Sysmon

Browse the Sysmon mappings on this page, download the mappings (in CSV or STIX format), or visualize the sensor coverage in ATT&CK Navigator. Sysmon records only the event IDs that its installed configuration enables, so the coverage shown here describes what the sensor can map to ATT&CK, not what a particular deployment actually collects.


Enterprise

| Event ID | Event Description | ATT&CK Data Source | ATT&CK Data Component |
|---|---|---|---|
| 1 | A new process has been created | Process | Process Creation |
| 2 | A process changed a file creation time | File | File Modification |
| 3 | Network connection | Network Traffic | Network Connection Creation |
| 4 | Sysmon service state changed | Service | Service Metadata |
| 5 | Process terminated | Process | Process Termination |
| 6 | Driver loaded | Driver | Driver Load |
| 7 | Image loaded | Module | Module Load |
| 8 | CreateRemoteThread (a process created a thread in another process) | Process | Process Modification |
| 9 | RawAccessRead (a process read from the drive using the `\\.\` denotation) | File | File Access |
| 10 | ProcessAccess (a process opened another process) | Process | Process Access |
| 11 | FileCreate | File | File Creation |
| 12 | RegistryEvent (object create and delete) | Windows Registry | Windows Registry Key Creation |
| 12 | RegistryEvent (object create and delete) | Windows Registry | Windows Registry Key Deletion |
| 13 | RegistryEvent (value set) | Windows Registry | Windows Registry Key Modification |
| 14 | RegistryEvent (key and value rename) | Windows Registry | Windows Registry Key Modification |
| 15 | FileCreateStreamHash | File | File Creation |
| 17 | PipeEvent (pipe created) | Named Pipe | Named Pipe Metadata |
| 18 | PipeEvent (pipe connected) | Named Pipe | Named Pipe Connection |
| 18 | PipeEvent (pipe connected) | Named Pipe | Named Pipe Metadata |
| 19 | WmiEvent (WmiEventFilter activity detected) | WMI | WMI Creation |
| 19 | WmiEvent (WmiEventFilter activity detected) | WMI | WMI Deletion |
| 20 | WmiEvent (WmiEventConsumer activity detected) | WMI | WMI Creation |
| 20 | WmiEvent (WmiEventConsumer activity detected) | WMI | WMI Deletion |
| 23 | FileDelete (file delete archived) | File | File Deletion |
| 26 | FileDeleteDetected (file delete logged) | File | File Deletion |
| 30 | EventID(30) | Process | Process Metadata |

Event IDs 12, 18, 19 and 20 appear twice on purpose: a single Sysmon event maps to two ATT&CK data components. For 12, 19 and 20 the two rows are the create and delete cases of the same event, so which component applies to a given record depends on the event's own fields, not on the ID alone.
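The following script applies the mapping table above to Sysmon records exported as Windows event XML and reports which ATT&CK data components a batch of records covers. It is an added example and is not MITRE's code nor part of the Sensor Mappings project. It assumes (not stated on this page) that Sysmon reports `EventType` = `CreateKey`/`DeleteKey` for event 12 and `Operation` = `Created`/`Deleted` for events 19 and 20, which is how it picks between the create and delete rows; the sample records are constructed in the script, and event 22 is included only to show how an ID the table does not list is handled.

```python
"""Tag Sysmon event records with the ATT&CK data source and data component
from the Sensor Mappings table for Sysmon.  Added example, not MITRE's code."""
import xml.etree.ElementTree as ET

# Windows event log XML namespace used by Sysmon records.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The mapping table from this page, keyed by Sysmon event ID.  Each value is a
# list of (data source, data component) pairs; IDs the table lists twice carry
# two pairs.
MAPPING = {
    1:  [("Process", "Process Creation")],
    2:  [("File", "File Modification")],
    3:  [("Network Traffic", "Network Connection Creation")],
    4:  [("Service", "Service Metadata")],
    5:  [("Process", "Process Termination")],
    6:  [("Driver", "Driver Load")],
    7:  [("Module", "Module Load")],
    8:  [("Process", "Process Modification")],
    9:  [("File", "File Access")],
    10: [("Process", "Process Access")],
    11: [("File", "File Creation")],
    12: [("Windows Registry", "Windows Registry Key Creation"),
         ("Windows Registry", "Windows Registry Key Deletion")],
    13: [("Windows Registry", "Windows Registry Key Modification")],
    14: [("Windows Registry", "Windows Registry Key Modification")],
    15: [("File", "File Creation")],
    17: [("Named Pipe", "Named Pipe Metadata")],
    18: [("Named Pipe", "Named Pipe Connection"),
         ("Named Pipe", "Named Pipe Metadata")],
    19: [("WMI", "WMI Creation"), ("WMI", "WMI Deletion")],
    20: [("WMI", "WMI Creation"), ("WMI", "WMI Deletion")],
    23: [("File", "File Deletion")],
    26: [("File", "File Deletion")],
    30: [("Process", "Process Metadata")],
}

# For IDs 12, 19 and 20 the table gives a create row and a delete row.  The
# event data field that selects the row is an ASSUMPTION of this example:
# EventType for ID 12, Operation for IDs 19 and 20.
SELECTOR = {
    12: ("EventType", {"CreateKey": "Windows Registry Key Creation",
                       "DeleteKey": "Windows Registry Key Deletion"}),
    19: ("Operation", {"Created": "WMI Creation", "Deleted": "WMI Deletion"}),
    20: ("Operation", {"Created": "WMI Creation", "Deleted": "WMI Deletion"}),
}


def parse_event(xml_text):
    """Return (event_id, {field: value}) from one Sysmon record in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVT_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return event_id, data


def map_event(event_id, data):
    """ATT&CK (data source, data component) pairs for one event; [] if the
    table has no row for this event ID."""
    pairs = MAPPING.get(event_id, [])
    if event_id in SELECTOR:
        field, choices = SELECTOR[event_id]
        wanted = choices.get(data.get(field))
        # Unknown or missing selector value: keep both rows rather than
        # silently dropping the event.
        if wanted is not None:
            pairs = [p for p in pairs if p[1] == wanted]
    return pairs


def coverage(records):
    """Distinct data components seen across a batch of XML records, plus the
    event IDs that the mapping table does not cover."""
    seen, unmapped = set(), []
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        pairs = map_event(event_id, data)
        if not pairs:
            unmapped.append(event_id)
        seen.update(pairs)
    return sorted(seen), unmapped


def _record(event_id, **fields):
    """Build a minimal Sysmon-style record (constructed test data, not a real log)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return ('<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            '<EventID>%d</EventID></System><EventData>%s</EventData></Event>'
            % (EVT_NS["e"], event_id, data))


# Constructed sample records covering a plain row, a two-row ID resolved by a
# field, a two-row ID that maps to both components, and an unmapped ID.
SAMPLE_RECORDS = [
    _record(1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
    _record(12, EventType="CreateKey",
            TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x"),
    _record(18, PipeName=r"\svcctl", Image=r"C:\Windows\System32\svchost.exe"),
    _record(19, Operation="Created", Name="filter"),
    _record(22, QueryName="example.com"),  # DNS query: no row on this page
]

if __name__ == "__main__":
    components, missing = coverage(SAMPLE_RECORDS)
    for source, component in components:
        print("%-20s %s" % (source, component))
    print("event IDs with no mapping row:", missing)
```

Event 18 keeps both of its rows because the table maps one event to two components, while event 12 collapses to a single row once the selector field is read. Records for IDs with no row (here, 22) are reported rather than dropped, which is the check worth running before trusting a Navigator coverage layer built from this table.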