Sysmon Events

System Monitor (Sysmon) is a Windows system service that monitors and logs system activity. It provides detailed information (events) about process creations, network connections, and changes to file creation time. Sysmon assigns specific event identifiers (IDs) to each activity it monitors. The F5 Distributed Cloud App Infrastructure Protection (AIP) Windows Agent ingests and allows for rule creation for the following Sysmon events:

Sysmon Process ID	Tag	Description
1	ProcessCreate	A process was created.
2	FileCreateTime	A process changed a file creation time
3	NetworkConnect	A network connection was established.
4	N/A	Sysmon service state changed. (This event cannot be filtered.)
5	ProcessTerminate	A process was terminated.
6	DriverLoad	A system driver was loaded.
7	ImageLoad	An image was loaded.
8	CreateRemoteThreat	A remote threat in another process was created.
9	RawAccessRead	A raw access read of a file was made.
10	ProcessAccess	A process accessed another process.
11	FileCreate	A file was created.
12	RegistryEvent	A registry object create and delete event was made.
13	RegistryEvent	A registry value was set.
13.10	FileDeleteDetected	A file was deleted.
14	RegistryEvent	A registry key and value pair was renamed.
15	FileCreateStreamHash	File create stream hash.
16	N/A	Sysmon configuration change. (This event cannot be filtered.)
17	PipeEvent	A named pipe was created.
18	PipeEvent	A named pipe connection was made.
19	WMIEvent	A WMI Event Filter was registered.
20	WMIEvent	A WMI Event Consumer was registered.
21	WMIEvent	A WMI Event Consumer binds to a filter.
22	DNSQuery	DNS query made.
23	FileDelete	A file delete was detected.
24	ClipboardChange	New content in the clipboard.
25	ProcessTampering	The image of a running process has changed.
255	Error	Sysmon error encountered.

Table of Contents

Related articles