
Correct Sysmon event-type documentation (Events 27-29) and fix eBPF link#50

Merged
darkoperator merged 1 commit into trustedsec:master from einlamye:guide-pr2-event-types-and-ebpf-link on Jun 30, 2026

Conversation

@einlamye

Contributor

Several accuracy fixes to the Sysmon event documentation. The "Windows Supported Event Types"
table stopped at Event 26 even though the guide already has dedicated chapters for File Block
Executable, File Block Shredding and File Executable Detected. The File Block Shredding chapter
also listed the wrong event ID, and the What is Sysmon chapter linked to the wrong GitHub repo
for the sysinternalsEBPF library (the guide's own eBPF chapter has the correct one).

Changes

  • chapters/what-is-sysmon.md
    • Added the missing event rows: File Block Executable (27), File Block Shredding (28), File Executable Detected (29).
    • Fixed the broken reference: sysinternalsEBPF library now points to https://github.com/Sysinternals/SysinternalsEBPF (was the unrelated ebpf-for-windows repo; confirmed against chapters/eBPF.md).
    • Noted that the Windows download provides three binaries (x86 / x64 / ARM64).
    • Added a dedicated "Windows on ARM (ARM64)" subsection: native ARM64 support via Sysmon64a.exe, event coverage identical to x64 (same IDs/schema), and that the native build is required because SysmonDrv must match the OS architecture.
    • Fixed author-name typo: "Tomas Garnier" → "Thomas Garnier".
  • chapters/file-blockshredding.md
    • Corrected the event ID: File Block Shredding is EventID 28, not 27 (27 is File Block Executable). Also fixed the "loggedusing" → "logged using" typo.
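The three event types this PR documents (27, 28, 29) can be pulled from a host's Sysmon log for review. The following is an added example, not code from the PR or from the guide it edits; the event IDs and names come from the PR text, while the field names `Image` and `TargetFilename` in each event's EventData are assumed.

```powershell
# Added example (not from the PR or the guide): list recent Sysmon file-block and
# file-executable events (IDs 27-29, as named in the PR) from the local Operational log.
# Assumption: all three event types carry Image and TargetFilename in their EventData.
$EventNames = @{
    27 = 'File Block Executable'
    28 = 'File Block Shredding'
    29 = 'File Executable Detected'
}

# Requires an elevated prompt on a host where Sysmon is installed and logging.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 27, 28, 29
} -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon writes its fields as <Data Name="...">value</Data> elements under EventData.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Type   = $EventNames[$e.Id]
        Image  = $data['Image']
        Target = $data['TargetFilename']
    }
}
```

Pipe the output to `Group-Object Type` to see how often each of the three event types fires on the host.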

@darkoperator darkoperator merged commit 1238f3d into trustedsec:master Jun 30, 2026
2 of 4 checks passed