This collection is an import from SigmaHQ (core) project rules related to Windows Process Creation.

Release: r2024-11-10

The process creation detection relies on Sysmon.

• Sysmon Download & Installation
• Example Sysmon configuration by @SwiftOnSecurity

Example acquisition for this collection:

1source: wineventlog
2pretty_name: sysmon
3event_channel: "Microsoft-Windows-Sysmon/Operational"
4labels:
5 type: sysmon