Event Classes

Complete listing of event classes by category.

Other

• Base Event (0): The base event is a generic and concrete event.

System Activity

• File System Activity (1001): File System Activity events report when a process performs an action on a file or folder.
• Kernel Extension Activity (1002): Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel
• Kernel Activity (1003): Kernel Activity events report when an process creates, reads, or deletes a kernel resource.
• Memory Activity (1004): Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).
• Module Activity (1005): Module Activity events report when a process loads or unloads the module.
• Scheduled Job Activity (1006): Scheduled Job Activity events report activities related to scheduled jobs or tasks.
• Process Activity (1007): Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.
• Registry Key Activity (201001): Registry Key Activity events report when a process performs an action on a Windows registry key.
• Registry Value Activity (201002): Registry Value Activity events reports when a process performs an action on a Windows registry value.
• Windows Resource Activity (201003): Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.

Findings

• Security Finding (2001): Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
• Vulnerability Finding (2002): The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
• Compliance Finding (2003): Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.
• Detection Finding (2004): A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies.
• Incident Finding (2005): An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.
• Data Security Finding (2006): A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools.

Identity & Access Management

• Account Change (3001): Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
• Authentication (3002): Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.
• Authorize Session (3003): Authorize Session events report privileges or groups assigned to a new user session, usually at login time.
• Entity Management (3004): Entity Management events report activity by a managed client, a micro service, or a user at a management console.
• User Access Management (3005): User Access Management events report management updates to a user’s privileges.
• Group Management (3006): Group Management events report management updates to a group, including updates to membership and permissions.

Network Activity

• Network Activity (4001): Network Activity events report network connection and traffic activity.
• HTTP Activity (4002): HTTP Activity events report HTTP connection and traffic information.
• DNS Activity (4003): DNS Activity events report DNS queries and answers as seen on the network.
• DHCP Activity (4004): DHCP Activity events report MAC to IP assignment via DHCP from a client or server.
• RDP Activity (4005): Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network.
• SMB Activity (4006): Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.
• SSH Activity (4007): SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.
• FTP Activity (4008): File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.
• Email Activity (4009): Email events report activities of emails.
• Network File Activity (4010): Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.
• Email File Activity (4011): Email File Activity events report files within emails.
• Email URL Activity (4012): Email URL Activity events report URLs within an email.
• NTP Activity (4013): The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.
• Tunnel Activity (4014): Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.

Discovery

• Device Inventory Info (5001): Device Inventory Info events report device inventory data that is either logged or proactively collected.
• Device Config State (5002): Device Config State events report device configuration data and CIS Benchmark results.
• User Inventory Info (5003): User Inventory Info events report user inventory data that is either logged or proactively collected.
• Operating System Patch State (5004): Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.
• Kernel Object Query (5006): Kernel Object Query events report information about discovered kernel resources.
• File Query (5007): File Query events report information about files that are present on the system.
• Folder Query (5008): Folder Query events report information about folders that are present on the system.
• Admin Group Query (5009): Admin Group Query events report information about administrative groups.
• Job Query (5010): Job Query events report information about scheduled jobs.
• Module Query (5011): Module Query events report information about loaded modules.
• Network Connection Query (5012): Network Connection Query events report information about active network connections.
• Networks Query (5013): Networks Query events report information about network adapters.
• Peripheral Device Query (5014): Peripheral Device Query events report information about peripheral devices.
• Process Query (5015): Process Query events report information about running processes.
• Service Query (5016): Service Query events report information about running services.
• User Session Query (5017): User Session Query events report information about existing user sessions.
• User Query (5018): User Query events report user data that have been discovered, queried, polled or searched.
• Device Config State Change (5019): Device Config State Change events report state changes that impact the security of the device.
• Registry Key Query (205004): Registry Key Query events report information about discovered Windows registry keys.
• Registry Value Query (205005): Registry Value Query events report information about discovered Windows registry values.
• Prefetch Query (205019): Prefetch Query events report information about Windows prefetch files.

Application Activity

• Web Resources Activity (6001): Web Resources Activity events describe actions executed on a set of Web Resources.
• Application Lifecycle (6002): Application Lifecycle events report installation, removal, start, stop of an application or service.
• API Activity (6003): API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)
• Web Resource Access Activity (6004): Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.
• Datastore Activity (6005): Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).
• File Hosting Activity (6006): File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.
• Scan Activity (6007): Scan events report the start, completion, and results of a scan job.