box.win_sysmon
Introduction
The tags beginning with box.win_sysmon identify events generated by Sysmon (System Monitor), the Windows Sysinternals service that records process creation, network connections, file and registry changes, DNS queries and similar host activity to the Windows event log.
Valid tags and data tables
The full tag has exactly two levels and is fixed as box.win_sysmon. This is the valid tag and the data table that receives the parser's data:

Product / Service | Tags | Data tables |
---|---|---|
Windows System Monitor (Sysmon) | box.win_sysmon | box.win_sysmon |

For more information, see About Devo tags.
Table structure
These are the fields displayed in this table:
box.win_sysmon
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
Machine | | | |
Datetime | | | |
EventID | | | |
SourceName | | | |
Authority | | | |
LogLevel | | | |
SourceURL | | | |
Event | | | |
Rule | | | |
RuleName | | | |
UtcTime | | | |
ProcessGuid | | | |
ProcessId | | | |
Image | | | |
FileVersion | | | |
Description | | | |
Product | | | |
Company | | | |
OriginalFileName | | | |
CommandLine | | | |
CurrentDirectory | | | |
User | | | |
LogonGuid | | | |
LogonId | | | |
TerminalSessionId | | | |
IntegrityLevel | | | |
Hashes | | | |
ParentProcessGuid | | | |
ParentProcessId | | | |
ParentImage | | | |
ParentCommandLine | | | |
TargetFilename | | | |
CreationUtcTime | | | |
EventType | | | |
TargetObject | | | |
Details | | | |
Protocol | | | |
Initiated | | | |
SourceIsIpv6 | | | |
SourceIp | | | |
SourceHostname | | | |
SourcePort | | | |
SourcePortName | | | |
DestinationIsIpv6 | | | |
DestinationIp | | | |
DestinationHostname | | | |
DestinationPort | | | |
DestinationPortName | | | |
QueryName | | | |
QueryStatus | | | |
QueryResults | | | |
message | | rawMessage | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |
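The table above is the union of the EventData fields Sysmon emits across its event types: a Process Create event (ID 1) fills Image, CommandLine, Hashes and the Parent* columns, a DNS query (ID 22) fills QueryName, QueryStatus and QueryResults, and columns the event does not emit stay empty. The following is an added example, not Devo's or Sysmon's own code, showing how raw Sysmon events from the Windows event log XML land in rows keyed by these field names and how two of them are then used in practice: parsing the Hashes string, flagging an Office application spawning a shell, and joining ID 22 to ID 1 on ProcessGuid. The mapping of the XML System header onto EventID, Machine, Datetime and rawMessage is my assumption; the EventData Name attributes already coincide with the table's column names. Both sample events are constructed, with placeholder hashes and GUIDs.

```python
# Added example (not Devo's or Sysmon's code): parse raw Sysmon event XML into
# rows keyed by the box.win_sysmon field names. Assumed: the System header maps
# onto EventID/Machine/Datetime/rawMessage; EventData names are the columns.
# Both sample events are constructed, with placeholder hashes and GUIDs.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Event ID 1 (Process Create): WINWORD.EXE launching cmd.exe.
SAMPLE_PROCESS_CREATE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1</EventID>
    <Computer>ws01.example.local</Computer>
    <TimeCreated SystemTime="2024-05-02T10:15:30.123Z"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-05-02 10:15:30.123</Data>
    <Data Name="ProcessGuid">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c powershell -enc QQBCAEMA</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="IntegrityLevel">Medium</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" invoice.docm</Data>
  </EventData>
</Event>"""

# Constructed Event ID 22 (DNS query) from the same process. Its EventData set
# differs from ID 1, which is why the table holds the union of all fields.
SAMPLE_DNS_QUERY = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>22</EventID>
    <Computer>ws01.example.local</Computer>
    <TimeCreated SystemTime="2024-05-02T10:15:31.000Z"/>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-05-02 10:15:31.000</Data>
    <Data Name="ProcessGuid">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="QueryName">updates.example.invalid</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:203.0.113.10;</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return one row: System header fields plus every EventData value."""
    # ElementTree does not fetch external entities but does expand internal
    # ones; feed untrusted XML through defusedxml in production.
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    row = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Machine": system.findtext("e:Computer", namespaces=NS),
        "Datetime": system.find("e:TimeCreated", NS).get("SystemTime"),
        "rawMessage": xml_text,
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        row[data.get("Name")] = data.text or ""
    return row


def parse_hashes(hashes):
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes string into {ALG: hex}."""
    out = {}
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg and value:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}


def office_spawned_shell(row):
    """Event ID 1 whose ParentImage is an Office app and Image a shell/script host."""
    return (row.get("EventID") == 1
            and _basename(row.get("ParentImage", "")) in OFFICE_PARENTS
            and _basename(row.get("Image", "")) in SHELL_CHILDREN)


def correlate_dns(rows):
    """Join Event ID 22 to Event ID 1 on ProcessGuid (stable, unlike ProcessId)."""
    by_guid = {r["ProcessGuid"]: r for r in rows if r.get("EventID") == 1}
    return [(by_guid[r["ProcessGuid"]]["Image"], r["QueryName"])
            for r in rows
            if r.get("EventID") == 22 and r.get("ProcessGuid") in by_guid]


if __name__ == "__main__":
    rows = [parse_event(x) for x in (SAMPLE_PROCESS_CREATE, SAMPLE_DNS_QUERY)]
    print("office->shell:", office_spawned_shell(rows[0]))
    print("hashes:", parse_hashes(rows[0]["Hashes"]))
    print("dns by image:", correlate_dns(rows))
```

The join uses ProcessGuid rather than ProcessId because Windows reuses PIDs; Sysmon adds the GUID precisely so that events from the same process instance can be correlated after the fact, and the same key works across the table's process, network, file, registry and DNS rows.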