List of Sysmon Event IDs for Threat Hunting

<h1>List of Sysmon Event IDs:</h1>
<h2>Event ID 1: Process creation</h2>
<p>The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithms in the HashType field.</p>
<h2>Event ID 2: A process changed a file creation time</h2>
<p>The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps track the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.</p>
<p><a href="https://systemweakness.com/list-of-sysmon-event-ids-for-threat-hunting-4250b47cd567"><strong>Website</strong></a></p>
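The two event descriptions above are easier to work with once the fields are parsed out of the Sysmon XML. The following added example (written for this page; it is not code from the linked article or from Sysmon itself) parses constructed Event ID 1 and Event ID 2 records in the XML shape Sysmon writes to its event log, splits the Hashes field into one digest per algorithm, and uses ProcessGuid to correlate each creation-time change back to the process that made it. For Event ID 2 it applies a triage heuristic rather than a verdict: a file whose creation time was moved backwards by more than a threshold is reported together with the creating process's command line and hashes, since, as the text notes, many creation-time changes are legitimate and need that context to judge. The sample records, GUIDs, paths and hash values are all constructed.

```python
"""Parse Sysmon Event ID 1 / 2 XML records and flag creation-time backdating (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Windows event log XML namespace and Sysmon's UtcTime text format.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample records (not real telemetry). Field names follow the
# Sysmon schema; GUIDs, paths and digests are placeholders.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:02:11.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="Hashes">SHA256=0123ABCD,MD5=FFFF0000</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    # Creation time pushed back almost five years by the cmd.exe process above.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>2</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:02:12.000</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TargetFilename">C:\Users\Public\svc.exe</Data>
    <Data Name="CreationUtcTime">2019-03-19 04:52:00.000</Data>
    <Data Name="PreviousCreationUtcTime">2024-01-15 10:02:12.000</Data>
  </EventData>
</Event>""",
    # Half-second adjustment by an installer: below the threshold, not reported.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>2</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:05:00.000</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
    <Data Name="TargetFilename">C:\Program Files\App\app.dll</Data>
    <Data Name="CreationUtcTime">2024-01-15 10:04:59.500</Data>
    <Data Name="PreviousCreationUtcTime">2024-01-15 10:05:00.000</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: <text>, ...} for one Sysmon record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{EVT_NS}System/{EVT_NS}EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    return {"EventID": event_id, **data}


def parse_hashes(hashes_field):
    """Split Sysmon's 'ALG=digest,ALG=digest' Hashes field into a dict keyed by algorithm."""
    result = {}
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            result[algo.strip()] = digest.strip()
    return result


def find_backdating(events, min_backdate=timedelta(days=1)):
    """Report Event ID 2 records whose creation time moved backwards by at least min_backdate,
    enriched with the creating process's Event ID 1 record via ProcessGuid."""
    process_by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 2:
            continue
        new_ts = datetime.strptime(e["CreationUtcTime"], SYSMON_TIME_FMT)
        prev_ts = datetime.strptime(e["PreviousCreationUtcTime"], SYSMON_TIME_FMT)
        if prev_ts - new_ts < min_backdate:
            continue  # forward move or a small adjustment: leave for normal triage
        proc = process_by_guid.get(e["ProcessGuid"], {})
        findings.append({
            "TargetFilename": e["TargetFilename"],
            "Image": e["Image"],
            "BackdatedBy": prev_ts - new_ts,
            "CommandLine": proc.get("CommandLine", "<no Event ID 1 seen>"),
            "Hashes": parse_hashes(proc.get("Hashes", "")),
        })
    return findings


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for finding in find_backdating(parsed):
        print(finding)
```

Run as-is, the script reports the svc.exe record (backdated by roughly five years) with the cmd.exe command line and hashes attached, and stays silent on the msiexec adjustment. The threshold and the join on ProcessGuid are the two knobs worth tuning against real logs: lowering the threshold surfaces more legitimate installer activity, and a missing Event ID 1 match usually means the process started before Sysmon did or was filtered out by the configuration.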
Tags: Sysmon Event