Sysmon Event ID 3


3: Network connection detected

This is an event from Sysmon.

On this page

The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

Free Security Log Resources by Randy

Description Fields in 3

  • Log Name
  • Source
  • Loggged
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • OpCode
  • Description
  • RuleName
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • User
  • Protocol
  • Initiated
  • SourceIsIpv6
  • SourceIp
  • SourceHostname
  • SourcePort
  • SourcePortName
  • DestinationIsIpv6
  • DestinationIp
  • DestinationHostname
  • DestinationPort
  • DestinationPortName

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 3

Network connection detected
RuleName: RDP
UtcTime: 2017-04-28 22:12:22.557
ProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ProcessId: 13220
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\rsmith
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceHostname: rfsH.lab.local
SourcePort: 3328
DestinationIsIpv6: false
DestinationPort: 3389
DestinationPortName: ms-wbt-server

Event XML:
<Event xmlns="">
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
        <Correlation />
        <Execution ProcessID="3216" ThreadID="3976" />
        <Security UserID="S-1-5-18" />
        <Data Name="RuleName">RDP</Data>
        <Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
        <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
        <Data Name="ProcessId">13220</Data>
        <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
        <Data Name="User">LAB\rsmith</Data>
        <Data Name="Protocol">tcp</Data>
        <Data Name="Initiated">true</Data>
        <Data Name="SourceIsIpv6">false</Data>
        <Data Name="SourceIp"></Data>
        <Data Name="SourceHostname">rfsH.lab.local</Data>
        <Data Name="SourcePort">3328</Data>
        <Data Name="SourcePortName">-</Data>
        <Data Name="DestinationIsIpv6">false</Data>
        <Data Name="DestinationIp"></Data>
        <Data Name="DestinationHostname">lab-sc-100</Data>
        <Data Name="DestinationPort">3389</Data>
        <Data Name="DestinationPortName">ms-wbt-server</Data>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources