Mappings: Windows - Microsoft-Windows-Sysmon/Operational - 24
| Input | Value |
|---|---|
| Vendor | Microsoft |
| Product | Windows |
| Log Format | Windows |
| Event ID Regex Pattern | Microsoft-Windows-Sysmon/Operational-24 |
| Output | Value |
|---|---|
| Vendor | Microsoft |
| Product | Windows |
| Record Type | Audit |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | None | The static text ClipboardChange is populated in this schema field. |
| baseImage | EventData.Image | |
| description | None | The static text Sysmon observed the system clipboard contents change is populated in this schema field. |
| device_hostname | Computer | |
| file_hash_imphash | IMPHASH | |
| file_hash_md5 | MD5 | |
| file_hash_sha1 | SHA1 | |
| file_hash_sha256 | SHA256 | |
| pid | EventData.ProcessId | |
| sourceUid | EventRecordID | |
| timestamp | EventData.UtcTime | We expect the orginal record value of EventData.UtcTime is in the format yyyy-MM-dd HH:mm:ss.SSS |
| user_userId | Security.UserID | |
| user_username | EventData.User |