Data Source: Sysmon EventID 3

Description

Logs details of network connections initiated by processes, including source and destination IPs, ports, protocols, and the associated process metadata.

Details

Property   | Value
-----------|----------------------------------------------------
Source     | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype | XmlWinEventLog
Separator  | EventID
Name | Technique | Type
-----|-----------|-----
Windows Potential Cloudflared Network Connection | Protocol Tunneling | Hunting
Outbound Network Connection from Java Using Default Ports | External Remote Services, Exploit Public-Facing Application | TTP
Network Traffic to Active Directory Web Services Protocol | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | Hunting
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
LOLBAS With Network Traffic | Ingress Tool Transfer, System Binary Proxy Execution, Exfiltration Over Web Service | TTP
Windows Mail Protocol In Non-Common Process Path | Mail Protocols | Anomaly
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Windows Network Connection From Program In Suspect Location | Exfiltration Over Other Network Medium | Anomaly
Detect Regsvcs with Network Connection | Regsvcs/Regasm | TTP
Windows WinLogon with Public Network Connection | Bootkit | Hunting
Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP
Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly
Detect Regasm with Network Connection | Regsvcs/Regasm | TTP
Windows Rundll32 WebDav With Network Connection | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Windows Detect Network Scanner Behavior | Scanning IP Blocks, Vulnerability Scanning | Anomaly
Windows Suspect Process With Authentication Traffic | Domain Account, Malicious File | Anomaly
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
Windows InstallUtil Remote Network Connection | InstallUtil | Anomaly
Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP
Windows Remote Desktop Network Bruteforce Attempt | Password Guessing | Anomaly

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • DestinationHostname
  • DestinationIp
  • DestinationIsIpv6
  • DestinationPort
  • DestinationPortName
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Initiated
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • Protocol
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SourceHostname
  • SourceIp
  • SourceIsIpv6
  • SourcePort
  • SourcePortName
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • TimeCreated
  • User
  • UserID
  • UtcTime
  • Version
  • action
  • app
  • creation_time
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dest_ip
  • dest_port
  • direction
  • dvc
  • dvc_ip
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • process_exec
  • process_guid
  • process_id
  • process_name
  • protocol
  • protocol_version
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • src
  • src_host
  • src_ip
  • src_port
  • state
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • transport
  • transport_dest_port
  • user
  • user_id
  • vendor_product
</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>3</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2022-09-15T12:56:22.958249300Z'/>
    <EventRecordID>156837</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2684' ThreadID='1380'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-ctus-attack-range-403.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2022-09-15 12:56:19.679</Data>
    <Data Name='ProcessGuid'>{6820D070-1F1B-6323-E113-000000007402}</Data>
    <Data Name='ProcessId'>5728</Data>
    <Data Name='Image'>C:\Temp\agent_tesla-deob.exe</Data>
    <Data Name='User'>ATTACKRANGE\Administrator</Data>
    <Data Name='Protocol'>tcp</Data>
    <Data Name='Initiated'>true</Data>
    <Data Name='SourceIsIpv6'>false</Data>
    <Data Name='SourceIp'>10.0.1.14</Data>
    <Data Name='SourceHostname'>win-dc-ctus-attack-range-403.attackrange.local</Data>
    <Data Name='SourcePort'>61722</Data>
    <Data Name='SourcePortName'>-</Data>
    <Data Name='DestinationIsIpv6'>false</Data>
    <Data Name='DestinationIp'>41.77.117.236</Data>
    <Data Name='DestinationHostname'>youssef5.genious.net</Data>
    <Data Name='DestinationPort'>21</Data>
    <Data Name='DestinationPortName'>ftp</Data>
  </EventData>
</Event>

Required Output Fields

  • action
  • app
  • dest
  • dest_ip
  • dest_port
  • direction
  • dvc
  • protocol
  • protocol_version
  • src
  • src_ip
  • src_port
  • transport
  • user
  • vendor_product
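As an added example (not code from the Splunk security content project or its add-on), the Python below parses a Sysmon EventID 3 event like the example log above into the required output fields listed here, dropping Sysmon's "-" placeholder for empty values. The mapping rules (action, protocol, vendor_product, and direction derived from Initiated) are this example's own assumptions modelled on the CIM Network Traffic data model, not the add-on's actual props and transforms.

```python
# Added example: Sysmon EventID 3 XML -> CIM-style required output fields.
# The mapping below is an assumption, not the Splunk add-on's own props/transforms.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, trimmed to the fields the mapping needs, with the same
# values as the page's example log.
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><EventID>3</EventID><Computer>win-dc-ctus-attack-range-403.attackrange.local</Computer></System>
<EventData><Data Name='RuleName'>-</Data><Data Name='Image'>C:\Temp\agent_tesla-deob.exe</Data>
<Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='Protocol'>tcp</Data>
<Data Name='Initiated'>true</Data><Data Name='SourceIsIpv6'>false</Data>
<Data Name='SourceIp'>10.0.1.14</Data><Data Name='SourcePort'>61722</Data>
<Data Name='SourceHostname'>win-dc-ctus-attack-range-403.attackrange.local</Data>
<Data Name='SourcePortName'>-</Data><Data Name='DestinationIsIpv6'>false</Data>
<Data Name='DestinationIp'>41.77.117.236</Data><Data Name='DestinationPort'>21</Data>
<Data Name='DestinationHostname'>youssef5.genious.net</Data>
</EventData></Event>"""


def to_cim(event_xml: str) -> dict:
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "3":
        raise ValueError("not a Sysmon EventID 3 (NetworkConnect) event")
    # Sysmon writes '-' for empty values (see RuleName/SourcePortName); drop them
    # so that fallbacks like "hostname or ip" below work.
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)
            if d.text not in (None, "-")}
    outbound = data.get("Initiated", "").lower() == "true"
    return {
        "action": "allowed",  # assumption: Sysmon only records connections that occurred
        "app": data.get("Image"),
        "dest": data.get("DestinationHostname") or data.get("DestinationIp"),
        "dest_ip": data.get("DestinationIp"),
        "dest_port": int(data["DestinationPort"]),
        "direction": "outbound" if outbound else "inbound",  # Initiated=true => outbound
        "dvc": system.findtext("e:Computer", namespaces=NS),
        "protocol": "ip",  # assumption: CIM 'protocol' is the network layer
        "protocol_version": "ipv6" if data.get("DestinationIsIpv6") == "true" else "ipv4",
        "src": data.get("SourceHostname") or data.get("SourceIp"),
        "src_ip": data.get("SourceIp"),
        "src_port": int(data["SourcePort"]),
        "transport": data.get("Protocol"),  # tcp/udp from Sysmon's Protocol field
        "user": data.get("User"),
        "vendor_product": "Microsoft Sysmon",  # assumption
    }
```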


Source: GitHub | Version: 4