sysmon sysmon-linux \pEventID\p(\d+)\p/EventID\p system.eventId sysmon-linux \pKeywords\p(\.+)\p/Keywords\p system.keywords sysmon-linux \pLevel\p(\d+)\p/Level\p system.level sysmon-linux \pChannel\p(\.+)\p/Channel\p system.channel sysmon-linux \pOpcode\p(\d+)\p/Opcode\p system.opcode sysmon-linux \pVersion\p(\d+)\p/Version\p system.version sysmon-linux \pTimeCreated SystemTime="(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w)" system.systemTime sysmon-linux \pEventRecordID\p(\d+)\p/EventRecordID\p system.eventRecordID sysmon-linux "\sThreadID="(\d+)"/\p system.threadID sysmon-linux \pComputer\p(\.+)\p/Computer\p system.computer sysmon-linux \pTask\p(\d+)\p/Task\p system.task sysmon-linux \pExecution\sProcessID="(\d+)" system.processID sysmon-linux \pData Name="OriginalFileName"\p(\.+)\p/Data\p eventdata.originalFileName sysmon-linux \pData Name="Image"\p(\.+)\p/Data\p eventdata.image sysmon-linux \pData Name="Product"\p(\.+)\p/Data\p eventdata.product sysmon-linux \pData Name="ParentProcessGuid"\p(\.+)\p/Data\p eventdata.parentProcessGuid sysmon-linux \pData Name="Description"\p(\.+)\p/Data\p eventdata.description sysmon-linux \pData Name="LogonGuid"\p(\.+)\p/Data\p eventdata.logonGuid sysmon-linux \pData Name="ParentCommandLine"\p(\.+)\p/Data\p eventdata.parentCommandLine sysmon-linux \pData Name="ProcessGuid"\p(\.+)\p/Data\p eventdata.processGuid sysmon-linux \pData Name="LogonId"\p(\d+)\p/Data\p eventdata.logonId sysmon-linux \pData Name="ParentProcessId"\p(\d+)\p/Data\p eventdata.parentProcessId sysmon-linux \pData Name="ProcessId"\p(\d+)\p/Data\p eventdata.processId sysmon-linux \pData Name="CurrentDirectory"\p(\.+)\p/Data\p eventdata.currentDirectory sysmon-linux \pData Name="UtcTime"\p(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w)\p/Data\p eventdata.utcTime sysmon-linux \pData Name="Hashes"\p(\.+)\p/Data\p eventdata.hashes sysmon-linux \pData Name="ParentImage"\p(\.+)\p/Data\p eventdata.parentImage sysmon-linux \pData Name="RuleName"\p(\.+)\p/Data\p eventdata.ruleName sysmon-linux \pData 
Name="Company"\p(\.+)\p/Data\p eventdata.company sysmon-linux \pData Name="CommandLine"\p(\.+)\p/Data\p eventdata.commandLine sysmon-linux \pData Name="IntegrityLevel"\p(\.+)\p/Data\p eventdata.integrityLevel sysmon-linux \pData Name="FileVersion"\p(\.+)\p/Data\p eventdata.fileVersion sysmon-linux \pData Name="User"\p(\.+)\p/Data\p eventdata.user sysmon-linux \pData Name="TerminalSessionId"\p(\.+)\p/Data\p eventdata.terminalSessionId sysmon-linux \pData Name="ParentUser"\p(\.+)\p/Data\p eventdata.parentUser sysmon-linux \pData Name="Protocol"\p(\.+)\p/Data\p eventdata.protocol sysmon-linux \pData Name="Initiated"\p(\.+)\p/Data\p eventdata.initiated sysmon-linux \pData Name="SourceIsIpv6"\p(\.+)\p/Data\p eventdata.sourceIsIpv6 sysmon-linux \pData Name="SourceIp"\p(\.+)\p/Data\p eventdata.sourceIp sysmon-linux \pData Name="SourceHostname"\p(\.+)\p/Data\p eventdata.sourceHostname sysmon-linux \pData Name="SourcePort"\p(\.+)\p/Data\p eventdata.sourcePort sysmon-linux \pData Name="SourcePortName"\p(\.+)\p/Data\p eventdata.sourcePortName sysmon-linux \pData Name="DestinationIsIpv6"\p(\.+)\p/Data\p eventdata.destinationIsIpv6 sysmon-linux \pData Name="DestinationIp"\p(\.+)\p/Data\p eventdata.destinationIp sysmon-linux \pData Name="DestinationHostname"\p(\.+)\p/Data\p eventdata.destinationHostname sysmon-linux \pData Name="DestinationPort"\p(\.+)\p/Data\p eventdata.destinationPort sysmon-linux \pData Name="DestinationPortName"\p(\.+)\p/Data\p eventdata.destinationPortName sysmon-linux \pData Name="State"\p(\.+)\p/Data\p eventdata.state sysmon-linux \pData Name="Version"\p(\.+)\p/Data\p eventdata.version sysmon-linux \pData Name="SchemaVersion"\p(\.+)\p/Data\p eventdata.schemaVersion sysmon-linux \pData Name="Device"\p(\.+)\p/Data\p eventdata.device sysmon-linux \pData Name="TargetFilename"\p(\.+)\p/Data\p eventdata.targetFilename sysmon-linux \pData Name="CreationUtcTime"\p(\d+-\d+-\d+T\d+:\d+:\d+.\d+\w)\p/Data\p eventdata.creationUtcTime sysmon-linux \pData 
Name="Configuration"\p(\.+)\p/Data\p eventdata.configuration sysmon-linux \pData Name="ConfigurationFileHash"\p(\.+)\p/Data\p eventdata.configurationFileHash sysmon-linux \pData Name="IsExecutable"\p(\.+)\p/Data\p eventdata.isExecutable sysmon-linux \pData Name="Archived"\p(\.+)\p/Data\p eventdata.archived