Sysmon v10.42 individual events

Sysmon is a great tool for detecting attacks and suspicious activities happening within a Windows environment. The latest release is v10.42 and can be downloaded from Microsoft here.

Sysmon v10.42 events

From a development point of view, one of the issues with Sysmon is that it does not ship with an XML Schema Definition (XSD for short). Matt Graeber from specterops.io did a great analysis of this and explains all the benefits an XSD would add.

Sysmon does have a schema of its own, though, which you can print by running sysmon -s. However, I found that when you are learning how to use the tool, wading through the full schema is very annoying.

I wrote a small script that pulls every individual event out of the Sysmon schema, so it is easier to understand each event's anatomy as an atomic unit. It also helps us understand the fields better, and the possible relationships that can be created between events (from a graph point of view).
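As an added example (not the author's script), the same idea in Python: parse the XML that sysmon -s prints, pull each event out as its own element, list its fields with their datatypes, and write one XML file per event. It assumes the manifest/events/event/data layout of the sysmon -s output; the embedded schema is a constructed, trimmed sample.

```python
"""Split the Sysmon schema (the XML printed by `sysmon -s`) into one file per event."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed, trimmed sample in the layout of `sysmon -s` output (not a real dump).
SAMPLE_SCHEMA = """<manifest schemaversion="4.22" binaryversion="10.42">
  <events>
    <event name="SYSMON_CREATE_PROCESS" value="1" level="Informational" template="Process Create" rulename="ProcessCreate" ruledefault="include" version="5">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string"/>
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/>
      <data name="ProcessGuid" inType="win:GUID"/>
      <data name="ProcessId" inType="win:UInt32" outType="win:PID"/>
    </event>
    <event name="SYSMON_NETWORK_CONNECT" value="3" level="Informational" template="Network connection detected" rulename="NetworkConnect" ruledefault="exclude" version="5">
      <data name="ProcessGuid" inType="win:GUID"/>
      <data name="DestinationIp" inType="win:UnicodeString" outType="xs:string"/>
    </event>
  </events>
</manifest>"""

def split_events(schema_xml: str) -> dict[str, ET.Element]:
    """Return {event name: <event> element} for every event in the schema."""
    start = schema_xml.find("<manifest")  # skip the version banner sysmon prints first
    if start < 0:
        raise ValueError("no <manifest> element: is this really `sysmon -s` output?")
    events = ET.fromstring(schema_xml[start:]).find("events")
    if events is None:
        raise ValueError("schema has no <events> section")
    return {ev.get("name"): ev for ev in events.findall("event")}

def event_fields(event: ET.Element) -> list[tuple[str, str, str]]:
    """List (field name, inType, outType) per field; outType falls back to inType."""
    return [(d.get("name"), d.get("inType"), d.get("outType") or d.get("inType"))
            for d in event.findall("data")]

def write_events(schema_xml: str, out_dir: str) -> list[str]:
    """Write each event to <out_dir>/<EventID>-<name>.xml and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, ev in split_events(schema_xml).items():
        path = out / f"{int(ev.get('value')):03d}-{name}.xml"
        ET.indent(ev)  # pretty-print (Python 3.9+)
        path.write_text(ET.tostring(ev, encoding="unicode"))
        written.append(str(path))
    return written

if __name__ == "__main__":
    # Real use: sysmon -s > schema.xml, then: python split_sysmon_schema.py schema.xml events
    xml_text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    for p in write_events(xml_text, sys.argv[2] if len(sys.argv) > 2 else "events"):
        print(p)
```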

As shown below, this is what an individual Sysmon event looks like:

Sysmon individual event

Here we can see the event's properties and their datatypes, which can be used to build a lot of tools and detection rules.

You can find the list of events exported into individual XMLs from here.

I hope it helps!