sysmon
sysmon-linux
\pEventID\p(\d+)\p/EventID\p
system.eventId
sysmon-linux
\pKeywords\p(\.+)\p/Keywords\p
system.keywords
sysmon-linux
\pLevel\p(\d+)\p/Level\p
system.level
sysmon-linux
\pChannel\p(\.+)\p/Channel\p
system.channel
sysmon-linux
\pOpcode\p(\d+)\p/Opcode\p
system.opcode
sysmon-linux
\pVersion\p(\d+)\p/Version\p
system.version
sysmon-linux
\pTimeCreated SystemTime="(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w)"
system.systemTime
sysmon-linux
\pEventRecordID\p(\d+)\p/EventRecordID\p
system.eventRecordID
sysmon-linux
"\sThreadID="(\d+)"/\p
system.threadID
sysmon-linux
\pComputer\p(\.+)\p/Computer\p
system.computer
sysmon-linux
\pTask\p(\d+)\p/Task\p
system.task
sysmon-linux
\pExecution\sProcessID="(\d+)"
system.processID
sysmon-linux
\pData Name="OriginalFileName"\p(\.+)\p/Data\p
eventdata.originalFileName
sysmon-linux
\pData Name="Image"\p(\.+)\p/Data\p
eventdata.image
sysmon-linux
\pData Name="Product"\p(\.+)\p/Data\p
eventdata.product
sysmon-linux
\pData Name="ParentProcessGuid"\p(\.+)\p/Data\p
eventdata.parentProcessGuid
sysmon-linux
\pData Name="Description"\p(\.+)\p/Data\p
eventdata.description
sysmon-linux
\pData Name="LogonGuid"\p(\.+)\p/Data\p
eventdata.logonGuid
sysmon-linux
\pData Name="ParentCommandLine"\p(\.+)\p/Data\p
eventdata.parentCommandLine
sysmon-linux
\pData Name="ProcessGuid"\p(\.+)\p/Data\p
eventdata.processGuid
sysmon-linux
\pData Name="LogonId"\p(\d+)\p/Data\p
eventdata.logonId
sysmon-linux
\pData Name="ParentProcessId"\p(\d+)\p/Data\p
eventdata.parentProcessId
sysmon-linux
\pData Name="ProcessId"\p(\d+)\p/Data\p
eventdata.processId
sysmon-linux
\pData Name="CurrentDirectory"\p(\.+)\p/Data\p
eventdata.currentDirectory
sysmon-linux
\pData Name="UtcTime"\p(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w)\p/Data\p
eventdata.utcTime
sysmon-linux
\pData Name="Hashes"\p(\.+)\p/Data\p
eventdata.hashes
sysmon-linux
\pData Name="ParentImage"\p(\.+)\p/Data\p
eventdata.parentImage
sysmon-linux
\pData Name="RuleName"\p(\.+)\p/Data\p
eventdata.ruleName
sysmon-linux
\pData Name="Company"\p(\.+)\p/Data\p
eventdata.company
sysmon-linux
\pData Name="CommandLine"\p(\.+)\p/Data\p
eventdata.commandLine
sysmon-linux
\pData Name="IntegrityLevel"\p(\.+)\p/Data\p
eventdata.integrityLevel
sysmon-linux
\pData Name="FileVersion"\p(\.+)\p/Data\p
eventdata.fileVersion
sysmon-linux
\pData Name="User"\p(\.+)\p/Data\p
eventdata.user
sysmon-linux
\pData Name="TerminalSessionId"\p(\.+)\p/Data\p
eventdata.terminalSessionId
sysmon-linux
\pData Name="ParentUser"\p(\.+)\p/Data\p
eventdata.parentUser
sysmon-linux
\pData Name="Protocol"\p(\.+)\p/Data\p
eventdata.protocol
sysmon-linux
\pData Name="Initiated"\p(\.+)\p/Data\p
eventdata.initiated
sysmon-linux
\pData Name="SourceIsIpv6"\p(\.+)\p/Data\p
eventdata.sourceIsIpv6
sysmon-linux
\pData Name="SourceIp"\p(\.+)\p/Data\p
eventdata.sourceIp
sysmon-linux
\pData Name="SourceHostname"\p(\.+)\p/Data\p
eventdata.sourceHostname
sysmon-linux
\pData Name="SourcePort"\p(\.+)\p/Data\p
eventdata.sourcePort
sysmon-linux
\pData Name="SourcePortName"\p(\.+)\p/Data\p
eventdata.sourcePortName
sysmon-linux
\pData Name="DestinationIsIpv6"\p(\.+)\p/Data\p
eventdata.destinationIsIpv6
sysmon-linux
\pData Name="DestinationIp"\p(\.+)\p/Data\p
eventdata.destinationIp
sysmon-linux
\pData Name="DestinationHostname"\p(\.+)\p/Data\p
eventdata.destinationHostname
sysmon-linux
\pData Name="DestinationPort"\p(\.+)\p/Data\p
eventdata.destinationPort
sysmon-linux
\pData Name="DestinationPortName"\p(\.+)\p/Data\p
eventdata.destinationPortName
sysmon-linux
\pData Name="State"\p(\.+)\p/Data\p
eventdata.state
sysmon-linux
\pData Name="Version"\p(\.+)\p/Data\p
eventdata.version
sysmon-linux
\pData Name="SchemaVersion"\p(\.+)\p/Data\p
eventdata.schemaVersion
sysmon-linux
\pData Name="Device"\p(\.+)\p/Data\p
eventdata.device
sysmon-linux
\pData Name="TargetFilename"\p(\.+)\p/Data\p
eventdata.targetFilename
sysmon-linux
\pData Name="CreationUtcTime"\p(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w)\p/Data\p
eventdata.creationUtcTime
sysmon-linux
\pData Name="Configuration"\p(\.+)\p/Data\p
eventdata.configuration
sysmon-linux
\pData Name="ConfigurationFileHash"\p(\.+)\p/Data\p
eventdata.configurationFileHash
sysmon-linux
\pData Name="IsExecutable"\p(\.+)\p/Data\p
eventdata.isExecutable
sysmon-linux
\pData Name="Archived"\p(\.+)\p/Data\p
eventdata.archived