Event Classes

Complete listing of event classes by category.

Other

• Base Event (0): The base event is a generic and concrete event.

System Activity

• File System Activity (1001): File System Activity events report when a process performs an action on a file or folder.
• Kernel Extension Activity (1002): Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel
• Kernel Activity (1003): Kernel Activity events report when an process creates, reads, or deletes a kernel resource.
• Memory Activity (1004): Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).
• Module Activity (1005): Module Activity events report when a process loads or unloads the module.
• Scheduled Job Activity (1006): Scheduled Job Activity events report activities related to scheduled jobs or tasks.
• Process Activity (1007): Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.
• Registry Key Activity (201001): Registry Key Activity events report when a process performs an action on a Windows registry key.
• Registry Value Activity (201002): Registry Value Activity events reports when a process performs an action on a Windows registry value.
• Windows Resource Activity (201003): Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.

Findings

• Security Finding (2001): Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
• Vulnerability Finding (2002): The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
• Compliance Finding (2003): Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.
• Detection Finding (2004): A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies.
• Incident Finding (2005): An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.

Identity & Access Management

• Account Change (3001): Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
• Authentication (3002): Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.
• Authorize Session (3003): Authorize Session events report privileges or groups assigned to a new user session, usually at login time.
• Entity Management (3004): Entity Management events report activity by a managed client, a micro service, or a user at a management console.
• User Access Management (3005): User Access Management events report management updates to a user’s privileges.
• Group Management (3006): Group Management events report management updates to a group, including updates to membership and permissions.

Network Activity

• Network Activity (4001): Network Activity events report network connection and traffic activity.
• HTTP Activity (4002): HTTP Activity events report HTTP connection and traffic information.
• DNS Activity (4003): DNS Activity events report DNS queries and answers as seen on the network.
• DHCP Activity (4004): DHCP Activity events report MAC to IP assignment via DHCP from a client or server.
• RDP Activity (4005): Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network.
• SMB Activity (4006): Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.
• SSH Activity (4007): SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.
• FTP Activity (4008): File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.
• Email Activity (4009): Email events report activities of emails.
• Network File Activity (4010): Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.
• Email File Activity (4011): Email File Activity events report files within emails.
• Email URL Activity (4012): Email URL Activity events report URLs within an email.
• NTP Activity (4013): The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.

Discovery

• Device Inventory Info (5001): Device Inventory Info events report device inventory data that is either logged or proactively collected.
• Device Config State (5002): Device Config State events report device configuration data and CIS Benchmark results.
• User Inventory Info (5003): User Inventory Info events report user inventory data that is either logged or proactively collected.
• Operating System Patch State (5004): Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.
• Device Config State Change (5019): Device Config State Change events report state changes that impact the security of the device.
• Registry Key Info (205004): Registry Key Info events report information about discovered Windows registry keys.
• Registry Value Info (205005): Registry Value Info events report information about discovered Windows registry values.
• Prefetch Info (205019): Prefetch Info events report information about Windows prefetch files.

Application Activity

• Web Resources Activity (6001): Web Resources Activity events describe actions executed on a set of Web Resources.
• Application Lifecycle (6002): Application Lifecycle events report installation, removal, start, stop of an application or service.
• API Activity (6003): API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)
• Web Resource Access Activity (6004): Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.
• Datastore Activity (6005): Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).
• File Hosting Activity (6006): File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.
• Scan Activity (6007): Scan events report the start, completion, and results of a scan job.