Collect Microsoft Windows Sysmon data

This document:

describes the deployment architecture and installation steps, plus any required configuration that produce logs supported by the Google Security Operations Parser for Microsoft Windows Sysmon events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields.

Information in this document applies to the parser with the WINDOWS_SYSMON ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

Review the recommended deployment architecture

This diagram represents the recommended core components in a deployment architecture to collect and send Microsoft Windows Sysmon data to Google Security Operations. Compare this information with your environment to be sure these components are installed. Each customer deployment will differ from this representation and may be more complex. The following is required:

Systems in the deployment architecture are configured with the UTC time zone.
Sysmon is installed on servers, endpoints, and domain controllers.
The collector Microsoft Windows server receives logs from servers, endpoints, and domain controllers.
Microsoft Windows systems in the deployment architecture use:
- Source Initiated Subscriptions to collect events across multiple devices.
- WinRM service for remote system management.
NXLog is installed on the collector Window server to forward logs to Google Security Operations forwarder.
Google Security Operations forwarder is installed on a central Microsoft Windows server or Linux server.

Note: If you choose to deploy the Google Security Operations Linux forwarder, the central Linux server and collector Microsoft Windows server will be different systems. If you choose to deploy the Google Security Operations forwarder for Microsoft Windows, the central Microsoft Windows server and collector Microsoft Windows server can be the same system.

Review the supported devices and versions

The Google Security Operations parser supports logs generated by the following Microsoft Windows server versions. Microsoft Windows Server is released with the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of logs generated by each edition does not differ.

Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012

Google Security Operations parser supports logs generated by:

Microsoft Windows 7 and higher client systems
Sysmon version 13.24.

Google Security Operations parser supports logs collected by NXLog Community or Enterprise Edition.

Review the supported log types

The Google Security Operations parser supports the following log types generated by Microsoft Windows Sysmon. For more information about these log types, see the Microsoft Windows Sysmon documentation. It supports logs generated with English language text and is not supported with logs generated in non-English languages.

Log Type	Description
Sysmon Logs	Sysmon channel contains 27 Event Ids. (Event Id: 1 to 26, and 255). For a description of this log type, see the Microsoft Windows Sysmon Events documentation

Configure Microsoft Windows servers, endpoints, and domain controllers

Install and configure the servers, endpoints, and domain controllers. For information, see Microsoft Windows Sysmon Configuration documentation.
Set up a collector Microsoft Windows server to parse the collected logs from multiple systems.
Set up the central Microsoft Windows or Linux server
Configure all systems with the UTC time zone.
Configure the devices to forward logs to the collector Microsoft Windows server.
- Configure Source Initiated Subscriptions on Microsoft Windows systems. For information, see Setting up a Source Initiated Subscription.
- Enable WinRM on Microsoft Windows servers and clients. For information, see Installation and configuration for Microsoft Windows Remote Management.

Configure NXLog and Google Security Operations forwarder

Install NXLog on the collector Microsoft Windows server. Follow the NXLog documentation, including information about configuring NXLog to collect logs from Sysmon.

Create a configuration file for NXLog. Use the im_msvistalog input module. Here is an example NXLog configuration. Replace <hostname> and <port> values with information about the destination central Microsoft Windows or Linux server. For more information, see NXLog documentation about the om_tcp module.

define ROOT     C:\Program Files (x86)\nxlog
define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname>
define SYSMON_OUTPUT_DESTINATION_PORT <port>
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False 
    SavePos  False
</Input>

<Output out_chronicle_sysmon>
    Module      om_tcp
    Host        %SYSMON_OUTPUT_DESTINATION_ADDRESS%
    Port        %SYSMON_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_sysmon_eventlog => out_chronicle_sysmon
</Route>

Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server. See the Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

Configure the Google Security Operations forwarder to send logs to Google Security Operations. Here is an example forwarder configuration.

  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_SYSMON
        Data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Start the NXLog service.

Field mapping reference: device event fields to UDM fields

This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields. The field mapping may differ by Event Id.

Common fields

NXLog field	UDM field
UtcTime	metadata.event_timestamp
Category	`security_result.summary` and `metadata.product_event_type`
AccountName	principal.user.userid
Domain	principal.administrative_domain
RecordNumber	metadata.product_log_id
HostName	principal.hostname
UserID	principal.user.windows_sid
SeverityValue	security_result.severity
ProcessID	observer.process.pid
ProviderGuid	observer.asset_id
LogonId	principal.network.session_id
ThreadID	`additional.fields.key` set to `thread_id` and value stored in `additional.fields.value.string_value`
Channel	`additional.fields.key` set to `channel` and value stored in `additional.fields.value.string_value`
EventID	`security_result.rule_name` set to `EventID: <EventID>` `metadata.product_event_type` set to `<Category> [<EventID>]`

