Elastic Windows Event Explorer


Publisher - Microsoft-Windows-Sysmon

Event ID 2 v5

Message:

File creation time changed:
RuleName: %{RuleName}
UtcTime: %{UtcTime}
ProcessGuid: %{ProcessGuid}
ProcessId: %{ProcessId}
Image: %{Image}
TargetFilename: %{TargetFilename}
CreationUtcTime: %{CreationUtcTime}
PreviousCreationUtcTime: %{PreviousCreationUtcTime}

Event Data:

# Name In Type
Out Type
1 RuleName win:UnicodeString xs:string
2 UtcTime win:UnicodeString xs:string
3 ProcessGuid win:GUID xs:GUID
4 ProcessId win:UInt32 win:PID
5 Image win:UnicodeString xs:string
6 TargetFilename win:UnicodeString xs:string
7 CreationUtcTime win:UnicodeString xs:string
8 PreviousCreationUtcTime win:UnicodeString xs:string

Observed Windows Versions:

Version: 5

Fingerprint: CDP7L33KSOCR2