Sysmon

Sysmon uses an XML configuration file with two main sections: HashAlgorithms and EventFiltering.

The HashAlgorithms section defines the hash algorithms to be used.
The EventFiltering section specifies events to monitor or exclude.

To control event logging, use include statements to monitor specific events and exclude statements to ignore them.

Event filtering entries

Tag

Event

ProcessCreate

Process Create

FileCreateTime

File creation time

NetworkConnect

Network connection detected

n/a

Sysmon service state change (cannot be filtered)

ProcessTerminate

Process terminated

DriverLoad

Driver Loaded

ImageLoad

Image loaded

CreateRemoteThread

CreateRemoteThread detected

RawAccessRead

RawAccessRead detected

ProcessAccess

Process accessed

FileCreate

File created

RegistryEvent

Registry object added or deleted

RegistryEvent

Registry value set

RegistryEvent

Registry object renamed

FileCreateStreamHash

File stream created

n/a

Sysmon configuration change (cannot be filtered)

PipeEvent

Named pipe created

PipeEvent

Named pipe connected

WmiEvent

WMI filter

WmiEvent

WMI consumer

WmiEvent

WMI consumer filter

DNSQuery

DNS query

FileDelete

File Delete archived

ClipboardChange

New content in the clipboard

ProcessTampering

Process image change

FileDeleteDetected

File Delete logged

FileBlockExecutable

File Block Executable

FileBlockShredding

File Block Shredding

FileExecutableDetected

File Executable Detected

"condition" type and features

Condition

Description

Default, values are equals

is any

The field is one of the ; delimited values

is not

Values are different

contains

The field contains this value

contains any

The field contains any of the ; delimited values

contains all

The field contains all of the ; delimited values

excludes

The field does not contain this value

excludes any

The field does not contain one or more of the ; delimited values

excludes all

The field does not contain any of the ; delimited values

begin with

The field begins with this value

end with

The field ends with this value

not begin with

The field does not begin with this value

not end with

The field does not end with this value

less than

Lexicographical comparison is less than zero

more than

Lexicographical comparison is more than zero

image

Match an image path (full path or only image name). For example: lsass.exe will match c:\windows\system32\lsass.exe

PreviousEvent Log NextRegistry

Last updated 7 months ago

Was this helpful?