Data Source: Sysmon EventID 26

Description

Data source object for Sysmon EventID 26, FileDeleteDetected ("File Delete logged"). Sysmon raises this event when a file is deleted and the deletion is recorded but the file itself is not archived; EventID 23 (FileDelete) is the archiving variant. Both carry the same process, user, target file and hash fields, so detections that only need to know that a delete happened consume EventID 26.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype  XmlWinEventLog
Separator   EventID

Name                                                    Technique              Type
Excessive File Deletion In WinDefender Folder           Data Destruction       TTP
Windows ConsoleHost History File Deletion               Clear Command History  Anomaly
Windows Data Destruction Recursive Exec Files Deletion  Data Destruction       TTP
Windows Default Rdp File Deletion                       File Deletion          Anomaly
Windows High File Deletion Frequency                    Data Destruction       Anomaly
Windows Rdp AutomaticDestinations Deletion              File Deletion          Anomaly
Windows RDP Cache File Deletion                         File Deletion          Anomaly

Supported Apps

Event Fields

  • _time

Required Output Fields

  • action

  • dest

  • dvc

  • file_path

  • file_hash

  • file_name

  • file_modify_time

  • process_exec

  • process_guid

  • process_id

  • process_name

  • process_path

  • signature

  • signature_id

  • user

  • user_id

  • vendor_product
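
The list above names the normalized fields a detection expects, but not how a raw EventID 26 record becomes them. The following is an added example written for this page, not code from Splunk Security Content or from Sysinternals: it parses XmlWinEventLog-shaped Sysmon events, keeps only EventID 26, maps the Sysmon data items (Image, TargetFilename, Hashes, ProcessGuid, ProcessId, User, UtcTime, Computer) onto the required output fields, and then runs a simple per-process deletion count in the spirit of the "Windows High File Deletion Frequency" detection. The exact field mapping, the constant values chosen for action, signature and vendor_product, the sample events and the threshold are assumptions made for the illustration, not the add-on's or the detection's actual definitions.

```python
"""Normalize Sysmon Event ID 26 (FileDeleteDetected) XML events to the required
output fields listed on this page, then run a simple high-frequency-deletion check.

Added example, not code from Splunk Security Content or Sysinternals. The field
mapping, the literal action/signature/vendor_product values, the sample events
and the threshold are assumptions made for this illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Optional

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _make_event(event_id, computer, utc, guid, pid, user, image, target, hashes):
    """Build a minimal XmlWinEventLog-shaped Sysmon event (constructed sample data)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>{event_id}</EventID>"
        f"<Computer>{computer}</Computer></System><EventData>"
        "<Data Name='RuleName'>-</Data>"
        f"<Data Name='UtcTime'>{utc}</Data><Data Name='ProcessGuid'>{guid}</Data>"
        f"<Data Name='ProcessId'>{pid}</Data><Data Name='User'>{user}</Data>"
        f"<Data Name='Image'>{image}</Data><Data Name='TargetFilename'>{target}</Data>"
        f"<Data Name='Hashes'>{hashes}</Data><Data Name='IsExecutable'>false</Data>"
        "</EventData></Event>"
    )


CMD = r"C:\Windows\System32\cmd.exe"
GUID_A = "{a1b2c3d4-0000-0000-0000-000000000001}"
HASHES = "SHA1=" + "1" * 40 + ",MD5=" + "2" * 32 + ",SHA256=" + "3" * 64

# Constructed sample batch: five deletions by one cmd.exe, one by explorer.exe,
# and one Event ID 23 (FileDelete, archived) that the parser must ignore.
SAMPLE_EVENTS = [
    _make_event(26, "WS01", f"2024-05-01 10:00:0{i}.000", GUID_A, 4242, r"CORP\alice",
                CMD, rf"C:\Users\alice\Documents\report{i}.docx", HASHES)
    for i in range(1, 6)
] + [
    _make_event(26, "WS01", "2024-05-01 10:01:00.000", "{a1b2c3d4-0000-0000-0000-000000000002}",
                5150, r"CORP\alice", r"C:\Windows\explorer.exe", r"C:\Users\alice\Desktop\old.txt", HASHES),
    _make_event(23, "WS01", "2024-05-01 10:01:01.000", GUID_A, 4242, r"CORP\alice",
                CMD, r"C:\Users\alice\Documents\archived.docx", HASHES),
]


def parse_sysmon_26(xml_text: str) -> Optional[dict]:
    """Return the page's required output fields for an Event ID 26 record, else None."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    if system is None or system.findtext(f"{NS}EventID") != "26":
        return None
    computer = system.findtext(f"{NS}Computer")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    image, target = data.get("Image", ""), data.get("TargetFilename", "")
    # Hashes is "SHA1=..,MD5=..,SHA256=.."; prefer SHA256, fall back to the first one present.
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return {
        "action": "deleted",                       # assumed constant for a delete event
        "dest": computer,
        "dvc": computer,                           # Sysmon reports about the host it runs on
        "file_path": target,
        "file_name": target.rsplit("\\", 1)[-1],
        "file_hash": hashes.get("SHA256") or next(iter(hashes.values()), None),
        "file_modify_time": data.get("UtcTime"),   # assumption: the UtcTime of the delete
        "process_exec": image.rsplit("\\", 1)[-1],
        "process_guid": data.get("ProcessGuid"),
        "process_id": int(data["ProcessId"]) if data.get("ProcessId", "").isdigit() else None,
        "process_name": image.rsplit("\\", 1)[-1],
        "process_path": image,
        "signature": "File Delete logged",         # Sysmon's description of Event ID 26
        "signature_id": 26,
        "user": data.get("User"),
        "user_id": None,                           # Event 26 carries no SID or logon id
        "vendor_product": "Microsoft Sysmon",
    }


def normalize(events):
    """Parse a batch, dropping anything that is not Event ID 26."""
    return [r for r in map(parse_sysmon_26, events) if r is not None]


def high_deletion_frequency(records, threshold):
    """Flag (dest, process_guid, process_path) that deleted >= threshold files in the
    batch. Production detections bucket by time; this counts over the batch given."""
    counts = Counter((r["dest"], r["process_guid"], r["process_path"]) for r in records)
    return sorted((key, n) for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = normalize(SAMPLE_EVENTS)
    print(f"{len(recs)} Event ID 26 records normalized")
    for key, n in high_deletion_frequency(recs, threshold=5):  # threshold is an assumption
        print(f"high deletion frequency: {key} deleted {n} files")
```

Two caveats the mapping makes visible: user_id has no direct source in EventID 26 (the event carries only the DOMAIN\user string), so any detection keyed on it needs enrichment from another event; and file_hash is only meaningful when Sysmon's configured hash algorithms include the one the detection compares against, since the Hashes item lists whatever the agent was told to compute.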


Source: GitHub | Version: 2