Google Cloud

English
Deutsch
Español – América Latina
Français
Português – Brasil
中文 – 简体
日本語
한국어

Common fields

NXLog field	UDM field
UtcTime	metadata.event_timestamp
Category	security_result.summary and metadata.product_event_type
AccountName	principal.user.userid
Domain	principal.administrative_domain
RecordNumber	metadata.product_log_id
HostName	principal.hostname
UserID	principal.user.windows_sid
SeverityValue	security_result.severity
EventID	security_result.rule_name set to "EventID: %{EventID}" metadata.product_event_type set to "%{Category} [%{EventID}]"

Event Id: 1

NXLog field	UDM field
	metadata.event_type set to "PROCESS_LAUNCH"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	target.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	target.process.pid
Image	target.process.file.full_path
Description	metadata.description
CommandLine	target.process.command_line
User	Domain stored in principal.administrative_domain Username stored in principal.user.userid
Hashes	Based on Hash algorithm. MD5 stored in target.process.file.md5 SHA256 stored in target.process.file.sha256 SHA1 stored in target.process.file.sha1
ParentProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ParentProcessGuid>`"
ParentProcessId	principal.process.pid
ParentImage	principal.process.file.full_path
ParentCommandLine	principal.process.command_line

Event Id: 2

NXLog field	UDM field
	metadata.event_type set to "FILE_MODIFICATION"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value
PreviousCreationUtcTime	target.resource.attribute.labels.key set to "PreviousCreationUtcTime" and value stored in target.resource.attribute.labels.value

Event Id: 3

NXLog field	UDM field
	metadata.event_type set to "NETWORK_CONNECTION" security_result.action set to "ALLOW" network.direction" set to "OUTBOUND"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
User	Domain stored in principal.administrative_domain Username stored in principal.user.userid"
Protocol	network.ip_protocol
SourceIp	principal.ip
SourcePort	principal.port
DestinationIp	target.ip
DestinationHostname	target.hostname
DestinationPort	target.port

Event Id: 4

NXLog field	UDM field
	metadata.event_type set to "SETTING_MODIFICATION" target.resource.resource_type set to "SETTING" resource.resource_subtype set to "State"
UtcTime	metadata.event_timestamp
State	target.resource.name
Version	metadata.product_version

Event Id: 5

NXLog field	UDM field
	metadata.event_type set to "PROCESS_TERMINATION"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`
ProcessId	target.process.pid
Image	target.process.file.full_path

Event Id: 6

NXLog field	UDM field
	metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ImageLoaded	principal.process.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in target.process.file.md5 SHA256 stored in target.process.file.sha256 SHA1 stored in target.process.file.sha1
Signed	target.resource.attribute.labels.key set to "Signed" and value set to target.resource.attribute.labels.value
Signature	target.resource.attribute.labels.key set to "Signature" and value stored in target.resource.attribute.labels.value
SignatureStatus	target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value

Event Id: 7

NXLog field	UDM field
	metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`
ProcessId	principal.process.pid
Image	principal.process.file.full_path
ImageLoaded	target.process.file.full_path
Description	metadata.description
Hashes	The field populated is determined by the Hash algorithm. MD5 stored in target.process.file.md5 SHA256 stored in target.process.file.sha256 SHA1 stored in target.process.file.sha1
Signed	target.resource.attribute.labels.key set to "Signed" and value stored in target.resource.attribute.labels.value
Signature	target.resource.attribute.labels.key set to "Signature" Signature value in target.resource.attribute.labels.value
SignatureStatus	target.resource.attribute.labels.key set to "SignatureStatus" and value stored in target.resource.attribute.labels.value

Event Id: 8

NXLog field	UDM field
	metadata.event_type set to "PROCESS_MODULE_LOAD"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<SourceProcessGuid>`"
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGuid	target.process.product_specific_process_id set to "SYSMON:`<TargetProcessGuid>`"
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path

Event Id: 9

NXLog field	UDM field
	metadata.event_type set to "FILE_READ" If the Device log field, which is required to validate the FILE_READ UDM event type, is not available, then metadata.event_type is set to "GENERIC_EVENT".
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`
ProcessId	principal.process.pid
Image	principal.process.file.full_path
Device	target.file.full_path

Event Id: 10

NXLog field	UDM field
	metadata.event_type set to "PROCESS_OPEN" target.resource.resource_subtype set to "GrantedAccess"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
SourceProcessGUID	principal.process.product_specific_process_id set to "SYSMON:`<SourceProcessGuid>`"
SourceProcessId	principal.process.pid
SourceImage	principal.process.file.full_path
TargetProcessGUID	target.process.product_specific_process_id set to "SYSMON:`<TargetProcessGuid>`"
TargetProcessId	target.process.pid
TargetImage	target.process.file.full_path
GrantedAccess	target.resource.name

Event Id: 11

NXLog field	UDM field
	metadata.event_type set to "FILE_CREATION" target.resource.resource_subtype set to "CreationUtcTime"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.name

Event Id: 12

NXLog field	UDM field
	If the Message the field contains "CreateKey\|CreateValue", then metadata.event_type set to "REGISTRY_CREATION" If the Message field contains "DeleteKey\|DeleteValue", then metadata.event_type set to REGISTRY_DELETION Otherwise, metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key

Event Id: 13

NXLog field	UDM field
	metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
TargetObject	target.registry.registry_key
Details	target.registry.registry_value_data

Event Id: 14

NXLog field	UDM field
	metadata.event_type set to "REGISTRY_MODIFICATION"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
TargetObject	src.registry.registry_key
NewName	target.registry.registry_key

