Request trial
Request Trial

Different ProcessID field values ​​in sysmon event

Tags: im_msvistalog | sysmon
#1 Alexander

Hello!

I noticed that the value of the ProcessID field in sysmon event does not match the value of the ProcessID field which is nested in the Message field. Is it normal?

The sample sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is bellow

{
  "EventTime": "2015-04-27 15:23:46",
  "Hostname": "WIN-OUNNPISDHIG",
  "Keywords": -9223372036854776000,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1,
  "SourceName": "Microsoft-Windows-Sysmon",
  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Version": 3,
  "Task": 1,
  "OpcodeValue": 0,
  "RecordNumber": 2335906,
  "ProcessID": 1680,
  "ThreadID": 1728,
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "SYSTEM",
  "AccountType": "Well Known Group",
  "Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
  "Opcode": "Info",
  "UtcTime": "2015.04.27. 13:23",
  "ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
  "Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
  "CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
  "User": "WIN-OUNNPISDHIG\\Administrator",
  "LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
  "LogonId": "0x4edd5",
  "TerminalSessionId": "2",
  "IntegrityLevel": "High",
  "HashType": "SHA1",
  "Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
  "ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
  "ParentProcessId": "26544",
  "ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
  "ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
  "EventReceivedTime": "2015-04-27 15:23:47",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog"
}
Permalink
#2 manuel.munozDeactivated Nxlog ✓
#1 Alexander
Hello! I noticed that the value of the ProcessID field in sysmon event does not match the value of the ProcessID field which is nested in the Message field. Is it normal? The sample sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is bellow { "EventTime": "2015-04-27 15:23:46", "Hostname": "WIN-OUNNPISDHIG", "Keywords": -9223372036854776000, "EventType": "INFO", "SeverityValue": 2, "Severity": "INFO", "EventID": 1, "SourceName": "Microsoft-Windows-Sysmon", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Version": 3, "Task": 1, "OpcodeValue": 0, "RecordNumber": 2335906, "ProcessID": 1680, "ThreadID": 1728, "Channel": "Microsoft-Windows-Sysmon/Operational", "Domain": "NT AUTHORITY", "AccountName": "SYSTEM", "UserID": "SYSTEM", "AccountType": "Well Known Group", "Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe", "Opcode": "Info", "UtcTime": "2015.04.27. 13:23", "ProcessGuid": "{00000000-3862-553E-0000-001051D40527}", "Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe", "CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f", "User": "WIN-OUNNPISDHIG\\Administrator", "LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}", "LogonId": "0x4edd5", "TerminalSessionId": "2", "IntegrityLevel": "High", "HashType": "SHA1", "Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94", "ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}", "ParentProcessId": "26544", "ParentImage": "C:\\msys\\1.0\\bin\\sh.exe", "ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe", "EventReceivedTime": "2015-04-27 15:23:47", "SourceModuleName": "in", "SourceModuleType": "im_msvistalog" }

The first id belongs to the nxlog process while the nested one belongs to the recently created process (described by the event itself).
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS