In the Kibana dashboard, Winlogbeat records the Sysmon event and sends it to Elasticsearch and henceforth to Kibana. There are three time-based field names and I am not able to understand the difference between them, namely event_data.PreviousCreationUtcTime, event_data.UtcTime and event_data.CreationUtcTime.

Hi,
The fields below event_data come from the raw Sysmon event and their meaning seems to depend on the event ID.
For these particular fields I've found: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002
It indicates that a file's creation time has been changed, being:
- UtcTime: Time the change occurred
- TargetFilename: Name of the file changed
- PreviousCreationUtcTime: Previous file creation time.
- CreationUtcTime: New file creation time.
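As an added example (not part of the original thread), here is how those four fields can be used on the defensive side: a small Python script that reads Winlogbeat-style JSON documents for Sysmon Event ID 2 (file creation time changed) and flags files whose CreationUtcTime was moved far behind PreviousCreationUtcTime, the pattern a timestomped file leaves. The sample documents, their paths and the event_id/event_data layout are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample Winlogbeat documents for Sysmon Event ID 2 (file
# creation time changed); field names follow the event_data.* names
# discussed in the thread, values are made up for illustration.
SAMPLE_EVENTS = [
    json.dumps({"event_id": 2, "event_data": {
        "UtcTime": "2020-05-01 10:15:02.113",
        "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.exe",
        "PreviousCreationUtcTime": "2020-05-01 10:14:58.001",
        "CreationUtcTime": "2017-03-12 08:00:00.000",
        "Image": "C:\\Users\\alice\\Downloads\\setup.exe"}}),
    json.dumps({"event_id": 2, "event_data": {
        "UtcTime": "2020-05-01 10:20:00.500",
        "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx",
        "PreviousCreationUtcTime": "2020-05-01 10:19:59.900",
        "CreationUtcTime": "2020-05-01 10:19:59.900",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}}),
    json.dumps({"event_id": 1, "event_data": {
        "UtcTime": "2020-05-01 10:21:00.000", "Image": "C:\\Windows\\notepad.exe"}}),
]

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon writes UTC with millisecond precision

def parse_ts(value):
    """Turn a Sysmon UtcTime-style string into an aware UTC datetime."""
    return datetime.strptime(value, SYSMON_TS).replace(tzinfo=timezone.utc)

def find_backdated(lines, min_backdate_days=1):
    """Return (TargetFilename, days_moved_back, Image) for each Event ID 2
    record whose new creation time is at least min_backdate_days earlier
    than the previous one, i.e. the file was made to look older."""
    hits = []
    for line in lines:
        doc = json.loads(line)
        if doc.get("event_id") != 2:
            continue  # only "File creation time changed" carries these fields
        ed = doc["event_data"]
        previous = parse_ts(ed["PreviousCreationUtcTime"])
        new = parse_ts(ed["CreationUtcTime"])
        moved_back = (previous - new).total_seconds() / 86400  # positive = backdated
        if moved_back >= min_backdate_days:
            hits.append((ed["TargetFilename"], round(moved_back, 2), ed.get("Image")))
    return hits

if __name__ == "__main__":
    for hit in find_backdated(SAMPLE_EVENTS):
        print(hit)
```

The same comparison can be expressed as a Kibana query or Watcher condition once both timestamps are mapped as date fields; the script just makes the relationship between the three fields explicit.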
Hi Adrisr,
Can this data be manipulated to find out the launch time of an application?
For that you have Event ID 1: Process Creation
Hi,
By launch time I mean how much time it took to open an application and pop up on the screen.
Can Sysmon and Winlogbeat record this kind of data?
I'm no expert, but I don't think Sysmon has support for that, as it is rather application-specific.
Hey,
I don't think Sysmon can provide "latency" in relation to process creation etc. Here I would go for another Sysinternals tool called Procmon.
If you google "procmon latency" you get some good pointers.
Again, assuming I understand your problem correctly.
Hi,
Procmon is giving data regarding the process creation, but the duration of process creation is 0.000000, which is not theoretically possible. Is relative duration a correct measure to find out the launching time of the application? If yes, can we create logs of this and send the data to Kibana through Winlogbeat?