span class="pill kill-chain">TerminalSessionId</span>
<span class="pill kill-chain">ThreadID</span>
<span class="pill kill-chain">TimeCreated</span>
<span class="pill kill-chain">User</span>
<span class="pill kill-chain">UserID</span>
<span class="pill kill-chain">UtcTime</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc_nt_host</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">original_file_name</span>
<span class="pill kill-chain">os</span>
<span class="pill kill-chain">parent_process</span>
<span class="pill kill-chain">parent_process_exec</span>
<span class="pill kill-chain">parent_process_guid</span>
<span class="pill kill-chain">parent_process_id</span>
<span class="pill kill-chain">parent_process_name</span>
<span class="pill kill-chain">parent_process_path</span>
<span class="pill kill-chain">process</span>
<span class="pill kill-chain">process_current_directory</span>
<span class="pill kill-chain">process_exec</span>
<span class="pill kill-chain">process_guid</span>
<span class="pill kill-chain">process_hash</span>
<span class="pill kill-chain">process_id</span>
<span class="pill kill-chain">process_integrity_level</span>
<span class="pill kill-chain">process_name</span>
<span class="pill kill-chain">process_path</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Sysmon EventID 1
Description
Data source object for Sysmon EventID 1
Details
| Property | Value |
|---|---|
| Source | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sourcetype | xmlwineventlog |
| Separator | EventID |
Supported Apps
- Splunk Add-on for Sysmon (version 4.0.1)
Event Fields
Fields
Example Log
1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-10-08T11:03:46.617920300Z'/><EventRecordID>4522</EventRecordID><Correlation/><Execution ProcessID='2912' ThreadID='3424'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-6764986.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2020-10-08 11:03:46.615</Data><Data Name='ProcessGuid'>{96128EA2-F212-5F7E-E400-000000007F01}</Data><Data Name='ProcessId'>2296</Data><Data Name='Image'>C:\Windows\System32\cmd.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>Windows Command Processor</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data Name='CommandLine'>"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %%temp%%\sam & reg save HKLM\system %%temp%%\system & reg save HKLM\security %%temp%%\security" </Data><Data Name='CurrentDirectory'>C:\Users\ADMINI~1\AppData\Local\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{96128EA2-F210-5F7E-ACD4-080000000000}</Data><Data Name='LogonId'>0x8d4ac</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A</Data><Data Name='ParentProcessGuid'>{96128EA2-F211-5F7E-DF00-000000007F01}</Data><Data Name='ParentProcessId'>4624</Data><Data Name='ParentImage'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='ParentCommandLine'>"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAyACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==</Data></EventData></Event>
Source: GitHub | Version: 1