Elastic Windows Event Explorer

Publisher - Microsoft-Windows-Sysmon

Event ID 1 v5

Message:

Process Create:
RuleName: %{RuleName}
UtcTime: %{UtcTime}
ProcessGuid: %{ProcessGuid}
ProcessId: %{ProcessId}
Image: %{Image}
FileVersion: %{FileVersion}
Description: %{Description}
Product: %{Product}
Company: %{Company}
OriginalFileName: %{OriginalFileName}
CommandLine: %{CommandLine}
CurrentDirectory: %{CurrentDirectory}
User: %{User}
LogonGuid: %{LogonGuid}
LogonId: %{LogonId}
TerminalSessionId: %{TerminalSessionId}
IntegrityLevel: %{IntegrityLevel}
Hashes: %{Hashes}
ParentProcessGuid: %{ParentProcessGuid}
ParentProcessId: %{ParentProcessId}
ParentImage: %{ParentImage}
ParentCommandLine: %{ParentCommandLine}

Event Data:

 #   Name                 In Type              Out Type
 1   RuleName             win:UnicodeString    xs:string
 2   UtcTime              win:UnicodeString    xs:string
 3   ProcessGuid          win:GUID             xs:GUID
 4   ProcessId            win:UInt32           win:PID
 5   Image                win:UnicodeString    xs:string
 6   FileVersion          win:UnicodeString    xs:string
 7   Description          win:UnicodeString    xs:string
 8   Product              win:UnicodeString    xs:string
 9   Company              win:UnicodeString    xs:string
10   OriginalFileName     win:UnicodeString    xs:string
11   CommandLine          win:UnicodeString    xs:string
12   CurrentDirectory     win:UnicodeString    xs:string
13   User                 win:UnicodeString    xs:string
14   LogonGuid            win:GUID             xs:GUID
15   LogonId              win:HexInt64         win:HexInt64
16   TerminalSessionId    win:UInt32           xs:unsignedInt
17   IntegrityLevel       win:UnicodeString    xs:string
18   Hashes               win:UnicodeString    xs:string
19   ParentProcessGuid    win:GUID             xs:GUID
20   ParentProcessId      win:UInt32           win:PID
21   ParentImage          win:UnicodeString    xs:string
22   ParentCommandLine    win:UnicodeString    xs:string

Observed Windows Versions:

Version: 5

Fingerprint: PGKJDOHHSCPQM
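The schema above, applied. This is an added example, not code from the Elastic page, from Sysmon or from Microsoft: it parses one Sysmon Event ID 1 record in the Windows event XML export format, converts each field according to the In Type column (win:UInt32 to int, win:HexInt64 from its hex string), splits the comma-separated Hashes value into one entry per algorithm, and flags a renamed binary by comparing OriginalFileName with the file name part of Image. The XML record is constructed for the example, the function names are the example's own, and the name-mismatch heuristic is a common detection idea that the page itself does not state.

```python
"""Parse a Sysmon Event ID 1 (Process Create) XML record into the 22-field
schema and apply a simple renamed-binary check.

Added example; the sample event below is constructed, not a real capture.
"""
import xml.etree.ElementTree as ET
from typing import Any

# Standard namespace of Windows event XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Field -> converter, following the "In Type" column of the Event Data table.
# UnicodeString and GUID fields stay as str (GUID braces are kept as logged).
FIELD_TYPES = {
    "RuleName": str, "UtcTime": str, "ProcessGuid": str,
    "ProcessId": int,                      # win:UInt32
    "Image": str, "FileVersion": str, "Description": str, "Product": str,
    "Company": str, "OriginalFileName": str, "CommandLine": str,
    "CurrentDirectory": str, "User": str, "LogonGuid": str,
    "LogonId": lambda v: int(v, 16),       # win:HexInt64, logged as 0x...
    "TerminalSessionId": int,              # win:UInt32
    "IntegrityLevel": str, "Hashes": str, "ParentProcessGuid": str,
    "ParentProcessId": int,                # win:UInt32
    "ParentImage": str, "ParentCommandLine": str,
}

# Constructed sample record (hash values and GUIDs are placeholders).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Version>5</Version>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\Public\svchost.exe</Data>
    <Data Name="FileVersion">1.0.0.0</Data>
    <Data Name="Description">-</Data>
    <Data Name="Product">-</Data>
    <Data Name="Company">-</Data>
    <Data Name="OriginalFileName">RenamedTool.exe</Data>
    <Data Name="CommandLine">"C:\Users\Public\svchost.exe" -run</Data>
    <Data Name="CurrentDirectory">C:\Users\Public\</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="LogonId">0x3E7</Data>
    <Data Name="TerminalSessionId">1</Data>
    <Data Name="IntegrityLevel">High</Data>
    <Data Name="Hashes">SHA1=0123456789abcdef0123456789abcdef01234567,MD5=0123456789abcdef0123456789abcdef</Data>
    <Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000003}</Data>
    <Data Name="ParentProcessId">1000</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">cmd.exe</Data>
  </EventData>
</Event>"""


def parse_process_create(xml_text: str) -> dict[str, Any]:
    """Return the typed fields of one Event ID 1 record plus HashesParsed."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 1:
        raise ValueError(f"not a Process Create event: EventID {event_id}")
    raw = {d.get("Name"): (d.text or "")
           for d in root.findall("e:EventData/e:Data", NS)}
    record: dict[str, Any] = {}
    for name, conv in FIELD_TYPES.items():
        if name in raw:
            record[name] = conv(raw[name])
    # Hashes is "ALGO=hex,ALGO=hex,..."; split it so each algorithm can be
    # matched against an intel feed on its own.
    record["HashesParsed"] = dict(
        part.split("=", 1)
        for part in record.get("Hashes", "").split(",") if "=" in part)
    return record


def image_name_mismatch(record: dict[str, Any]) -> bool:
    """True when the on-disk file name differs from the OriginalFileName in
    the PE version resource (a renamed-binary signal). Sysmon logs "-" when
    the binary carries no version info, so those records are skipped."""
    original = record.get("OriginalFileName", "")
    if original in ("", "-", "?"):
        return False
    image_name = record.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1]
    return image_name.lower() != original.lower()


if __name__ == "__main__":
    rec = parse_process_create(SAMPLE_EVENT)
    for key in ("Image", "OriginalFileName", "ProcessId", "LogonId", "HashesParsed"):
        print(f"{key}: {rec[key]}")
    print("renamed-binary suspect:", image_name_mismatch(rec))
```

The converters mirror the table rather than guessing from the values: LogonId in particular is logged as a hex string and must be parsed with base 16 before it can be joined to the LogonId in Security log 4624/4688 events. The mismatch check deliberately ignores "-" so that unsigned tools with no version resource do not flood the result with false positives.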