Complete listing of event classes by category.
- Base Event (0): The base event is a generic and concrete event.
System Activity
- File System Activity (1001): File System Activity events report when a process performs an action on a file or folder.
- Kernel Extension Activity (1002): Kernel Extension Activity events report when a driver/extension is loaded into or unloaded from the kernel.
- Kernel Activity (1003): Kernel Activity events report when a process creates, reads, or deletes a kernel resource.
- Memory Activity (1004): Memory Activity events report when a process allocates, reads, or modifies memory, or performs other memory manipulation, such as a buffer overflow or disabling Data Execution Prevention (DEP).
- Module Activity (1005): Module Activity events report when a process loads or unloads a module.
- Scheduled Job Activity (1006): Scheduled Job Activity events report activities related to scheduled jobs or tasks.
- Process Activity (1007): Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.
- Registry Key Activity (201001): Registry Key Activity events report when a process performs an action on a Windows registry key.
- Registry Value Activity (201002): Registry Value Activity events report when a process performs an action on a Windows registry value.
- Windows Resource Activity (201003): Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.
Findings
- Security Finding (2001): Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
Identity & Access Management
- Account Change (3001): Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
- Authentication (3002): Authentication events report authentication session activities, such as a user attempting to log on or log off, successfully or otherwise.
- Authorize Session (3003): Authorize Session events report privileges or groups assigned to a new user session, usually at login time.
- Entity Management (3004): Entity Management events report activity by a managed client, a microservice, or a user at a management console.
- User Access Management (3005): User Access Management events report management updates to a user’s privileges.
- Group Management (3006): Group Management events report management updates to a group, including updates to membership and permissions.
Network Activity
- Network Activity (4001): Network Activity events report network connection and traffic activity.
- HTTP Activity (4002): HTTP Activity events report HTTP connection and traffic information.
- DNS Activity (4003): DNS Activity events report DNS queries and answers as seen on the network.
- DHCP Activity (4004): DHCP Activity events report MAC-to-IP address assignments via DHCP, as seen from a client or a server.
- RDP Activity (4005): Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network.
- SMB Activity (4006): Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.
- SSH Activity (4007): SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.
- FTP Activity (4008): File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.
- Email Activity (4009): Email Activity events report email message activity.
- Network File Activity (4010): Network File Activity events report activities on a cloud file storage service such as Box, MS OneDrive, or Google Drive.
- Email File Activity (4011): Email File Activity events report files within emails.
- Email URL Activity (4012): Email URL Activity events report URLs within an email.
Discovery
- Device Inventory Info (5001): Device Inventory Info events report device inventory data.
- Device Config State (5002): Device Config State events report device configuration data.
Application Activity
- Web Resources Activity (6001): Web Resources Activity events describe actions executed on a set of Web Resources.
- Application Lifecycle (6002): Application Lifecycle events report installation, removal, start, stop of an application or service.
- API Activity (6003): API Activity events describe general CRUD (Create, Read, Update, Delete) API activities, e.g., AWS CloudTrail.
- Web Resource Access Activity (6004): Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.
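The numbering in the listing is not arbitrary: every core class ID above sits in a block of its category (1001-1007 under System Activity, 2001 under Findings, 3001-3006 under Identity & Access Management, and so on), so a pipeline can recover the category from the class ID alone and catch events whose category field disagrees with their class. The three six-digit Windows classes (201001-201003) break that pattern and have to be looked up explicitly. The script below is an added example, not code from this page or from the schema project; it assumes events are dicts carrying integer `class_uid` and `category_uid` fields (the field names are an assumption), that core class IDs encode their category as category number * 1000 + class number, and it uses constructed sample events rather than real telemetry.

```python
"""Decode and validate event class IDs against the listing above.

Added example, not code from the page or from the schema project it lists.
Assumptions: events are dicts carrying integer "class_uid" and "category_uid"
fields (field names assumed); core class IDs encode their category as
category number * 1000 + class number, as the listing's numbering suggests;
the six-digit Windows classes (201001-201003) do not fit that rule and are
resolved from the explicit table instead.
"""

# Category numbers follow the order of the listing's sections.
CATEGORIES = {
    1: "System Activity",
    2: "Findings",
    3: "Identity & Access Management",
    4: "Network Activity",
    5: "Discovery",
    6: "Application Activity",
}

# class_uid -> (class name, category number), copied from the listing above.
CLASSES = {
    0: ("Base Event", None),
    1001: ("File System Activity", 1), 1002: ("Kernel Extension Activity", 1),
    1003: ("Kernel Activity", 1), 1004: ("Memory Activity", 1),
    1005: ("Module Activity", 1), 1006: ("Scheduled Job Activity", 1),
    1007: ("Process Activity", 1), 201001: ("Registry Key Activity", 1),
    201002: ("Registry Value Activity", 1), 201003: ("Windows Resource Activity", 1),
    2001: ("Security Finding", 2),
    3001: ("Account Change", 3), 3002: ("Authentication", 3),
    3003: ("Authorize Session", 3), 3004: ("Entity Management", 3),
    3005: ("User Access Management", 3), 3006: ("Group Management", 3),
    4001: ("Network Activity", 4), 4002: ("HTTP Activity", 4),
    4003: ("DNS Activity", 4), 4004: ("DHCP Activity", 4),
    4005: ("RDP Activity", 4), 4006: ("SMB Activity", 4),
    4007: ("SSH Activity", 4), 4008: ("FTP Activity", 4),
    4009: ("Email Activity", 4), 4010: ("Network File Activity", 4),
    4011: ("Email File Activity", 4), 4012: ("Email URL Activity", 4),
    5001: ("Device Inventory Info", 5), 5002: ("Device Config State", 5),
    6001: ("Web Resources Activity", 6), 6002: ("Application Lifecycle", 6),
    6003: ("API Activity", 6), 6004: ("Web Resource Access Activity", 6),
}


def decode_class_uid(class_uid):
    """Return (category number, class name, is_extension) for a known class_uid.

    For a core class, class_uid // 1000 equals its category number; 201001 // 1000
    is 201, which is not a category in the listing, so the mismatch marks it as
    an extension class.
    """
    if class_uid not in CLASSES:
        raise ValueError(f"unknown class_uid {class_uid}")
    name, category = CLASSES[class_uid]
    is_extension = category is not None and class_uid // 1000 != category
    return category, name, is_extension


def validate_event(event):
    """Return a list of problems; empty when class_uid and category_uid agree."""
    class_uid = event.get("class_uid")
    if not isinstance(class_uid, int):
        return ["class_uid missing or not an integer"]
    try:
        category, name, _ = decode_class_uid(class_uid)
    except ValueError as exc:
        return [str(exc)]
    if category is not None and event.get("category_uid") != category:
        return [f"{name} ({class_uid}) belongs to category {category} "
                f"({CATEGORIES[category]}) but category_uid is {event.get('category_uid')}"]
    return []


def route_by_category(events):
    """Bucket class_uids by category name; events that fail validation go under 'invalid'."""
    buckets = {}
    for event in events:
        if validate_event(event):
            key = "invalid"
        else:
            category = CLASSES[event["class_uid"]][1]
            key = CATEGORIES[category] if category is not None else "uncategorized"
        buckets.setdefault(key, []).append(event.get("class_uid"))
    return buckets


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"class_uid": 1007, "category_uid": 1, "activity": "launch"},
    {"class_uid": 201001, "category_uid": 1, "activity": "create"},
    {"class_uid": 3002, "category_uid": 4, "activity": "logon"},  # wrong category
    {"class_uid": 9999, "category_uid": 9},                        # unknown class
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["class_uid"], validate_event(event) or "ok")
    print(route_by_category(SAMPLE_EVENTS))
```

The explicit table is deliberately kept alongside the arithmetic rule: the rule alone would silently assign the Windows registry classes to a non-existent category 201, and it would also accept any future core ID that is not in the listing, so unknown IDs are rejected rather than guessed.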