  • Manufacturer: Microsoft
  • Version: 11.0
  • Website: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Description

Sysmon is a freely available program from Microsoft, provided as part of the Windows Sysinternals suite of tools. Running in the background, it collects information about system activity and can record it in the Windows Event Log.

Data Model Coverage

thread

  hostname src_pid src_tid stack_base stack_limit start_address start_function start_module start_module_name tgt_pid tgt_tid user user_stack_base user_stack_limit
create              
remote_create              
suspend                            
terminate                            

registry

  data fqdn hive hostname image_path key pid type user value
add        
edit        
remove        

file

  company creation_time file_name file_path fqdn hostname image_path md5_hash pid ppid previous_creation_time sha1_hash sha256_hash signer user
create                    
delete              
modify                              
read                              
timestomp                  
write                              

driver

  base_address fqdn hostname image_path md5_hash module_name sha1_hash sha256_hash signer
load      
unload                  

module

  base_address fqdn hostname image_path md5_hash module_name module_path pid sha1_hash sha256_hash signer signer
load        
unload                        

flow

  content dest_fqdn dest_hostname dest_ip dest_port end_time exe flags fqdn hostname image_path packet_count pid ppid proto_info protocol src_fqdn src_hostname src_ip src_port start_time user
end                                            
message                                            
start                    

process

  command_line current_working_directory env_vars exe fqdn hostname image_path integrity_level md5_hash parent_command_line parent_exe parent_image_path pid ppid sha1_hash sha256_hash sid signer user
create          
terminate                                

Analytic Coverage