• Manufacturer: Microsoft Corporation
  • Version: 2.0
  • Website: https://technet.microsoft.com/en-us/sysinternals/sysmon

Description

Sysmon is a freely available program from Microsoft, provided as part of the Windows Sysinternals suite of tools. It runs in the background collecting system information and can record that information in the Windows Event Log.

Data Model Coverage

driver

  base_address fqdn hostname image_path md5_hash module_name sha1_hash sha256_hash signer
load    
unload                  

file

  company creation_time file_name file_path fqdn hostname image_path md5_hash pid ppid previous_creation_time sha1_hash sha256_hash signer user
create                              
delete                              
modify                              
read                              
timestomp                 :✓
write                              

flow

  content dest_fqdn dest_hostname dest_ip dest_port end_time exe flags fqdn hostname image_path packet_count pid ppid proto_info protocol src_fqdn src_hostname src_ip src_port start_time user
end                                            
message                                            
start                      

module

  base_address fqdn hostname image_path md5_hash module_name module_path pid sha1_hash sha256_hash signer tid
load        
unload                        

process

  command_line exe fqdn hostname image_path md5_hash parent_exe parent_image_path pid ppid sha1_hash sha256_hash sid signer user
create    
terminate                      

thread

  hostname src_pid src_tid stack_base stack_limit start_address start_function start_module start_module_name subprocess_tag tgt_pid tgt_tid user user_stack_base user_stack_limit
create                              
remote_create          
suspend                              
terminate                              

Analytic Coverage