Windows Sysmon
Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/windows-sysmon/generator.yml \
  --id sysmon \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| 11 | File Created | ~25% | file |
| 13 | Registry Value Set | ~20% | registry |
| 22 | DNS Query | ~15% | network |
| 1 | Process Create | ~12% | process |
| 5 | Process Terminated | ~10% | process |
| 3 | Network Connection | ~8% | network |
| 12 | Registry Create/Delete | ~3% | registry |
| 15 | FileCreateStreamHash | ~2% | file |
| 23 | File Delete (Archived) | ~1.5% | file |
| 26 | File Delete (Logged) | ~1% | file |
| 17 | Named Pipe Created | ~0.5% | file |
| 18 | Named Pipe Connected | ~0.5% | file |
| 25 | Process Tampering | ~0.5% | process |
| 6 | Driver Loaded | rare | driver |
| 8 | CreateRemoteThread | rare | process |
Realism Features
- Process lifecycle correlation — Event 1 (Process Create) adds a process to a per-host pool; Event 5 (Process Terminated) consumes it, reusing the same ProcessGuid, PID, and Image, so start/stop pairs correlate the way they do on a real host
- Process-to-activity linkage — DNS, file, network, and registry events reference processes that are currently in the pool, so activity is attributable to a running process rather than a random PID
- 25 Windows processes with correct parent-child relationships, PE metadata, and file hashes
- 30 real-world DNS domains with CNAME chains, resolved IPs, and NXDOMAIN distribution
- Registry path diversity — HKLM/HKU paths covering services, security, Explorer, Defender
- 120-host fleet with per-host record IDs and per-host process pool correlation
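The lifecycle and linkage features above are exactly what a consumer of this data should be able to rely on. The script below is an added example (not part of the content pack or of eventum) that replays a stream of ECS-shaped Sysmon events in order and checks it: every Event 5 must close a process opened by an earlier Event 1 with the same ProcessGuid and PID, every DNS/network/file event must come from a process that is still in the pool, and, as a small detection on top, svchost.exe spawned by anything other than services.exe is flagged. It assumes the field layout shown under Sample Output plus two fields the sample does not show: host.name for the per-host pool and process.entity_id as the ECS home for Sysmon's ProcessGuid. The sample NDJSON is constructed for the example, not generator output.

```python
import json
import ntpath

# Baseline parent for a few Windows system processes. svchost.exe is normally
# started by services.exe; real fleets have a handful of legitimate exceptions,
# so treat a hit as a hunting lead, not a verdict.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}

# Constructed NDJSON sample (not generator output). host.name and
# process.entity_id (assumed mapping of Sysmon ProcessGuid) are assumptions.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2026-02-21T14:30:22.150000+00:00", "event": {"code": "1"},
     "host": {"name": "ws-042"},
     "process": {"entity_id": "{A}", "pid": 6228,
                 "executable": "C:\\Windows\\System32\\svchost.exe",
                 "parent": {"executable": "C:\\Windows\\System32\\services.exe"}}},
    {"@timestamp": "2026-02-21T14:30:23.010000+00:00", "event": {"code": "22"},
     "host": {"name": "ws-042"},
     "process": {"entity_id": "{A}", "pid": 6228,
                 "executable": "C:\\Windows\\System32\\svchost.exe"},
     "dns": {"question": {"name": "ctldl.windowsupdate.com"}}},
    # Network event from a ProcessGuid that never had an Event 1: broken linkage
    {"@timestamp": "2026-02-21T14:30:24.500000+00:00", "event": {"code": "3"},
     "host": {"name": "ws-042"},
     "process": {"entity_id": "{Z}", "pid": 9999,
                 "executable": "C:\\Windows\\System32\\svchost.exe"}},
    {"@timestamp": "2026-02-21T14:30:25.000000+00:00", "event": {"code": "5"},
     "host": {"name": "ws-042"},
     "process": {"entity_id": "{A}", "pid": 6228,
                 "executable": "C:\\Windows\\System32\\svchost.exe"}},
    # Second termination of the same process: orphan Event 5
    {"@timestamp": "2026-02-21T14:30:26.000000+00:00", "event": {"code": "5"},
     "host": {"name": "ws-042"},
     "process": {"entity_id": "{A}", "pid": 6228,
                 "executable": "C:\\Windows\\System32\\svchost.exe"}},
    # svchost.exe started by cmd.exe: not the expected parent
    {"@timestamp": "2026-02-21T14:30:27.000000+00:00", "event": {"code": "1"},
     "host": {"name": "ws-042"},
     "process": {"entity_id": "{B}", "pid": 7100,
                 "executable": "C:\\Windows\\System32\\svchost.exe",
                 "parent": {"executable": "C:\\Windows\\System32\\cmd.exe"}}},
])


def parse_ndjson(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Image name from a Windows path, case-folded for comparison."""
    return ntpath.basename(path).lower()


def check_stream(events):
    """Replay events in order. Returns (findings, live_pool).

    findings: list of (kind, host, pid, detail) tuples
    live_pool: {(host, entity_id): {"pid", "name"}} still running at the end
    """
    pool = {}
    findings = []
    for ev in events:
        host = ev["host"]["name"]
        code = ev["event"]["code"]
        proc = ev["process"]
        key = (host, proc["entity_id"])
        name = basename(proc["executable"])
        if code == "1":  # Process Create: open a pool entry, check the parent
            parent = basename(proc["parent"]["executable"])
            allowed = EXPECTED_PARENT.get(name)
            if allowed is not None and parent not in allowed:
                findings.append(("suspicious_parent", host, proc["pid"], f"{name} <- {parent}"))
            if key in pool:
                findings.append(("duplicate_guid", host, proc["pid"], name))
            pool[key] = {"pid": proc["pid"], "name": name}
        elif code == "5":  # Process Terminated: must close a live entry with the same identity
            live = pool.pop(key, None)
            if live is None:
                findings.append(("orphan_terminate", host, proc["pid"], name))
            elif live["pid"] != proc["pid"] or live["name"] != name:
                findings.append(("identity_mismatch", host, proc["pid"], name))
        elif key not in pool:  # DNS/network/file/registry: must come from a live process
            findings.append(("unknown_process", host, proc["pid"], f"event {code} from {name}"))
    return findings, pool


if __name__ == "__main__":
    found, live = check_stream(parse_ndjson(SAMPLE_NDJSON))
    for kind, host, pid, detail in found:
        print(f"{kind:18} host={host} pid={pid} {detail}")
    print("still running:", sorted(p["pid"] for p in live.values()))
```

Run against the generator's own output (one ECS document per line) the first two finding kinds should never appear; if they do, the pool correlation is broken for that host. The suspicious_parent check is deliberately a small allowlist so that it is easy to extend with the parent-child baseline for the 25 processes the pack emits.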
Sample Output
```json
{
  "@timestamp": "2026-02-21T14:30:22.150000+00:00",
  "event": {
    "action": "Process creation",
    "category": ["process"],
    "code": "1",
    "module": "sysmon",
    "type": ["start"]
  },
  "process": {
    "executable": "C:\\Windows\\System32\\svchost.exe",
    "name": "svchost.exe",
    "pid": 6228,
    "parent": {
      "executable": "C:\\Windows\\System32\\services.exe",
      "name": "services.exe"
    }
  },
  "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" },
  "winlog": {
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": "1"
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| domain | CONTOSO | NetBIOS domain name |
| fqdn_suffix | contoso.local | DNS domain suffix |
| domain_sid | S-1-5-21-3457937927-... | Domain SID prefix |
| agent_version | 8.17.0 | Agent version string |
Related Generators
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Windows PowerShell
PowerShell classic and operational channels — engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. Includes obfuscated command detection and suspicious script patterns.
Linux Auditd
Linux audit framework (auditd) — syscall tracing (execve, openat, connect), PAM authentication, credential changes, user login/logout, sudo privilege escalation, and systemd service management.