

@leechristensen
Created September 25, 2015 20:38
Pulled it using strings.exe..... :)
<!-- Sysmon configuration schema (DOCTYPE with an internal DTD subset), recovered from the
     binary with strings.exe as the note above states. The XML comments in this listing were
     added by a reviewer for readability; they are NOT part of the extracted text. -->
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms)*>
<!-- Root element: schemaversion is #REQUIRED; EventFiltering and HashAlgorithms may each
     appear zero or more times, in any order. -->
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!-- Rule groups available in this build are the seven event types listed here. Every group
     takes two optional attributes (#IMPLIED = the DTD supplies no default): onmatch and
     default, each restricted to include|exclude. -->
<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread)*>
<!-- ProcessCreate: fields a rule may match on. Hashes is available here, in DriverLoad and in
     ImageLoad only. -->
<!ELEMENT ProcessCreate (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>
<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>
<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>
<!-- Field elements hold text (#PCDATA) and carry a 'condition' attribute. The DTD defaults
     condition to "is" when the attribute is omitted, but declares it as CDATA, so the set of
     accepted operator values is not constrained by this schema. The same pattern applies to
     every field element below. -->
<!ELEMENT SequenceNumber (#PCDATA)*>
<!ATTLIST SequenceNumber condition CDATA "is">
<!ELEMENT UtcTime (#PCDATA)*>
<!ATTLIST UtcTime condition CDATA "is">
<!ELEMENT ProcessGuid (#PCDATA)*>
<!ATTLIST ProcessGuid condition CDATA "is">
<!ELEMENT ProcessId (#PCDATA)*>
<!ATTLIST ProcessId condition CDATA "is">
<!ELEMENT Image (#PCDATA)*>
<!ATTLIST Image condition CDATA "is">
<!ELEMENT CommandLine (#PCDATA)*>
<!ATTLIST CommandLine condition CDATA "is">
<!ELEMENT CurrentDirectory (#PCDATA)*>
<!ATTLIST CurrentDirectory condition CDATA "is">
<!ELEMENT User (#PCDATA)*>
<!ATTLIST User condition CDATA "is">
<!ELEMENT LogonGuid (#PCDATA)*>
<!ATTLIST LogonGuid condition CDATA "is">
<!ELEMENT LogonId (#PCDATA)*>
<!ATTLIST LogonId condition CDATA "is">
<!ELEMENT TerminalSessionId (#PCDATA)*>
<!ATTLIST TerminalSessionId condition CDATA "is">
<!ELEMENT IntegrityLevel (#PCDATA)*>
<!ATTLIST IntegrityLevel condition CDATA "is">
<!ELEMENT Hashes (#PCDATA)*>
<!ATTLIST Hashes condition CDATA "is">
<!ELEMENT ParentProcessGuid (#PCDATA)*>
<!ATTLIST ParentProcessGuid condition CDATA "is">
<!ELEMENT ParentProcessId (#PCDATA)*>
<!ATTLIST ParentProcessId condition CDATA "is">
<!ELEMENT ParentImage (#PCDATA)*>
<!ATTLIST ParentImage condition CDATA "is">
<!ELEMENT ParentCommandLine (#PCDATA)*>
<!ATTLIST ParentCommandLine condition CDATA "is">
<!-- FileCreateTime: exposes both the new and the previous creation timestamp of the target
     file, so a rule can compare them. -->
<!ELEMENT FileCreateTime (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image|TargetFilename|CreationUtcTime|PreviousCreationUtcTime)*>
<!ATTLIST FileCreateTime onmatch (include|exclude) #IMPLIED>
<!ATTLIST FileCreateTime default (include|exclude) #IMPLIED>
<!ELEMENT TargetFilename (#PCDATA)*>
<!ATTLIST TargetFilename condition CDATA "is">
<!ELEMENT CreationUtcTime (#PCDATA)*>
<!ATTLIST CreationUtcTime condition CDATA "is">
<!ELEMENT PreviousCreationUtcTime (#PCDATA)*>
<!ATTLIST PreviousCreationUtcTime condition CDATA "is">
<!-- NetworkConnect: source and destination each expose IsIpv6, Ip, Hostname, Port and PortName
     fields; Initiated and Protocol are also filterable. -->
