Data Source: Sysmon EventID 3

Description

Logs details of network connections initiated by processes, including source and destination IPs, ports, protocols, and the associated process metadata.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype  XmlWinEventLog
Separator   EventID
Name | Technique | Type
Detect Regasm with Network Connection | Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | Regsvcs/Regasm | TTP
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP
Network Traffic to Active Directory Web Services Protocol | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | Hunting
Outbound Network Connection from Java Using Default Ports | Exploit Public-Facing Application, External Remote Services | TTP
Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP
Windows Detect Network Scanner Behavior | Scanning IP Blocks, Vulnerability Scanning | Anomaly
Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
Windows InstallUtil Remote Network Connection | InstallUtil | Anomaly
Windows Mail Protocol In Non-Common Process Path | Mail Protocols | Anomaly
Windows Rundll32 WebDav With Network Connection | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Windows Suspect Process With Authentication Traffic | Domain Account, Malicious File | Anomaly
Windows WinLogon with Public Network Connection | Bootkit | Hunting
Windows Remote Desktop Network Bruteforce Attempt | Password Guessing | Anomaly

Supported Apps

Event Fields

Fields

  • _time
  • Channel
  • Computer
  • DestinationHostname
  • DestinationIp
  • DestinationIsIpv6
  • DestinationPort
  • DestinationPortName
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Initiated
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • Protocol
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SourceHostname
  • SourceIp
  • SourceIsIpv6
  • SourcePort
  • SourcePortName
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • TimeCreated
  • User
  • UserID
  • UtcTime
  • Version
  • action
  • app
  • creation_time
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dest_ip
  • dest_port
  • direction
  • dvc
  • dvc_ip
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • process_exec
  • process_guid
  • process_id
  • process_name
  • protocol
  • protocol_version
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • src
  • src_host
  • src_ip
  • src_port
  • state
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • transport
  • transport_dest_port
  • user
  • user_id
  • vendor_product

</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-09-15T12:56:22.958249300Z'/><EventRecordID>156837</EventRecordID><Correlation/><Execution ProcessID='2684' ThreadID='1380'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-ctus-attack-range-403.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2022-09-15 12:56:19.679</Data><Data Name='ProcessGuid'>{6820D070-1F1B-6323-E113-000000007402}</Data><Data Name='ProcessId'>5728</Data><Data Name='Image'>C:\Temp\agent_tesla-deob.exe</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='Protocol'>tcp</Data><Data Name='Initiated'>true</Data><Data Name='SourceIsIpv6'>false</Data><Data Name='SourceIp'>10.0.1.14</Data><Data Name='SourceHostname'>win-dc-ctus-attack-range-403.attackrange.local</Data><Data Name='SourcePort'>61722</Data><Data Name='SourcePortName'>-</Data><Data Name='DestinationIsIpv6'>false</Data><Data Name='DestinationIp'>41.77.117.236</Data><Data Name='DestinationHostname'>youssef5.genious.net</Data><Data Name='DestinationPort'>21</Data><Data Name='DestinationPortName'>ftp</Data></EventData></Event>

Required Output Fields

  • action
  • app
  • dest
  • dest_ip
  • dest_port
  • direction
  • dvc
  • protocol
  • protocol_version
  • src
  • src_ip
  • src_port
  • transport
  • user
  • vendor_product
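How the Example Log above becomes the Required Output Fields, as an added example that is not part of this page or of the Splunk add-on it describes: a small Python parser for the Sysmon EventID 3 XML, followed by a CIM-style mapping onto the fifteen required fields. The field mapping, the constant values chosen for `action` and `vendor_product`, and the `ftp_from_uncommon_path` check (a deliberately simplified reading of the "Windows File Transfer Protocol In Non-Common Process Path" entry in the table above) are assumptions for illustration, not the add-on's own transforms or the detection's actual search.

```python
"""Parse a Sysmon EventID 3 (network connection) record and normalize it.

Added example. The CIM mapping in to_cim() and the check in
ftp_from_uncommon_path() are assumptions for illustration; they are not the
Splunk add-on's transforms or the published detection logic.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Fields the page lists under "Required Output Fields".
REQUIRED_OUTPUT_FIELDS = (
    "action", "app", "dest", "dest_ip", "dest_port", "direction", "dvc",
    "protocol", "protocol_version", "src", "src_ip", "src_port", "transport",
    "user", "vendor_product",
)

# The page's example log, embedded (raw string: the Image path has backslashes).
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-09-15T12:56:22.958249300Z'/><EventRecordID>156837</EventRecordID><Correlation/><Execution ProcessID='2684' ThreadID='1380'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-ctus-attack-range-403.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2022-09-15 12:56:19.679</Data><Data Name='ProcessGuid'>{6820D070-1F1B-6323-E113-000000007402}</Data><Data Name='ProcessId'>5728</Data><Data Name='Image'>C:\Temp\agent_tesla-deob.exe</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='Protocol'>tcp</Data><Data Name='Initiated'>true</Data><Data Name='SourceIsIpv6'>false</Data><Data Name='SourceIp'>10.0.1.14</Data><Data Name='SourceHostname'>win-dc-ctus-attack-range-403.attackrange.local</Data><Data Name='SourcePort'>61722</Data><Data Name='SourcePortName'>-</Data><Data Name='DestinationIsIpv6'>false</Data><Data Name='DestinationIp'>41.77.117.236</Data><Data Name='DestinationHostname'>youssef5.genious.net</Data><Data Name='DestinationPort'>21</Data><Data Name='DestinationPortName'>ftp</Data></EventData></Event>"""


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event: System header fields plus every EventData/Data item."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for item in root.find("e:EventData", NS).findall("e:Data", NS):
        event[item.get("Name")] = item.text
    return event


def to_cim(event):
    """Map a parsed EventID 3 record onto the required output fields (assumed mapping)."""
    if event["EventID"] != 3:
        raise ValueError("expected Sysmon EventID 3, got %r" % event["EventID"])
    outbound = (event.get("Initiated") or "").lower() == "true"
    ipv6 = (event.get("DestinationIsIpv6") or "").lower() == "true"
    return {
        "action": "allowed",  # assumption: Sysmon only records connections that happened
        "app": event["Image"],
        "dest": event.get("DestinationHostname") or event["DestinationIp"],
        "dest_ip": event["DestinationIp"],
        "dest_port": int(event["DestinationPort"]),
        "direction": "outbound" if outbound else "inbound",
        "dvc": event["Computer"],
        "protocol": "ip",
        "protocol_version": "ipv6" if ipv6 else "ipv4",
        "src": event.get("SourceHostname") or event["SourceIp"],
        "src_ip": event["SourceIp"],
        "src_port": int(event["SourcePort"]),
        "transport": event["Protocol"].lower(),
        "user": event["User"],
        "vendor_product": "Microsoft Sysmon",  # assumed constant
    }


# Directories where FTP-capable Windows binaries normally live (assumed list).
COMMON_PROCESS_DIRS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
)


def ftp_from_uncommon_path(cim):
    """Simplified check: TCP/21 traffic from an image outside the common directories."""
    image = cim["app"].lower()
    return (
        cim["transport"] == "tcp"
        and cim["dest_port"] == 21
        and not image.startswith(COMMON_PROCESS_DIRS)
    )


if __name__ == "__main__":
    record = to_cim(parse_sysmon_event(SAMPLE_EVENT))
    for name in REQUIRED_OUTPUT_FIELDS:
        print("%-17s %s" % (name, record[name]))
    print("ftp_from_uncommon_path:", ftp_from_uncommon_path(record))
```

Running the block prints the fifteen required fields for the sample event and flags it, because the image lives under C:\Temp and the destination is TCP/21. The same check over the same event with the image rewritten to a System32 path does not fire, which is the distinction the "non-common process path" detections rely on; in production the search operates on the normalized `dest_port`, `transport` and `app` fields rather than on the raw XML.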


Source: GitHub | Version: 3