Elastic Windows Event Explorer


Publisher - Microsoft-Windows-Sysmon

Event ID 10 v3

Message:

Process accessed:
RuleName: %{RuleName}
UtcTime: %{UtcTime}
SourceProcessGUID: %{SourceProcessGUID}
SourceProcessId: %{SourceProcessId}
SourceThreadId: %{SourceThreadId}
SourceImage: %{SourceImage}
TargetProcessGUID: %{TargetProcessGUID}
TargetProcessId: %{TargetProcessId}
TargetImage: %{TargetImage}
GrantedAccess: %{GrantedAccess}
CallTrace: %{CallTrace}

Event Data:

#   Name                In Type            Out Type
1   RuleName            win:UnicodeString  xs:string
2   UtcTime             win:UnicodeString  xs:string
3   SourceProcessGUID   win:GUID           xs:GUID
4   SourceProcessId     win:UInt32         win:PID
5   SourceThreadId      win:UInt32         xs:unsignedInt
6   SourceImage         win:UnicodeString  xs:string
7   TargetProcessGUID   win:GUID           xs:GUID
8   TargetProcessId     win:UInt32         win:PID
9   TargetImage         win:UnicodeString  xs:string
10  GrantedAccess       win:HexInt32       win:HexInt32
11  CallTrace           win:UnicodeString  xs:string

Observed Windows Versions:

Version: 3

Fingerprint: 5E4LRRCLSGGOS