EVID 5 : Process Terminated (Sysmon)
Event Details
| Event Type | Process Terminated |
|---|---|
| Event Description | 5 : Reports when a process terminates. |
| Event ID | 5 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 | |||
|---|---|---|---|---|---|
| Provider | N/A | N/A | |||
| EventID | <vmid> | <vmid><tag1> | |||
| Version | N/A | N/A | |||
| Level | <severity> | <severity> | |||
| Task | <vendorinfo> | <vendorinfo> | |||
| Opcode | N/A | N/A | |||
| Keywords | N/A | <result> | |||
| TimeCreated | N/A | N/A | |||
| EventRecordID | N/A | N/A | |||
| Correlation | N/A | N/A | |||
| Execution | N/A | N/A | |||
| Channel | N/A | N/A | |||
| Computer | <sname> | <dname> | |||
| Security | N/A | N/A | |||
| ProcessGuid | N/A | N/A | |||
| ProcessId | <processid> | <processid> | |||
| Image | <object>, <objectname> | <process> | |||
| CommandLine | N/A | <command> | |||
| CurrentDirectory | N/A | N/A | |||
| User | N/A | <login>, <domainorigin> | |||
| Logonid | N/A | <session> | |||
| TerminalSessionId | N/A | N/A | |||
| IntegrityLevel | N/A | N/A | |||
| Hashes | N/A | <hash> | |||
| ParentProcessGuid | N/A | N/A | |||
| ParentProcessId | N/A | <parentprocessid> | |||
| ParentImage | N/A | <parentprocesspath><parentprocessname> | |||
| ParentCommandLine | N/A | <object> | |||
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1007452 | EVID 5 : Process Terminated | Base Rule | Process/Service Stopped | Startup and Shutdown |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011218 | V 2.0 : Process Start/Stop Events | Base Rule | General Process Information | Information |
| V 2.0 : EVID 1 : Process Creation | Sub Rule | Process/Service Started | ||
| V 2.0 : EVID 5 : Process Termination | Sub Rule | Process/Service Stopped | Startup and Shutdown |