Collect Microsoft Windows Sysmon data

This document:

  • describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Chronicle Parser for Microsoft Windows Sysmon events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
  • includes information about how the parser maps fields in the original log to Chronicle Unified Data Model fields.

Information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

This diagram represents the recommended core components in a deployment architecture to collect and send Microsoft Windows Sysmon data to Chronicle. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

  • Systems in the deployment architecture are configured with the UTC time zone.
  • Sysmon is installed on servers, endpoints, and domain controllers.
  • The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
  • Microsoft Windows systems in the deployment architecture use:

    • Source Initiated Subscriptions to collect events across multiple devices.
    • WinRM service for remote system management.
  • NXLog is installed on the collector Window server to forward logs to Chronicle forwarder.

  • Chronicle forwarder is installed on a central Microsoft Windows server or Linux server.

    Deployment archtecture

Review the supported devices and versions

The Chronicle parser supports logs generated by the following Microsoft Windows server versions. Microsoft Windows Server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition does not differ.

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

Chronicle parser supports logs generated by:

  • Microsoft Windows 7 and higher client systems
  • Sysmon version 13.24.

Chronicle parser supports logs collected by NXLog Community or Enterprise Edition.

Review the supported log types

The Chronicle parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.

Log Type Description
Sysmon Logs Sysmon channel contains 27 Event Ids. (Event Id: 1 to 26, and 255).
For a description of this log type, see the Microsoft Windows Sysmon Events documentation

Configure Microsoft Windows servers, endpoints, and domain controllers

  1. Install and configure the servers, endpoints, and domain controllers. For information, see Microsoft Windows Sysmon Configuration documentation.
  2. Set up a collector Microsoft Windows server to parse the collected logs from multiple systems.
  3. Set up the central Microsoft Windows or Linux server
  4. Configure all systems with the UTC time zone.
  5. Configure the devices to forward logs to the collector Microsoft Windows server.

Configure NXLog and Chronicle forwarder

  1. Install NXLog on the collector Microsoft Windows server. Follow the NXLog documentation, including information about configuring NXLog to collect logs from Sysmon.
  2. Create a configuration file for NXLog. Use the im_msvistalog input module. Here is an example NXLog configuration. Replace <hostname> and <port> values with information about the destination central Microsoft Windows or Linux server. For more information, see NXLog documentation about the om_tcp module.

    define ROOT     C:\Program Files (x86)\nxlog
    define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
    define SYSMON_OUTPUT_DESTINATION_PORT <port>
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    <Extension _json>
        Module      xm_json
    </Extension>
    
    <Input windows_sysmon_eventlog>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        ReadFromLast  False 
        SavePos  False
    </Input>
    
    <Output out_chronicle_sysmon>
        Module      om_tcp
        Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
        Port        %SYSMON_OUTPUT_DESTINATION_PORT%
        Exec        $EventTime = integer($EventTime) / 1000;
        Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec        to_json();
    </Output>
    
    <Route r2>
        Path    windows_sysmon_eventlog => out_chronicle_sysmon
    </Route>
    
  3. Install the Chronicle forwarder on the central Microsoft Windows or Linux server. See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

  4. Configure the Chronicle forwarder to send logs to Chronicle. Here is an example forwarder configuration.

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_SYSMON
            Data_hint:
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    
  5. Start the NXLog service.

Field mapping reference: device event fields to UDM fields

This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping may differ by Event Id.

Common fields

NXLog field UDM field
UtcTime metadata.event_timestamp
Category security_result.summary and metadata.product_event_type
AccountName principal.user.userid
Domain principal.administrative_domain
RecordNumber metadata.product_log_id
HostName principal.hostname
UserID principal.user.windows_sid
SeverityValue security_result.severity
ProcessID observer.process.pid
ProviderGuid observer.asset_id
LogonId principal.network.session_id
ThreadID additional.fields.key set to thread_id and value stored in additional.fields.value.string_value
Channel additional.fields.key set to channel and value stored in additional.fields.value.string_value
EventID security_result.rule_name set to EventID: <EventID>

metadata.product_event_type set to <Category> [<EventID>]

Event Id: 1

NXLog field UDM field
metadata.event_type set to PROCESS_LAUNCH
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path
Description metadata.description
CommandLine target.process.command_line
CurrentDirectory additional.fields.key set to current_directory and value stored in additional.fields.value.string_value
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid
Hashes Based on Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
ParentProcessGuid principal.process.product_specific_process_id set to SYSMON:<ParentProcessGuid>
ParentProcessId principal.process.pid
ParentImage principal.process.file.full_path
ParentCommandLine principal.process.command_line

