Product
- - Splunk Case Study
    
    Featured Case Study
    
    Learn more
Company
- - About
  - Team
  - Integrations
  - News
  - Blog
  - Query of the Week
  - Careers
- - Add Threat Hunting to your SIEM with Gravwell
    
    Featured blog
    
    SIEMs have historically done well in helping organizations detect threats. Modern threat activity has shown, however, that tracking pre-selected data and relying on IOCs …
    
    Learn more
Pricing
Resources
- - Resources
  - Open Source
  - Kits
  - Knowledge Base
  - Documention
  - Support
  - Ingesters
- - Bridging the OT and IT Gap
    
    Featured Case Study
    
    Learn more
Customers
- - Industries
  - SecOps
  - ITOps
  - DevOps
- - SoCo Case Study
    
    Featured Case Study
    
    Learn more
Contact
Demo
Free Gravwell

Product
- - Splunk Case Study
    
    Featured Case Study
    
    Learn more
Company
- - About
  - Team
  - Integrations
  - News
  - Blog
  - Query of the Week
  - Careers
- - Add Threat Hunting to your SIEM with Gravwell
    
    Featured blog
    
    SIEMs have historically done well in helping organizations detect threats. Modern threat activity has shown, however, that tracking pre-selected data and relying on IOCs …
    
    Learn more
Pricing
Resources
- - Resources
  - Open Source
  - Kits
  - Knowledge Base
  - Documention
  - Support
  - Ingesters
- - Bridging the OT and IT Gap
    
    Featured Case Study
    
    Learn more
Customers
- - Industries
  - SecOps
  - ITOps
  - DevOps
- - SoCo Case Study
    
    Featured Case Study
    
    Learn more
Contact
Demo
Free Gravwell

Blog

Want deeper insights? Read exclusive commentary from the Gravwell team on the issues that matter most.

Filter By

What's in a Sysmon Event - Windows Registry EventIDs 12, 13, 14

Overview For this post we are going to be focusing on three EventIDs that pertain to the Windows Registry. These sysmon events occur when a registry key is created, updated, deleted, or renamed. ...

Microsoft , Security , Sysmon

Blog

11.02.2021

What's in a sysmon event - eventid 5, process termination

Sysmon Eventid 5 - Process Termination This article pairs especially well with the Sysmon Process Creation blog post. We recommend you start there.

Microsoft , Windows , Sysmon , compound queries

Blog

10.19.2021

Announcing the Gravwell Sysmon Kit

We are pleased to announce the immediate availability of the Gravwell Sysmon kit. This kit is designed to get you started quickly with Sysmon data and demonstrate the art of the possible. This post...

EventLog , Windows , Security , kits , Sysmon , DNS

Blog

03.10.2021

What's in a Sysmon Event Pt. 2 - Network Connections

We're building a Gravwell Kit for Sysmon! This blog series examines some of the event types that Sysmon generates to see what data they contain, opportunities for enhancing security, and example...

Windows , Sysmon

Blog

10.09.2020

What's in a Sysmon Event Pt. 1 - Process creation

I'm building a Gravwell Kit for Sysmon! This blog series follows the development of that kit for the awesome (free) sensor for Windows EDR, Sysmon. In this series we'll look at each event type that...

Windows , Sysmon

Blog

09.03.2020

Windows DNS threat hunting with Sysmon and Gravwell

This month has been a big deal for IT logging of windows endpoints. Sysmon v10 was released last Tuesday and it includes the major changes of DNS logging and OriginalFileName reporting for Windows...

Data Fusion , Microsoft , Windows , Logging , Security , Community Edition , Sysmon

Blog

06.20.2019

Subscribe for Gravel Updates

Signup for the Gravwell newsletter to be the first to hear about announcements, new product features, events, and more.

Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.

TOP