Event Id: 1

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path
FileVersion	target.asset.software.version
Description	target.asset.software.description
Product	target.asset.software.name
Company	target.asset.software.vendor_name
CommandLine	target.process.command_line
CurrentDirectory	`additional.fields.key` set to `current_directory` and value stored in `additional.fields.value.string_value`
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Hashes	Based on Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
ParentProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ParentProcessGuid>`
ParentProcessId	principal.process.pid
ParentImage	principal.process.file.full_path
ParentCommandLine	principal.process.command_line

Event Id: 2

NXLog field	UDM field
	`metadata.event_type` set to `FILE_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
PreviousCreationUtcTime	`target.resource.attribute.labels.key` set to `PreviousCreationUtcTime` and value stored in `target.resource.attribute.labels.value`

Event Id: 3

NXLog field	UDM field
	`metadata.event_type` set to `NETWORK_CONNECTION` `security_result.action` set to `ALLOW` `network.direction` set to `OUTBOUND`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
User	Domain stored in `principal.administrative_domain` Username stored in `principal.user.userid`
Protocol	network.ip_protocol
SourceIp	principal.ip
SourcePort	principal.port
DestinationIp	target.ip
DestinationHostname	target.hostname
DestinationPort	target.port

Event Id: 4

NXLog field	UDM field
	`metadata.event_type` set to `SETTING_MODIFICATION` `target.resource.resource_type` set to `SETTING` `target.resource.resource_subtype` set to `State`
UtcTime	metadata.event_timestamp
State	target.resource.name
Version	metadata.product_version

Event Id: 5

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_TERMINATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

Event Id: 6

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ImageLoaded	principal.process.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value set to `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` and value stored in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

Event Id: 7

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
ImageLoaded	target.process.file.full_path
FileVersion	target.asset.software.version
Description	target.asset.software.description
Product	target.asset.software.name
Company	target.asset.software.vendor_name
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in `target.process.file.md5` SHA256 stored in `target.process.file.sha256` SHA1 stored in `target.process.file.sha1`
Signed	`target.resource.attribute.labels.key` set to `Signed` and value stored in `target.resource.attribute.labels.value`
Signature	`target.resource.attribute.labels.key` set to `Signature` Signature value in `target.resource.attribute.labels.value`
SignatureStatus	`target.resource.attribute.labels.key` set to `SignatureStatus` and value stored in `target.resource.attribute.labels.value`

Event Id: 8

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_MODULE_LOAD`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGuid>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGuid>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path

Event Id: 9

NXLog field	UDM field
	`metadata.event_type` set to `FILE_READ` If the `Device` log field, which is required to validate the `FILE_READ` UDM event type, is not available, then `metadata.event_type` is set to `GENERIC_EVENT`.
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
Device	target.file.full_path

Event Id: 10

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_OPEN` `target.resource.resource_subtype` set to `GrantedAccess`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGUID	`principal.process.product_specific_process_id` set to `SYSMON:<SourceProcessGUID>`
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGUID	`target.process.product_specific_process_id` set to `SYSMON:<TargetProcessGUID>`
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path
GrantedAccess	target.resource.name

Event Id: 11

NXLog field	UDM field
	`metadata.event_type` set to `FILE_CREATION` `target.resource.resource_subtype` set to `CreationUtcTime`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.name

Event Id: 12

NXLog field	UDM field
	If the Message the field contains `CreateKey\|CreateValue`, then `metadata.event_type` set to `REGISTRY_CREATION` If the Message field contains `DeleteKey\|DeleteValue`, then `metadata.event_type` set to `REGISTRY_DELETION` Otherwise, `metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key

Event Id: 13

NXLog field	UDM field
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key
Details	target.registry.registry_value_data

Event Id: 14

NXLog field	UDM field
	`metadata.event_type` set to `REGISTRY_MODIFICATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetObject	src.registry.registry_key
NewName	target.registry.registry_key

Event Id: 15

NXLog field	UDM field
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	`target.resource.attribute.labels.key` set to `CreationUtcTime` and value stored in `target.resource.attribute.labels.value`
Hash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

Event Id: 16

NXLog field	UDM field
	`metadata.event_type` set to `SETTING_MODIFICATION`
UtcTime	metadata.event_timestamp
ProcessID	target.process.pid
Configuration	The value is stored in `target.process.command_line` when this field value contains any command line or process The value is stored in `target.process.file.full_path` when this field value contains the configuration file path.
ConfigurationFileHash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in `target.process.file.md5` If SHA256 set to the value is stored in `target.process.file.sha256` If SHA1, the value is stored in `target.process.file.sha1`

Event Id: 17

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

Event Id: 18

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_UNCATEGORIZED` `target.resource.resource_type` set to `PIPE`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	target.process.pid
IntegrityLevel	The value for the field `target.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `target.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `target.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `target.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `target.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `target.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `target.process.integrity_level_rid` UDM field is set to `20480`
PipeName	target.resource.name
Image	target.process.file.full_path

Event Id: 19

NXLog field	UDM field
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation
User	The Domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
EventNamespace	target.file.full_path
Name	target.application
Query	target.resource.name