Event Id: 2

NXLog field UDM field
metadata.event_type set to FILE_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to CreationUtcTime and value stored in target.resource.attribute.labels.value
PreviousCreationUtcTime target.resource.attribute.labels.key set to PreviousCreationUtcTime and value stored in target.resource.attribute.labels.value

Event Id: 3

NXLog field UDM field
metadata.event_type set to NETWORK_CONNECTION

security_result.action set to ALLOW

network.direction set to OUTBOUND
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid
Protocol network.ip_protocol
SourceIp principal.ip
SourcePort principal.port
DestinationIp target.ip
DestinationHostname target.hostname
DestinationPort target.port

Event Id: 4

NXLog field UDM field
metadata.event_type set to SETTING_MODIFICATION

target.resource.resource_type set to SETTING

target.resource.resource_subtype set to State
UtcTime metadata.event_timestamp
State target.resource.name
Version metadata.product_version

Event Id: 5

NXLog field UDM field
metadata.event_type set to PROCESS_TERMINATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path

Event Id: 6

NXLog field UDM field
metadata.event_type set to PROCESS_MODULE_LOAD
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ImageLoaded principal.process.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to Signed and value set to target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to Signature and value stored in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to SignatureStatus and value stored in target.resource.attribute.labels.value

Event Id: 7

NXLog field UDM field
metadata.event_type set to PROCESS_MODULE_LOAD
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
ImageLoaded target.process.file.full_path
Description metadata.description
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to Signed and value stored in target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to Signature
Signature value in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to SignatureStatus and value stored in target.resource.attribute.labels.value

Event Id: 8

NXLog field UDM field
metadata.event_type set to PROCESS_MODULE_LOAD
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGuid principal.process.product_specific_process_id set to SYSMON:<SourceProcessGuid>
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGuid target.process.product_specific_process_id set to SYSMON:<TargetProcessGuid>
TargetProcessId target.process.pid
TargetImage target.process.file.full_path

Event Id: 9

NXLog field UDM field
metadata.event_type set to FILE_READ

If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, then metadata.event_type is set to GENERIC_EVENT.

RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
Device target.file.full_path

Event Id: 10

NXLog field UDM field
metadata.event_type set to PROCESS_OPEN

target.resource.resource_subtype set to GrantedAccess
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGUID principal.process.product_specific_process_id set to SYSMON:<SourceProcessGUID>
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGUID target.process.product_specific_process_id set to SYSMON:<TargetProcessGUID>
TargetProcessId target.process.pid
TargetImage target.process.file.full_path
GrantedAccess target.resource.name

Event Id: 11

NXLog field UDM field
metadata.event_type set to FILE_CREATION

target.resource.resource_subtype set to CreationUtcTime
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.name

Event Id: 12

NXLog field UDM field
If the Message the field contains CreateKey|CreateValue, then metadata.event_type set to REGISTRY_CREATION

If the Message field contains DeleteKey|DeleteValue, then
metadata.event_type set to REGISTRY_DELETION

Otherwise, metadata.event_type set to REGISTRY_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetObject target.registry.registry_key

Event Id: 13

NXLog field UDM field
metadata.event_type set to REGISTRY_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetObject target.registry.registry_key
Details target.registry.registry_value_data

Event Id: 14

NXLog field UDM field
metadata.event_type set to REGISTRY_MODIFICATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetObject src.registry.registry_key
NewName target.registry.registry_key

Event Id: 15

NXLog field UDM field
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to CreationUtcTime and value stored in target.resource.attribute.labels.value
Hash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

Event Id: 16

NXLog field UDM field
metadata.event_type set to SETTING_MODIFICATION
UtcTime metadata.event_timestamp
ProcessID target.process.pid
Configuration The value is stored in target.process.command_line when this field value contains any command line or process

The value is stored in target.process.file.full_path when this field value contains the configuration file path.
ConfigurationFileHash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

Event Id: 17

NXLog field UDM field
metadata.event_type set to PROCESS_UNCATEGORIZED

target.resource.resource_type set to PIPE
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
PipeName target.resource.name
Image target.process.file.full_path

Event Id: 18

NXLog field UDM field
metadata.event_type set to PROCESS_UNCATEGORIZED

target.resource.resource_type set to PIPE
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId target.process.pid
IntegrityLevel The value for the field target.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the target.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the target.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the target.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the target.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the target.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the target.process.integrity_level_rid UDM field is set to 20480
PipeName target.resource.name
Image target.process.file.full_path

