Common fields

NXLog field UDM field
UtcTime metadata.event_timestamp
Category security_result.summary and metadata.product_event_type
AccountName principal.user.userid
Domain principal.administrative_domain
RecordNumber metadata.product_log_id
HostName principal.hostname
UserID principal.user.windows_sid
SeverityValue security_result.severity
EventID security_result.rule_name set to "EventID: %{EventID}"

metadata.product_event_type set to "%{Category} [%{EventID}]"

Event Id: 1

NXLog field UDM field
metadata.event_type set to "PROCESS_LAUNCH"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId target.process.pid
Image target.process.file.full_path
Description metadata.description
CommandLine target.process.command_line
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid
Hashes Based on Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
ParentProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ParentProcessGuid>"
ParentProcessId principal.process.pid
ParentImage principal.process.file.full_path
ParentCommandLine principal.process.command_line

Event Id: 2

NXLog field UDM field
metadata.event_type set to "FILE_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value
PreviousCreationUtcTime target.resource.attribute.labels.key set to "PreviousCreationUtcTime" and value stored in target.resource.attribute.labels.value

Event Id: 3

NXLog field UDM field
metadata.event_type set to "NETWORK_CONNECTION"

security_result.action set to "ALLOW"

network.direction" set to "OUTBOUND"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
User Domain stored in principal.administrative_domain

Username stored in principal.user.userid"
Protocol network.ip_protocol
SourceIp principal.ip
SourcePort principal.port
DestinationIp target.ip
DestinationHostname target.hostname
DestinationPort target.port

Event Id: 4

NXLog field UDM field
metadata.event_type set to "SETTING_MODIFICATION"

target.resource.resource_type set to "SETTING"

resource.resource_subtype set to "State"
UtcTime metadata.event_timestamp
State target.resource.name
Version metadata.product_version

Event Id: 5

NXLog field UDM field
metadata.event_type set to "PROCESS_TERMINATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>
ProcessId target.process.pid
Image target.process.file.full_path

Event Id: 6

NXLog field UDM field
metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ImageLoaded principal.process.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to "Signed" and value set to target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value

Event Id: 7

NXLog field UDM field
metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>
ProcessId principal.process.pid
Image principal.process.file.full_path
ImageLoaded target.process.file.full_path
Description metadata.description
Hashes The field populated is determined by the Hash algorithm.
  • MD5 stored in target.process.file.md5
  • SHA256 stored in target.process.file.sha256
  • SHA1 stored in target.process.file.sha1
Signed target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value
Signature target.resource.attribute.labels.key set to "Signature"
Signature value in target.resource.attribute.labels.value
SignatureStatus target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value

Event Id: 8

NXLog field UDM field
metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGuid principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>"
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGuid target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>"
TargetProcessId target.process.pid
TargetImage target.process.file.full_path

Event Id: 9

NXLog field UDM field
metadata.event_type set to "FILE_READ"

If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, then metadata.event_type is set to "GENERIC_EVENT".

RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>
ProcessId principal.process.pid
Image principal.process.file.full_path
Device target.file.full_path

Event Id: 10

NXLog field UDM field
metadata.event_type set to "PROCESS_OPEN"

target.resource.resource_subtype set to "GrantedAccess"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
SourceProcessGUID principal.process.product_specific_process_id set to "SYSMON:<SourceProcessGuid>"
SourceProcessId principal.process.pid
SourceImage principal.process.file.full_path
TargetProcessGUID target.process.product_specific_process_id set to "SYSMON:<TargetProcessGuid>"
TargetProcessId target.process.pid
TargetImage target.process.file.full_path
GrantedAccess target.resource.name

Event Id: 11

NXLog field UDM field
metadata.event_type set to "FILE_CREATION"

target.resource.resource_subtype set to "CreationUtcTime"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.name

Event Id: 12

NXLog field UDM field
If the Message the field contains "CreateKey|CreateValue", then metadata.event_type set to "REGISTRY_CREATION"

If the Message field contains "DeleteKey|DeleteValue", then
metadata.event_type set to REGISTRY_DELETION

Otherwise, metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetObject target.registry.registry_key

Event Id: 13

NXLog field UDM field
metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetObject target.registry.registry_key
Details target.registry.registry_value_data

Event Id: 14

NXLog field UDM field
metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetObject src.registry.registry_key
NewName target.registry.registry_key

Event Id: 15

NXLog field UDM field
metadata.event_type set to FILE_CREATION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image principal.process.file.full_path
TargetFilename target.file.full_path
CreationUtcTime target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value
Hash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

Event Id: 16

NXLog field UDM field
metadata.event_type set to "SETTING_MODIFICATION"
UtcTime metadata.event_timestamp
ProcessID target.process.pid
Configuration The value is stored in target.process.command_line when this field value contains any command line or process

