# Velociraptor client event artifact: streams Sysmon EventID 1 (process
# creation) records and adds three enrichment columns computed on the endpoint
# (Authenticode, TLSH, CallChain).
name: Windows.EventLogs.SysmonProcessEnriched.yaml
author: Zane Gittins
description: |
  Collects sysmon process creation events and enriches with authenticode signature, tlsh hash, and call chain. Requires Sysmon and the process tracker.
reference:
  - https://signalsleuth.io/2025/08/31/sysmon_enrichment.html
type: CLIENT_EVENT

parameters:
  # Lifetime (seconds) of the memo used by both enrichers. Entries are keyed
  # on the Sysmon-reported hash of the image, so identical content is only
  # verified / TLSH-hashed once per CachePeriod.
  # NOTE(review): this assumes Sysmon is configured to record hashes; if
  # EventData.Hashes is empty, every image collapses onto one cache key — confirm.
  - name: CachePeriod
    default: 3600
    description: Cache the authenticode signature and tlsh hash of a image for this duration of seconds.
    type: int64
  # TLSH is only computed for images whose path matches this regex; the
  # default covers locations that are typically user-writable.
  - name: TLSHImageRegex
    default: 'AppData|Downloads|Desktop|Public|Temp'
    description: If an image matches this regex, calculate the TLSH hash.
    type: regex

sources:
  - precondition: SELECT OS From info() where OS = 'windows'
    # NOTE(review): authenticode() and tlsh_hash() re-read EventData.Image from
    # disk after the event has fired, while the cache key is the Sysmon hash of
    # the binary that actually ran. If the on-disk file changes in between, the
    # cached Authenticode/TLSH values describe the current file, not the
    # executed one; treat them as best-effort enrichment, not ground truth.
    # TLSH has no else branch, so it is unset for images outside the regex.
    # CallChain comes from process_tracker_callchain() looked up by the Sysmon
    # ProcessId; the one-second delay() presumably gives the process tracker
    # time to observe the new process first — confirm against the tracker docs.
    query: |
      // Memoised enrichers; Path is the image path taken from the Sysmon event.
      LET verify_image(Path) = authenticode(filename=Path)
      LET tlsh_image(Path) = tlsh_hash(path=Path)

      // Sysmon EventID 1 is process creation.
      LET process_create_events = SELECT *
        FROM watch_evtx(filename="C:\\Windows\\system32\\winevt\\Logs\\Microsoft-Windows-Sysmon%4Operational.evtx")
        WHERE System.EventID.Value = 1

      SELECT *,
             cache(period=CachePeriod,
                   func=verify_image(Path=EventData.Image),
                   key=str(str=EventData.Hashes),
                   name="auth") AS Authenticode,
             if(condition=(EventData.Image =~ TLSHImageRegex),
                then=cache(period=CachePeriod,
                           func=tlsh_image(Path=EventData.Image),
                           key=str(str=EventData.Hashes),
                           name="tlsh")) AS TLSH,
             join(array=process_tracker_callchain(id=EventData.ProcessId).Data.Name,
                  sep="->") AS CallChain
      FROM delay(query=process_create_events, delay=1)

resources:
  max_rows: 1000