Contents

Event ID 1: Process creation

Event ID 1: Process creation

Version: 4.81

Description

The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.

Data Dictionary

Field Name

Type

Description

Sample Value

RuleName

string

custom tag mapped to event. i.e ATT&CK technique ID

T1114

UtcTime

date

Time in UTC when event was created

2021-10-13T20:06:22.6500000Z

ProcessGuid

string

Process Guid of the process that got spawned/created (child)

{844e14fa-3c3e-6167-98ab-cd236b550000}

ProcessId

integer

Process ID used by the os to identify the created process (child)

5079

Image

string

File path of the process being spawned/created. Considered also the child or source process

/usr/sbin/rsyslogd

FileVersion

string

Version of the image associated with the main process (child)

``

Description

string

Description of the image associated with the main process (child)

``

Product

string

Product name the image associated with the main process (child) belongs to

``

Company

string

Company name the image associated with the main process (child) belongs to

``

OriginalFileName

string

original file name

``

CommandLine

string

Arguments which were passed to the executable associated with the main process

/usr/sbin/rsyslogd -n

CurrentDirectory

string

Current working directory from which the main process executed.

``

IntegrityLevel

string

Integrity label assigned to a process

no level

User

string

Name of the account who created the process (child) .

root

LogonGuid

string

Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events)

{844e14fa-0000-0000-0000-000000000000}

LogonId

integer

Login ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID

0xf6219

TerminalSessionId

integer

ID of the session the user belongs to

4294967295

Hashes

string

Hashes captured by sysmon driver

``

ParentUser

string

Name of the account who created the process that spawned/created the main process (child)

root

ParentProcessGuid

string

ProcessGUID of the process that spawned/created the main process (child)

{A98268C1-9C2E-5ACD-0000-00100266AB00}

ParentProcessId

integer

Process ID of the process that spawned/created the main process (child)

240

ParentImage

string

File path that spawned/created the main process

/lib/systemd/systemd

ParentCommandLine

string

Arguments which were passed to the executable associated with the parent process

/sbin/init

previous

sysmon events

next

Event ID 11: FileCreate