[get_parent_process_create]
display_location = both
eventtypes = ms-sysmon-*
fields = ParentProcessGuid, host
label = Get parent process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$ParentProcessGuid$ $ParentProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now

[get_process_create]
display_location = both
eventtypes = ms-sysmon-*
fields = ProcessGuid, host
label = Get process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$ProcessGuid$ $ProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now

[get_process_create_sysmon_create_remote_thread]
display_location = both
eventtypes = ms-sysmon-*
fields = SourceProcessGuid, host
label = Get process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$SourceProcessGuid$ $SourceProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now

[get_process_create_sysmon_process_access]
display_location = both
eventtypes = ms-sysmon-*
fields = SourceProcessGUID, host
label = Get process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$SourceProcessGUID$ $SourceProcessGUID$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now