Looking at the Sysmon/Linux sources, GUIDs are constructed by concatenating the "machine id", the start time of the process (UNIX-style, seconds since 1970-1-1), and a "process start key" which is not defined in the userspace component (function GenerateUniqueId in sysmonCommon/eventsCommon.h):
*(DWORD*) pResult = machineId;
pResult += sizeof(DWORD);
*(DWORD*) pResult = seconds;
pResult += sizeof(DWORD);
*(DWORD64*) pResult = ProcessStartKey;
The "process key" is taken from m_EventBody.m_ProcessCreateEvent.m_ProcessKey which for Linux is created in the eBPF code (set_ProcCreate_info in ebpfKern/sysmonProcCreate.c):
// get the process key - this is the end of the text segment currently as it should be
// a) randomised for a PIE executable; and
// b) dependent on the amount of code in the process
event->m_ProcessKey = (uint64_t)derefPtr(task, config->offsets.mm_end_code);I'm still in the process of looking at Sysmon/Windows with a disassembler, so I can't yet speak to what happens there. However, from the logs I have looked at, I don't recognize the process id as part of the process GUID.
Looking at the Sysmon/Linux sources, GUIDs are constructed by concatenating the "machine id", the start time of the process (UNIX-style, seconds since 1970-1-1), and a "process start key" which is not defined in the userspace component (function
GenerateUniqueIdinsysmonCommon/eventsCommon.h):The "process key" is taken from
m_EventBody.m_ProcessCreateEvent.m_ProcessKeywhich for Linux is created in the eBPF code (set_ProcCreate_infoinebpfKern/sysmonProcCreate.c):I'm still in the process of looking at Sysmon/Windows with a disassembler, so I can't yet speak to what happens there. However, from the logs I have looked at, I don't recognize the process id as part of the process GUID.