<!ELEMENT NetworkConnect (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image|User|Protocol|Initiated|SourceIsIpv6|SourceIp|SourceHostname|SourcePort|SourcePortName|DestinationIsIpv6|DestinationIp|DestinationHostname|DestinationPort|DestinationPortName)*>
<!ATTLIST NetworkConnect onmatch (include|exclude) #IMPLIED>
<!ATTLIST NetworkConnect default (include|exclude) #IMPLIED>
<!ELEMENT Protocol (#PCDATA)*>
<!ATTLIST Protocol condition CDATA "is">
<!ELEMENT Initiated (#PCDATA)*>
<!ATTLIST Initiated condition CDATA "is">
<!ELEMENT SourceIsIpv6 (#PCDATA)*>
<!ATTLIST SourceIsIpv6 condition CDATA "is">
<!ELEMENT SourceIp (#PCDATA)*>
<!ATTLIST SourceIp condition CDATA "is">
<!ELEMENT SourceHostname (#PCDATA)*>
<!ATTLIST SourceHostname condition CDATA "is">
<!ELEMENT SourcePort (#PCDATA)*>
<!ATTLIST SourcePort condition CDATA "is">
<!ELEMENT SourcePortName (#PCDATA)*>
<!ATTLIST SourcePortName condition CDATA "is">
<!ELEMENT DestinationIsIpv6 (#PCDATA)*>
<!ATTLIST DestinationIsIpv6 condition CDATA "is">
<!ELEMENT DestinationIp (#PCDATA)*>
<!ATTLIST DestinationIp condition CDATA "is">
<!ELEMENT DestinationHostname (#PCDATA)*>
<!ATTLIST DestinationHostname condition CDATA "is">
<!ELEMENT DestinationPort (#PCDATA)*>
<!ATTLIST DestinationPort condition CDATA "is">
<!ELEMENT DestinationPortName (#PCDATA)*>
<!ATTLIST DestinationPortName condition CDATA "is">
<!-- ProcessTerminate: the smallest field set; no command line, user or hash fields. -->
<!ELEMENT ProcessTerminate (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image)*>
<!ATTLIST ProcessTerminate onmatch (include|exclude) #IMPLIED>
<!ATTLIST ProcessTerminate default (include|exclude) #IMPLIED>
<!-- DriverLoad: no ProcessGuid/ProcessId/Image fields; rules match on the loaded image, its
     hashes and its signature state. -->
<!ELEMENT DriverLoad (SequenceNumber|UtcTime|ImageLoaded|Hashes|Signed|Signature)*>
<!ATTLIST DriverLoad onmatch (include|exclude) #IMPLIED>
<!ATTLIST DriverLoad default (include|exclude) #IMPLIED>
<!ELEMENT ImageLoaded (#PCDATA)*>
<!ATTLIST ImageLoaded condition CDATA "is">
<!ELEMENT Signed (#PCDATA)*>
<!ATTLIST Signed condition CDATA "is">
<!ELEMENT Signature (#PCDATA)*>
<!ATTLIST Signature condition CDATA "is">
<!-- ImageLoad: DriverLoad's fields plus the loading process (ProcessGuid/ProcessId/Image). -->
<!ELEMENT ImageLoad (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image|ImageLoaded|Hashes|Signed|Signature)*>
<!ATTLIST ImageLoad onmatch (include|exclude) #IMPLIED>
<!ATTLIST ImageLoad default (include|exclude) #IMPLIED>
<!-- CreateRemoteThread: fields describe both the source process and the target process, plus
     the new thread's id. -->
<!ELEMENT CreateRemoteThread (SequenceNumber|UtcTime|SourceProcessGuid|SourceProcessId|SourceImage|TargetProcessGuid|TargetProcessId|TargetImage|NewThreadId)*>
<!ATTLIST CreateRemoteThread onmatch (include|exclude) #IMPLIED>
<!ATTLIST CreateRemoteThread default (include|exclude) #IMPLIED>
<!ELEMENT SourceProcessGuid (#PCDATA)*>
<!ATTLIST SourceProcessGuid condition CDATA "is">
<!ELEMENT SourceProcessId (#PCDATA)*>
<!ATTLIST SourceProcessId condition CDATA "is">
<!ELEMENT SourceImage (#PCDATA)*>
<!ATTLIST SourceImage condition CDATA "is">
<!ELEMENT TargetProcessGuid (#PCDATA)*>
<!ATTLIST TargetProcessGuid condition CDATA "is">
<!ELEMENT TargetProcessId (#PCDATA)*>
<!ATTLIST TargetProcessId condition CDATA "is">
<!ELEMENT TargetImage (#PCDATA)*>
<!ATTLIST TargetImage condition CDATA "is">
<!ELEMENT NewThreadId (#PCDATA)*>
<!ATTLIST NewThreadId condition CDATA "is">
<!-- HashAlgorithms: plain text content; the permitted algorithm names are not constrained by
     this DTD. -->
<!ELEMENT HashAlgorithms (#PCDATA)>]>