Sysmon Events

System Monitor (Sysmon) is a Windows system service that monitors and logs system activity. It records detailed information (events) about activity such as process creation, network connections, and changes to file creation time, and assigns a specific event identifier (ID) to each type of activity it monitors. The F5 Distributed Cloud App Infrastructure Protection (AIP) Windows Agent ingests the following Sysmon events and allows rules to be created on them:

| Sysmon Event ID | Tag | Description |
|---|---|---|
| 1 | ProcessCreate | A process was created. |
| 2 | FileCreateTime | A process changed a file creation time. |
| 3 | NetworkConnect | A network connection was established. |
| 4 | N/A | Sysmon service state changed. (This event cannot be filtered.) |
| 5 | ProcessTerminate | A process was terminated. |
| 6 | DriverLoad | A system driver was loaded. |
| 7 | ImageLoad | An image was loaded. |
| 8 | CreateRemoteThread | A remote thread was created in another process. |
| 9 | RawAccessRead | A raw access read of a file was made. |
| 10 | ProcessAccess | A process accessed another process. |
| 11 | FileCreate | A file was created. |
| 12 | RegistryEvent | A registry object was created or deleted. |
| 13 | RegistryEvent | A registry value was set. |
| 13.10 | FileDeleteDetected | A file was deleted. |
| 14 | RegistryEvent | A registry key and value pair was renamed. |
| 15 | FileCreateStreamHash | A file stream was created (file create stream hash). |
| 16 | N/A | Sysmon configuration change. (This event cannot be filtered.) |
| 17 | PipeEvent | A named pipe was created. |
| 18 | PipeEvent | A named pipe connection was made. |
| 19 | WMIEvent | A WMI Event Filter was registered. |
| 20 | WMIEvent | A WMI Event Consumer was registered. |
| 21 | WMIEvent | A WMI Event Consumer was bound to a filter. |
| 22 | DNSQuery | A DNS query was made. |
| 23 | FileDelete | A file delete was detected. |
| 24 | ClipboardChange | New content was placed in the clipboard. |
| 25 | ProcessTampering | The image of a running process was changed. |
| 255 | Error | A Sysmon error was encountered. |