This collection is an import from SigmaHQ (core) project rules related to Windows Process Creation.

Release: r2024-11-10

The process creation detection relies on Sysmon.

• Sysmon Download & Installation
• Example Sysmon configuration by @SwiftOnSecurity

Example acquisition for this collection:

source: wineventlog
pretty_name: sysmon
event_channel: "Microsoft-Windows-Sysmon/Operational"
labels:
 type: sysmon