Evidence: Parse SRUM Application Timeline
Description: Parse System Resource Usage Monitor (SRUM) Application Timeline data.
Category:Platform: windows
Short Name: srumtimeparse
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): No
Data Collected
This collector gathers structured records from the SRUM Application Timeline table, one row per application/user activity entry.
Parse SRUM Application Timeline Data

| Field | Description | Example |
|---|---|---|
| AutoIncId | Auto-increment ID from SRUM database | 123 |
| Timestamp | Timestamp | 2023-10-15 14:30:25 |
| InFocusTimestamp | In Focus Timestamp | 2023-10-15 14:30:25 |
| UserInputTimestamp | User Input Timestamp | 2023-10-15 14:30:25 |
| InFocusS | In Focus S | 123 |
| PSMForegroundS | PSM Foreground S | 123 |
| UserInputS | User Input S | DOMAIN\User |
| InFocusTransitions | In Focus Transitions | 123 |
| AppName | App Name | Example Name |
| UserSid | Windows SID in S-1-5-... format (from SRUM IdMapTable) | S-1-5-21-... |
| UserName | Resolved username via Windows API (LookupAccountSidW) | |
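The UserSid field above is derived from the binary identifier blob stored in SRUM's IdMapTable. The following is an added example (not the collector's own code) showing how such a blob is decoded into the textual S-1-5-... form; the sample blob and the IdType convention (3 = SID, other types = UTF-16LE app path) are assumptions based on the commonly documented IdMapTable layout.

```python
import struct

def sid_blob_to_string(blob: bytes) -> str:
    """Decode a binary Windows SID into its textual S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority (big-endian), then count x uint32
    sub-authorities (little-endian).
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short for header")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * sub_count:
        # A truncated blob would otherwise yield a misleading partial SID
        raise ValueError("SID blob truncated: sub-authority count exceeds data")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def decode_id_blob(id_type: int, blob: bytes) -> str:
    """Interpret an IdMapTable IdBlob according to its IdType (assumed
    convention: 3 = user SID, anything else = UTF-16LE application path)."""
    if id_type == 3:
        return sid_blob_to_string(blob)
    return blob.decode("utf-16-le", errors="replace").rstrip("\x00")

# Constructed sample: S-1-5-21-1000-2000-3000-1001 as raw bytes
SAMPLE_SID_BLOB = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1000, 2000, 3000, 1001
)
# Constructed sample: an application path entry (hypothetical value)
SAMPLE_APP_BLOB = "C:\\Windows\\explorer.exe".encode("utf-16-le")

if __name__ == "__main__":
    print(decode_id_blob(3, SAMPLE_SID_BLOB))
    print(decode_id_blob(0, SAMPLE_APP_BLOB))
```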