<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">CallTrace</span>
<span class="pill kill-chain">Channel</span>
<span class="pill kill-chain">Computer</span>
<span class="pill kill-chain">EventChannel</span>
<span class="pill kill-chain">EventCode</span>
<span class="pill kill-chain">EventData_Xml</span>
<span class="pill kill-chain">EventDescription</span>
<span class="pill kill-chain">EventID</span>
<span class="pill kill-chain">EventRecordID</span>
<span class="pill kill-chain">GrantedAccess</span>
<span class="pill kill-chain">Guid</span>
<span class="pill kill-chain">Keywords</span>
<span class="pill kill-chain">Level</span>
<span class="pill kill-chain">Name</span>
<span class="pill kill-chain">Opcode</span>
<span class="pill kill-chain">ProcessID</span>
<span class="pill kill-chain">RecordID</span>
<span class="pill kill-chain">RecordNumber</span>
<span class="pill kill-chain">RuleName</span>
<span class="pill kill-chain">SecurityID</span>
<span class="pill kill-chain">SourceImage</span>
<span class="pill kill-chain">SourceProcessGUID</span>
<span class="pill kill-chain">SourceProcessId</span>
<span class="pill kill-chain">SourceThreadId</span>
<span class="pill kill-chain">SystemTime</span>
<span class="pill kill-chain">System_Props_Xml</span>
<span class="pill kill-chain">TargetImage</span>
<span class="pill kill-chain">TargetProcessGUID</span>
<span class="pill kill-chain">TargetProcessId</span>
<span class="pill kill-chain">Task</span>
<span class="pill kill-chain">ThreadID</span>
<span class="pill kill-chain">TimeCreated</span>
<span class="pill kill-chain">UserID</span>
<span class="pill kill-chain">UtcTime</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">dvc_nt_host</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">granted_access</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">os</span>
<span class="pill kill-chain">parent_process_exec</span>
<span class="pill kill-chain">parent_process_guid</span>
<span class="pill kill-chain">parent_process_id</span>
<span class="pill kill-chain">parent_process_name</span>
<span class="pill kill-chain">parent_process_path</span>
<span class="pill kill-chain">process_exec</span>
<span class="pill kill-chain">process_guid</span>
<span class="pill kill-chain">process_id</span>
<span class="pill kill-chain">process_name</span>
<span class="pill kill-chain">process_path</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Sysmon EventID 10
Description
Data source object for Sysmon EventID 10
Details
Property | Value |
---|---|
Source | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sourcetype | xmlwineventlog |
Separator | EventID |
Supported Apps
- Splunk Add-on for Sysmon (version 4.0.1)
Event Fields
Example Log
1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>10</EventID><Version>3</Version><Level>4</Level><Task>10</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-02-01T21:01:44.672666100Z'/><EventRecordID>150624412</EventRecordID><Correlation/><Execution ProcessID='2992' ThreadID='3220'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-128.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2022-02-01 21:01:44.670</Data><Data Name='SourceProcessGUID'>{3BF36828-9F6D-61F9-390A-02000000CF01}</Data><Data Name='SourceProcessId'>1272</Data><Data Name='SourceThreadId'>956</Data><Data Name='SourceImage'>C:\Tools\Rubeus.exe</Data><Data Name='TargetProcessGUID'>{3BF36828-4B37-61E8-0900-00000000CF01}</Data><Data Name='TargetProcessId'>572</Data><Data Name='TargetImage'>C:\Windows\system32\winlogon.exe</Data><Data Name='GrantedAccess'>0x1f3fff</Data><Data Name='CallTrace'>C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C)</Data></EventData></Event>
Source: GitHub | Version: 1