Event Id: 15

NXLog field	UDM field
	metadata.event_type set to FILE_CREATION
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
CreationUtcTime	target.resource.attribute.labels.key set to "CreationUtcTime" and value stored in target.resource.attribute.labels.value
Hash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in target.process.file.md5 If SHA256 set to the value is stored in target.process.file.sha256 If SHA1, the value is stored in target.process.file.sha1

Event Id: 16

NXLog field	UDM field
	metadata.event_type set to "SETTING_MODIFICATION"
UtcTime	metadata.event_timestamp
ProcessID	target.process.pid
Configuration	The value is stored in target.process.command_line when this field value contains any command line or process The value is stored in target.process.file.full_path when this field value contains the configuration file path.
ConfigurationFileHash	The field populated is determined by the Hash algorithm. If MD5, the value is stored in target.process.file.md5 If SHA256 set to the value is stored in target.process.file.sha256 If SHA1, the value is stored in target.process.file.sha1

Event Id: 17

NXLog field	UDM field
	metadata.event_type set to "PROCESS_UNCATEGORIZED" target.resource.resource_type set to "PIPE"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	target.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	target.process.pid
PipeName	target.resource.name
Image	target.process.file.full_path

Event Id: 18

NXLog field	UDM field
	metadata.event_type set to "PROCESS_UNCATEGORIZED" target.resource.resource_type set to "PIPE"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	target.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	target.process.pid
PipeName	target.resource.name
Image	target.process.file.full_path

Event Id: 19

NXLog field	UDM field
	metadata.event_type set to USER_RESOURCE_ACCESS
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation
User	The Domain is stored in principal.administrative_domain The Username is stored in principal.user.userid
EventNamespace	target.file.full_path
Name	target.application
Query	target.resource.name

Event Id: 20

NXLog field	UDM field
	metadata.event_type set to "USER_RESOURCE_ACCESS"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value
User	The domain is stored in principal.administrative_domain The Username is stored in principal.user.userid
Name	target.resource.attribute.labels.key set to "Name" Name value in target.resource.attribute.labels.value
Type	target.resource.attribute.labels.key set to "Type" and the value is stored in target.resource.attribute.labels.value
Destination	target.resource.name

Event Id: 21

NXLog field	UDM field
	metadata.event_type set to "USER_RESOURCE_ACCESS"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
Operation	target.resource.attribute.labels.key set to "Operation" and the value is stored in target.resource.attribute.labels.value
User	The domain is stored in principal.administrative_domain The username is stored in principal.user.userid
Consumer	target.resource.attribute.labels.key set to "Consumer" and the value is stored in target.resource.attribute.labels.value
Filter	target.resource.name

Event Id: 22

NXLog field	UDM field
	metadata.event_type set to "NETWORK_DNS" network.application_protocol set to "DNS"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
QueryName	network.dns.questions
QueryStatus	Stored in security_result.summary as "Query Status: "
QueryResults	Type is saved to network.dns.answers.type with values separated by a semicolon (;) Data is saved to network.dns.answers.data Values that do not have type are mapped to network.dns.answers.data.
Image	principal.process.file.full_path

Event Id: 23

NXLog field	UDM field
	metadata.event_type set to "FILE_DELETION"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
User	Domain stored into principal.administrative_domain Username stored in principal.user.userid
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	The field populated is determined by the Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1
IsExecutable	Field target.resource.attribute.labels.key set to "IsExecutable" and the value is stored in target.resource.attribute.labels.value
Archived	target.resource.attribute.labels.key set to "Archived" and the value is stored in target.resource.attribute.labels.value

Event Id: 24

NXLog field	UDM field
	metadata.event_type set to "RESOURCE_READ"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	target.process.product_specific_process_id set to "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	target.process.file.full_path target.resource.name
ClientInfo	ip stored in target.ip hostname stored in target.hostname user stored in principal.user.userid
Hashes	The field populated is determined by the Hash algorithm. If MD5, value stored in target.process.file.md5 If SHA256, value stored in target.process.file.sha256 If SHA1, value stored in target.process.file.sha1
Archived	target.resource.attribute.labels.key set to "Archived" and value stored in target.resource.attribute.labels.value

Event Id: 25

NXLog field	UDM field
	metadata.event_type set to "PROCESS_LAUNCH"
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	target.process.product_specific_process_id stored as "SYSMON:`<ProcessGuid>`"
ProcessId	principal.process.pid
Image	target.process.file.full_path

Event Id: 26

NXLog field	UDM field
	metadata.event_type set to FILE_DELETION
RuleName	security_result.rule_name
UtcTime	metadata.event_timestamp
ProcessGuid	principal.process.product_specific_process_id set to "SYSMON:%{ProcessGuid}
ProcessId	principal.process.pid
User	Domain set to principal.administrative_domain Username set to principal.user.userid
Image	principal.process.file.full_path
TargetFilename	target.file.full_path
Hashes	Based on Hash algorithm. MD5 set to target.process.file.md5 SHA256 set to target.process.file.sha256 SHA1 set to target.process.file.sha1
IsExecutable	target.resource.attribute.labels.key set to "IsExecutable" & value in target.resource.attribute.labels.value

Event Id: 255

NXLog field	UDM field
	metadata.event_type set to SERVICE_UNSPECIFIED metadata.product_event_type set to "Error - [255]" target.application set to "Microsoft Sysmon"
UtcTime	metadata.event_timestamp
ID	security_result.summary
Description	security_result.description

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2022-04-14 UTC.