Event Id: 19

NXLog field UDM field
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation
User The Domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
EventNamespace target.file.full_path
Name target.application
Query target.resource.name

Event Id: 20

NXLog field UDM field
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to Operation and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
Name target.resource.attribute.labels.key set to Name
Name value in target.resource.attribute.labels.value
Type target.resource.attribute.labels.key set to Type and the value is stored in target.resource.attribute.labels.value
Destination target.resource.name

Event Id: 21

NXLog field UDM field
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to Operation and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The username is stored in principal.user.userid
Consumer target.resource.attribute.labels.key set to Consumer and the value is stored in target.resource.attribute.labels.value
Filter target.resource.name

Event Id: 22

NXLog field UDM field
metadata.event_type set to NETWORK_DNS

network.application_protocol set to DNS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
QueryName network.dns.questions
QueryStatus Stored in security_result.summary as Query Status: <QueryStatus>
QueryResults Type is saved to network.dns.answers.type with values separated by a semicolon (;)
Data is saved to network.dns.answers.data
Values that do not have type are mapped to network.dns.answers.data.
Image principal.process.file.full_path

Event Id: 23

NXLog field UDM field
metadata.event_type set to FILE_DELETION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
User Domain stored into principal.administrative_domain

Username stored in principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 set to target.process.file.md5
  • SHA256 set to target.process.file.sha256
  • SHA1 set to target.process.file.sha1
IsExecutable Field target.resource.attribute.labels.key set to IsExecutable and the value is stored in target.resource.attribute.labels.value
Archived target.resource.attribute.labels.key set to Archived and the value is stored in target.resource.attribute.labels.value

Event Id: 24

NXLog field UDM field
metadata.event_type set to RESOURCE_READ
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path

target.resource.name
ClientInfo ip stored in target.ip
hostname stored in target.hostname
user stored in principal.user.userid
Hashes The field populated is determined by the Hash algorithm.
  • If MD5, value stored in target.process.file.md5
  • If SHA256, value stored in target.process.file.sha256
  • If SHA1, value stored in target.process.file.sha1
Archived target.resource.attribute.labels.key set to Archived and value stored in target.resource.attribute.labels.value

Event Id: 25

NXLog field UDM field
metadata.event_type set to PROCESS_LAUNCH
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id stored as SYSMON:<ProcessGuid>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
Image target.process.file.full_path

Event Id: 26

NXLog field UDM field
metadata.event_type set to FILE_DELETION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to SYSMON:<%{ProcessGuid}>
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
User Domain set to principal.administrative_domain

Username set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on Hash algorithm.
MD5 set to target.process.file.md5
SHA256 set to target.process.file.sha256
SHA1 set to target.process.file.sha1
IsExecutable target.resource.attribute.labels.key set to IsExecutable & value in target.resource.attribute.labels.value

Event Id: 29

NXLog field UDM field
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id is set to SYSMON:<PROCESS_GUID> PROCESS_GUID is the ProcessGuid. The ProcessGuid field is a unique value for this process across a domain to make event correlation easier.
ProcessId principal.process.pid
IntegrityLevel The value for the field principal.process.integrity_level_rid is determined based on the value of the field IntegrityLevel as follows:
  • If the IntegrityLevel log field value matches the regular expression Untrusted, then the principal.process.integrity_level_rid UDM field is set to 0
  • If the IntegrityLevel log field value matches the regular expression Low, then the principal.process.integrity_level_rid UDM field is set to 4096
  • If the IntegrityLevel log field value matches the regular expression Medium, then the principal.process.integrity_level_rid UDM field is set to 8192
  • If the IntegrityLevel log field value matches the regular expression High, then the principal.process.integrity_level_rid UDM field is set to 12288
  • If the IntegrityLevel log field value matches the regular expression System, then the principal.process.integrity_level_rid UDM field is set to 16384
  • If the IntegrityLevel log field value matches the regular expression Protected, then the principal.process.integrity_level_rid UDM field is set to 20480
User Domain is set to principal.administrative_domain

Username is set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on the hash algorithm, the following values are set:
  • MD5 is set to target.process.file.md5
  • SHA256 is set to target.process.file.sha256
  • SHA1 is set to target.process.file.sha1

Event Id: 255

NXLog field UDM field
metadata.event_type set to SERVICE_UNSPECIFIED

metadata.product_event_type set to Error - [255]

target.application set to Microsoft Sysmon
UtcTime metadata.event_timestamp
ID security_result.summary
Description security_result.description