The value is stored in target.process.file.full_path when this field value contains the configuration file path.
ConfigurationFileHash The field populated is determined by the Hash algorithm.
  • If MD5, the value is stored in target.process.file.md5
  • If SHA256 set to the value is stored in target.process.file.sha256
  • If SHA1, the value is stored in target.process.file.sha1

Event Id: 17

NXLog field UDM field
metadata.event_type set to "PROCESS_UNCATEGORIZED"

target.resource.resource_type set to "PIPE"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId target.process.pid
PipeName target.resource.name
Image target.process.file.full_path

Event Id: 18

NXLog field UDM field
metadata.event_type set to "PROCESS_UNCATEGORIZED"

target.resource.resource_type set to "PIPE"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId target.process.pid
PipeName target.resource.name
Image target.process.file.full_path

Event Id: 19

NXLog field UDM field
metadata.event_type set to USER_RESOURCE_ACCESS
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation
User The Domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
EventNamespace target.file.full_path
Name target.application
Query target.resource.name

Event Id: 20

NXLog field UDM field
metadata.event_type set to "USER_RESOURCE_ACCESS"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The Username is stored in principal.user.userid
Name target.resource.attribute.labels.key set to "Name"
Name value in target.resource.attribute.labels.value
Type target.resource.attribute.labels.key set to "Type" and the value is stored in target.resource.attribute.labels.value
Destination target.resource.name

Event Id: 21

NXLog field UDM field
metadata.event_type set to "USER_RESOURCE_ACCESS"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
Operation target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value
User The domain is stored in principal.administrative_domain

The username is stored in principal.user.userid
Consumer target.resource.attribute.labels.key set to "Consumer" and the value is stored in target.resource.attribute.labels.value
Filter target.resource.name

Event Id: 22

NXLog field UDM field
metadata.event_type set to "NETWORK_DNS"

network.application_protocol set to "DNS"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
QueryName network.dns.questions
QueryStatus Stored in security_result.summary as "Query Status: "
QueryResults Type is saved to network.dns.answers.type with values separated by a semicolon (;)
Data is saved to network.dns.answers.data
Values that do not have type are mapped to network.dns.answers.data.
Image principal.process.file.full_path

Event Id: 23

NXLog field UDM field
metadata.event_type set to "FILE_DELETION"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
User Domain stored into principal.administrative_domain

Username stored in principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes The field populated is determined by the Hash algorithm.
  • MD5 set to target.process.file.md5
  • SHA256 set to target.process.file.sha256
  • SHA1 set to target.process.file.sha1
IsExecutable Field target.resource.attribute.labels.key set to "IsExecutable" and the value is stored in target.resource.attribute.labels.value
Archived target.resource.attribute.labels.key set to "Archived" and the value is stored in target.resource.attribute.labels.value

Event Id: 24

NXLog field UDM field
metadata.event_type set to "RESOURCE_READ"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id set to "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image target.process.file.full_path

target.resource.name
ClientInfo ip stored in target.ip
hostname stored in target.hostname
user stored in principal.user.userid
Hashes The field populated is determined by the Hash algorithm.
  • If MD5, value stored in target.process.file.md5
  • If SHA256, value stored in target.process.file.sha256
  • If SHA1, value stored in target.process.file.sha1
Archived target.resource.attribute.labels.key set to "Archived" and value stored in target.resource.attribute.labels.value

Event Id: 25

NXLog field UDM field
metadata.event_type set to "PROCESS_LAUNCH"
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid target.process.product_specific_process_id stored as "SYSMON:<ProcessGuid>"
ProcessId principal.process.pid
Image target.process.file.full_path

Event Id: 26

NXLog field UDM field
metadata.event_type set to FILE_DELETION
RuleName security_result.rule_name
UtcTime metadata.event_timestamp
ProcessGuid principal.process.product_specific_process_id set to "SYSMON:%{ProcessGuid}
ProcessId principal.process.pid
User Domain set to principal.administrative_domain

Username set to principal.user.userid
Image principal.process.file.full_path
TargetFilename target.file.full_path
Hashes Based on Hash algorithm.
MD5 set to target.process.file.md5
SHA256 set to target.process.file.sha256
SHA1 set to target.process.file.sha1
IsExecutable target.resource.attribute.labels.key set to "IsExecutable" & value in target.resource.attribute.labels.value

Event Id: 255

NXLog field UDM field
metadata.event_type set to SERVICE_UNSPECIFIED

metadata.product_event_type set to "Error - [255]"

target.application set to "Microsoft Sysmon"
UtcTime metadata.event_timestamp
ID security_result.summary
Description security_result.description