Different ProcessID field values in sysmon event
#1
Alexander
Hello!
I noticed that the value of the ProcessID field in sysmon event does not match the value of the ProcessID field which is nested in the Message field. Is it normal?
The sample sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is bellow
{
"EventTime": "2015-04-27 15:23:46",
"Hostname": "WIN-OUNNPISDHIG",
"Keywords": -9223372036854776000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 1,
"SourceName": "Microsoft-Windows-Sysmon",
"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Version": 3,
"Task": 1,
"OpcodeValue": 0,
"RecordNumber": 2335906,
"ProcessID": 1680,
"ThreadID": 1728,
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "SYSTEM",
"AccountType": "Well Known Group",
"Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
"Opcode": "Info",
"UtcTime": "2015.04.27. 13:23",
"ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
"Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
"CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
"User": "WIN-OUNNPISDHIG\\Administrator",
"LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
"LogonId": "0x4edd5",
"TerminalSessionId": "2",
"IntegrityLevel": "High",
"HashType": "SHA1",
"Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
"ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
"ParentProcessId": "26544",
"ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
"ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
"EventReceivedTime": "2015-04-27 15:23:47",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}
#1
Alexander
Hello!
I noticed that the value of the ProcessID field in sysmon event does not match the value of the ProcessID field which is nested in the Message field.
Is it normal?
The sample sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is bellow
{
"EventTime": "2015-04-27 15:23:46",
"Hostname": "WIN-OUNNPISDHIG",
"Keywords": -9223372036854776000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 1,
"SourceName": "Microsoft-Windows-Sysmon",
"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Version": 3,
"Task": 1,
"OpcodeValue": 0,
"RecordNumber": 2335906,
"ProcessID": 1680,
"ThreadID": 1728,
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "SYSTEM",
"AccountType": "Well Known Group",
"Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
"Opcode": "Info",
"UtcTime": "2015.04.27. 13:23",
"ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
"Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
"CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
"User": "WIN-OUNNPISDHIG\\Administrator",
"LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
"LogonId": "0x4edd5",
"TerminalSessionId": "2",
"IntegrityLevel": "High",
"HashType": "SHA1",
"Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
"ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
"ParentProcessId": "26544",
"ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
"ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
"EventReceivedTime": "2015-04-27 15:23:47",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}
The first id belongs to the nxlog process while the nested one belongs to the recently created process (described by the event itself).
