# Sysmon

Sysmon uses an XML configuration file with two main sections: **HashAlgorithms** and **EventFiltering**.

* The **HashAlgorithms** section defines the hash algorithms to be used.
* The **EventFiltering** section specifies events to monitor or exclude.

To control event logging, use **include** statements to monitor specific events and **exclude** statements to ignore them.

### [Event filtering entries](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events) <a href="#event-filtering-entries" id="event-filtering-entries"></a>

| ID     | Tag                    | Event                                                                                                                                                              |
| ------ | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **1**  | ProcessCreate          | Process Create                                                                                                                                                     |
| **2**  | FileCreateTime         | File creation time                                                                                                                                                 |
| **3**  | NetworkConnect         | Network connection detected                                                                                                                                        |
| **4**  | n/a                    | Sysmon service state change (cannot be filtered)                                                                                                                   |
| **5**  | ProcessTerminate       | Process terminated                                                                                                                                                 |
| **6**  | DriverLoad             | Driver Loaded                                                                                                                                                      |
| **7**  | ImageLoad              | Image loaded                                                                                                                                                       |
| **8**  | CreateRemoteThread     | CreateRemoteThread detected                                                                                                                                        |
| **9**  | RawAccessRead          | RawAccessRead detected                                                                                                                                             |
| **10** | ProcessAccess          | Process accessed                                                                                                                                                   |
| **11** | FileCreate             | File created                                                                                                                                                       |
| **12** | RegistryEvent          | Registry object added or deleted                                                                                                                                   |
| **13** | RegistryEvent          | Registry value set                                                                                                                                                 |
| **14** | RegistryEvent          | Registry object renamed                                                                                                                                            |
| **15** | FileCreateStreamHash   | File stream created. *Capturing browser downloads that are based on the browser attaching a Zone.Identifier "mark of the web" stream*                              |
| **16** | n/a                    | Sysmon configuration change (cannot be filtered)                                                                                                                   |
| **17** | PipeEvent              | Named pipe created                                                                                                                                                 |
| **18** | PipeEvent              | Named pipe connected                                                                                                                                               |
| **19** | WmiEvent               | WMI filter                                                                                                                                                         |
| **20** | WmiEvent               | WMI consumer                                                                                                                                                       |
| **21** | WmiEvent               | WMI consumer filter                                                                                                                                                |
| **22** | DNSQuery               | DNS query                                                                                                                                                          |
| **23** | FileDelete             | File Delete archived                                                                                                                                               |
| **24** | ClipboardChange        | New content in the clipboard                                                                                                                                       |
| **25** | ProcessTampering       | Process image change                                                                                                                                               |
| **26** | FileDeleteDetected     | File Delete logged                                                                                                                                                 |
| **27** | FileBlockExecutable    | File Block Executable                                                                                                                                              |
| **28** | FileBlockShredding     | File Block Shredding                                                                                                                                               |
| **29** | FileExecutableDetected | File Executable Detected                                                                                                                                           |

***

### "condition" types and features

| **Condition**      | **Description**                                                                                                         |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------- |
| **is**             | Default; values are equal                                                                                               |
| **is any**         | The field is one of the `;` delimited values                                                                            |
| **is not**         | Values are different                                                                                                    |
| **contains**       | The field contains this value                                                                                           |
| **contains any**   | The field contains any of the `;` delimited values                                                                      |
| **contains all**   | The field contains all of the `;` delimited values                                                                      |
| **excludes**       | The field does not contain this value                                                                                   |
| **excludes any**   | The field does not contain one or more of the `;` delimited values                                                      |
| **excludes all**   | The field does not contain any of the `;` delimited values                                                              |
| **begin with**     | The field begins with this value                                                                                        |
| **end with**       | The field ends with this value                                                                                          |
| **not begin with** | The field does not begin with this value                                                                                |
| **not end with**   | The field does not end with this value                                                                                  |
| **less than**      | Lexicographical comparison is less than zero                                                                            |
| **more than**      | Lexicographical comparison is more than zero                                                                            |
| **image**          | Match an image path (full path or only image name). For example: `lsass.exe` will match `c:\windows\system32\lsass.exe` |
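As an added example (not from the page and not Sysmon's own code) tying the configuration layout described at the top of the page to the condition table above, this Python script parses a constructed Sysmon XML config, implements every condition in the table with Sysmon's case-insensitive matching, and decides whether a constructed sample event would be logged. The config contents, schema version and sample events are assumptions; the precedence it models (exclude wins over include, and an exclude-only block logs everything else for that event type) is Sysmon's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon config (not from the page): sha256+imphash, OR-ed ProcessCreate include
# rules, a ProcessCreate exclude, and an exclude-only NetworkConnect block (logs all but loopback).
SYSMON_CONFIG = r"""<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <CommandLine condition="contains any">-enc;-EncodedCommand;DownloadString</CommandLine>
      </ProcessCreate>
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Program Files\Vendor\updater.exe</Image>
      </ProcessCreate>
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is any">127.0.0.1;::1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def matches(cond: str, field: str, value: str) -> bool:
    """Evaluate one condition from the table; Sysmon compares case-insensitively."""
    f, v = field.casefold(), value.casefold()
    parts = v.split(";")
    return {
        "is": f == v, "is not": f != v, "is any": f in parts,
        "contains": v in f, "excludes": v not in f,
        "contains any": any(p in f for p in parts), "contains all": all(p in f for p in parts),
        "excludes any": any(p not in f for p in parts), "excludes all": all(p not in f for p in parts),
        "begin with": f.startswith(v), "not begin with": not f.startswith(v),
        "end with": f.endswith(v), "not end with": not f.endswith(v),
        "less than": f < v, "more than": f > v,
        "image": f == v if "\\" in v else f.rsplit("\\", 1)[-1] == v,  # bare name = file name only
    }[cond]

def would_log(config_xml: str, event_type: str, event: dict) -> bool:
    """Exclude wins over include; exclude-only types log everything else (per-type defaults not modelled)."""
    include_seen = included = False
    for block in ET.fromstring(config_xml).iter(event_type):
        hit = any(matches(el.get("condition", "is"), event.get(el.tag, ""), el.text or "") for el in block)
        if block.get("onmatch") == "exclude" and hit:
            return False
        if block.get("onmatch") == "include":
            include_seen, included = True, included or hit
    return included if include_seen else True

# Constructed sample event: PowerShell launched with an encoded command (field names as in Sysmon).
ENCODED_PS = {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"}
```

`would_log(SYSMON_CONFIG, "ProcessCreate", ENCODED_PS)` returns True because the `image` rule matches on the bare file name, while the vendor updater is dropped by the exclude block even though its command line would hit the include rules.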
