Data Source: Sysmon for Linux EventID 11

Description

Logs the creation of a new file on a Linux system, including details about the file path, file type, and associated process.

Details

Property | Value
--- | ---
Source | Syslog:Linux-Sysmon/Operational
Sourcetype | sysmon:linux
Separator | EventID
Name | Technique | Type
--- | --- | ---
Java Writing JSP File | External Remote Services, Exploit Public-Facing Application | TTP
Linux Account Manipulation Of SSH Config and Keys | File Deletion, Data Destruction | Anomaly
Linux Service File Created In Systemd Directory | Systemd Timers | Anomaly
Linux Doas Conf File Creation | Sudo and Sudo Caching | Anomaly
Linux Deletion Of Cron Jobs | File Deletion, Data Destruction | Anomaly
Linux File Creation In Init Boot Directory | RC Scripts | Anomaly
Linux Deletion Of Services | File Deletion, Data Destruction | TTP
Linux Deletion of SSL Certificate | File Deletion, Data Destruction | Anomaly
Linux Sudoers Tmp File Creation | Sudo and Sudo Caching | Anomaly
Linux Deletion Of Init Daemon Script | File Deletion, Data Destruction | TTP
Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions | Anomaly
Linux File Creation In Profile Directory | Unix Shell Configuration Modification | Anomaly
Linux Add Files In Known Crontab Directories | Cron | Anomaly
GitHub Workflow File Creation or Modification | Supply Chain Compromise, Compromise Host Software Binary, Dynamic Linker Hijacking | Hunting
Linux High Frequency Of File Deletion In Etc Folder | File Deletion, Data Destruction | Anomaly
Linux At Allow Config File Creation | Cron | Anomaly
Linux High Frequency Of File Deletion In Boot Folder | File Deletion, Data Destruction | TTP
Shai-Hulud 2 Exfiltration Artifact Files | Local Data Staging, Compromise Software Supply Chain, Credentials In Files | TTP
Shai-Hulud Workflow File Creation or Modification | Supply Chain Compromise, Compromise Host Software Binary, Dynamic Linker Hijacking | TTP
Linux Medusa Rootkit | Rootkit, Credentials | TTP
Linux Possible Ssh Key File Creation | SSH Authorized Keys | Anomaly

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • CreationUtcTime
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • RecordID
  • RuleName
  • SystemTime
  • System_Props_Xml
  • TargetFilename
  • Task
  • ThreadID
  • User
  • UserId
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • eventtype
  • file_create_time
  • file_name
  • file_path
  • host
  • index
  • linecount
  • object_category
  • process_exec
  • process_guid
  • process_id
  • process_name
  • process_path
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • tag::object_category
  • timeendpos
  • timestartpos
  • user
  • vendor_product

Example Log

<Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-12-20T16:07:17.927963000Z"/><EventRecordID>792913</EventRecordID><Correlation/><Execution ProcessID="4372" ThreadID="4372"/><Channel>Linux-Sysmon/Operational</Channel><Computer>sysmonlinux-tcontreras-attack-range-4134</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-12-20 16:07:17.929</Data><Data Name="ProcessGuid">{ec2c97d1-6aa9-61c0-3038-618238560000}</Data><Data Name="ProcessId">5256</Data><Data Name="Image">/opt/splunkforwarder/bin/splunkd</Data><Data Name="TargetFilename">/opt/splunkforwarder/var/lib/splunk/modinputs/journald/sysmon.checkpoint.tmp.dbed9d351dcc1806</Data><Data Name="CreationUtcTime">2021-12-20 16:07:17.929</Data><Data Name="User">root</Data></EventData></Event>

Required Output Fields

  • action

  • dest

  • file_access_time

  • file_create_time

  • file_hash

  • file_modify_time

  • file_name

  • file_path

  • file_acl

  • file_size

  • process_guid

  • process_id

  • user

  • vendor_product
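The following is an added example, not Splunk's own props/transforms for this sourcetype: it parses the Example Log above and maps it onto the Required Output Fields, showing which of them a Sysmon for Linux EventID 11 record can actually populate. The field mapping, the `action` value and the `vendor_product` label are assumptions.

```python
# Added example, not Splunk's own props/transforms: map one Sysmon for Linux EventID 11 record
# onto the Required Output Fields above. The field mapping and vendor_product are assumptions;
# SAMPLE_EVENT is the page's Example Log, split across lines only for width.
import posixpath
import xml.etree.ElementTree as ET

SAMPLE_EVENT = (
    '<Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>'
    '<EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode>'
    '<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-12-20T16:07:17.927963000Z"/>'
    '<EventRecordID>792913</EventRecordID><Correlation/><Execution ProcessID="4372" ThreadID="4372"/>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>sysmonlinux-tcontreras-attack-range-4134</Computer>'
    '<Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data>'
    '<Data Name="UtcTime">2021-12-20 16:07:17.929</Data>'
    '<Data Name="ProcessGuid">{ec2c97d1-6aa9-61c0-3038-618238560000}</Data>'
    '<Data Name="ProcessId">5256</Data><Data Name="Image">/opt/splunkforwarder/bin/splunkd</Data>'
    '<Data Name="TargetFilename">/opt/splunkforwarder/var/lib/splunk/modinputs/journald/'
    'sysmon.checkpoint.tmp.dbed9d351dcc1806</Data>'
    '<Data Name="CreationUtcTime">2021-12-20 16:07:17.929</Data><Data Name="User">root</Data>'
    '</EventData></Event>'
)

REQUIRED_FIELDS = ("action", "dest", "file_access_time", "file_create_time", "file_hash",
                   "file_modify_time", "file_name", "file_path", "file_acl", "file_size",
                   "process_guid", "process_id", "user", "vendor_product")

def parse_event(xml_text):
    """Flatten <System> and <EventData> into one dict keyed by Sysmon field name."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.findtext("System/EventID")), "Computer": root.findtext("System/Computer")}
    for d in root.find("EventData").findall("Data"):
        fields[d.get("Name")] = d.text or ""
    return fields

def to_cim(xml_text):
    """Map a FileCreate event onto the output fields; ones the event cannot supply stay None."""
    ev = parse_event(xml_text)
    if ev["EventID"] != 11:
        raise ValueError(f"expected EventID 11, got {ev['EventID']}")
    target = ev["TargetFilename"]
    cim = {"action": "created",  # EventID 11 only ever records a creation
           "dest": ev["Computer"], "file_create_time": ev["CreationUtcTime"],
           "file_name": posixpath.basename(target), "file_path": target,
           "process_guid": ev["ProcessGuid"], "process_id": int(ev["ProcessId"]),
           "user": ev["User"], "vendor_product": "Microsoft Sysmon for Linux"}  # assumed label
    # Sysmon FileCreate carries no hash, size, ACL or access/modify timestamps.
    return {f: cim.get(f) for f in REQUIRED_FIELDS}

def missing_required(xml_text):
    # Required fields this event leaves empty; detections that need them must use another source.
    return sorted(f for f, v in to_cim(xml_text).items() if v is None)
```

Running `missing_required(SAMPLE_EVENT)` lists the five required fields (hash, size, ACL, access and modify times) that this data source never fills, which is the first thing to check before pointing a file-hash based detection at it.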


Source: GitHub | Version: 3