Event Id: 20

NXLog field	UDM field
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The Username is stored in `principal.user.userid`
Name	`target.resource.attribute.labels.key` set to `Name` Name value in `target.resource.attribute.labels.value`
Type	`target.resource.attribute.labels.key` set to `Type` and the value is stored in `target.resource.attribute.labels.value`
Destination	target.resource.name

Event Id: 21

NXLog field	UDM field
	`metadata.event_type` set to `USER_RESOURCE_ACCESS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	`target.resource.attribute.labels.key` set to `Operation` and the value is stored in `target.resource.attribute.labels.value`
User	The domain is stored in `principal.administrative_domain` The username is stored in `principal.user.userid`
Consumer	`target.resource.attribute.labels.key` set to `Consumer` and the value is stored in `target.resource.attribute.labels.value`
Filter	target.resource.name

Event Id: 22

NXLog field	UDM field
	`metadata.event_type` set to `NETWORK_DNS` `network.application_protocol` set to `DNS`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
QueryName	network.dns.questions
QueryStatus	Stored in `security_result.summary` as `Query Status: <QueryStatus>`
QueryResults	Type is saved to `network.dns.answers.type` with values separated by a semicolon (;) Data is saved to `network.dns.answers.data` Values that do not have type are mapped to `network.dns.answers.data`.
Image	principal.process.file.full_path

Event Id: 23

NXLog field	UDM field
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain stored into `principal.administrative_domain` Username stored in `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	Field `target.resource.attribute.labels.key` set to `IsExecutable` and the value is stored in `target.resource.attribute.labels.value`
Archived	`target.resource.attribute.labels.key` set to `Archived` and the value is stored in `target.resource.attribute.labels.value`

Event Id: 24

NXLog field	UDM field
	`metadata.event_type` set to `RESOURCE_READ`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` set to `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path target.resource.name
ClientInfo	ip stored in `target.ip` hostname stored in `target.hostname` user stored in `principal.user.userid`
Hashes	The field populated is determined by the Hash algorithm. If MD5, value stored in `target.process.file.md5` If SHA256, value stored in `target.process.file.sha256` If SHA1, value stored in `target.process.file.sha1`
Archived	`target.resource.attribute.labels.key` set to `Archived` and value stored in `target.resource.attribute.labels.value`

Event Id: 25

NXLog field	UDM field
	`metadata.event_type` set to `PROCESS_LAUNCH`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`target.process.product_specific_process_id` stored as `SYSMON:<ProcessGuid>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
Image	target.process.file.full_path

Event Id: 26

NXLog field	UDM field
	`metadata.event_type` set to `FILE_DELETION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` set to `SYSMON:<%{ProcessGuid}>`
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain set to `principal.administrative_domain` Username set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on Hash algorithm. MD5 set to `target.process.file.md5` SHA256 set to `target.process.file.sha256` SHA1 set to `target.process.file.sha1`
IsExecutable	`target.resource.attribute.labels.key` set to `IsExecutable` & value in `target.resource.attribute.labels.value`

Event Id: 29

NXLog field	UDM field
	`metadata.event_type` set to `FILE_CREATION`
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	`principal.process.product_specific_process_id` is set to `SYSMON:<PROCESS_GUID>` `PROCESS_GUID` is the `ProcessGuid`. The `ProcessGuid` field is a unique value for this process across a domain to make event correlation easier.
ProcessId	principal.process.pid
IntegrityLevel	The value for the field `principal.process.integrity_level_rid` is determined based on the value of the field `IntegrityLevel` as follows: If the `IntegrityLevel` log field value matches the regular expression `Untrusted`, then the `principal.process.integrity_level_rid` UDM field is set to `0` If the `IntegrityLevel` log field value matches the regular expression `Low`, then the `principal.process.integrity_level_rid` UDM field is set to `4096` If the `IntegrityLevel` log field value matches the regular expression `Medium`, then the `principal.process.integrity_level_rid` UDM field is set to `8192` If the `IntegrityLevel` log field value matches the regular expression `High`, then the `principal.process.integrity_level_rid` UDM field is set to `12288` If the `IntegrityLevel` log field value matches the regular expression `System`, then the `principal.process.integrity_level_rid` UDM field is set to `16384` If the `IntegrityLevel` log field value matches the regular expression `Protected`, then the `principal.process.integrity_level_rid` UDM field is set to `20480`
User	Domain is set to `principal.administrative_domain` Username is set to `principal.user.userid`
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on the hash algorithm, the following values are set: MD5 is set to `target.process.file.md5` SHA256 is set to `target.process.file.sha256` SHA1 is set to `target.process.file.sha1`

Event Id: 255

NXLog field	UDM field
	`metadata.event_type` set to `SERVICE_UNSPECIFIED` `metadata.product_event_type` set to `Error - [255]` `target.application` set to `Microsoft Sysmon`
UtcTime	metadata.event_timestamp
ID	security_result.summary
Description	security_result.description