Event Classes

Complete listing of event classes by category.

Other

• Base Event (0): The base event is a generic and concrete event.

System Activity

• File System Activity (1001): File System Activity events report when a process performs an action on a file or folder.
• Kernel Extension Activity (1002): Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel
• Kernel Activity (1003): Kernel Activity events report when an process creates, reads, or deletes a kernel resource.
• Memory Activity (1004): Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).
• Module Activity (1005): Module Activity events report when a process loads or unloads the module.
• Scheduled Job Activity (1006): Scheduled Job Activity events report activities related to scheduled jobs or tasks.
• Process Activity (1007): Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.
• Event Log Activity (1008): Event Log Activity events report actions pertaining to the system’s event logging service(s), such as disabling logging or clearing the log data.
• Script Activity (1009): Script Activity events report when a process executes a script.
• Registry Key Activity (201001): Registry Key Activity events report when a process performs an action on a Windows registry key.
• Registry Value Activity (201002): Registry Value Activity events reports when a process performs an action on a Windows registry value.
• Windows Resource Activity (201003): Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.
• Windows Service Activity (201004): Windows Service Activity events report when a process interacts with the Service Control Manager.

Findings

• Security Finding (2001): Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
• Vulnerability Finding (2002): The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
• Compliance Finding (2003): Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.
• Detection Finding (2004): A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies.
• Incident Finding (2005): An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.
• Data Security Finding (2006): A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools.
• Application Security Posture Finding (2007): The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems.
• IAM Analysis Finding (2008): This finding represents an IAM analysis result, which evaluates IAM policies, access patterns, and IAM configurations for potential security risks.

Identity & Access Management

• Account Change (3001): Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
• Authentication (3002): Authentication events report authentication session activities, including user attempts to log on or log off, regardless of success, as well as other key stages within the authentication process.
• Authorize Session (3003): Authorize Session events report privileges or groups assigned to a new user session, usually at login time.
• Entity Management (3004): Entity Management events report activity by a managed client, a micro service, or a user at a management console.
• User Access Management (3005): User Access Management events report management updates to a user’s privileges.
• Group Management (3006): Group Management events report management updates to a group, including updates to membership and permissions.

Network Activity

• Network Activity (4001): Network Activity events report network connection and traffic activity.
• HTTP Activity (4002): HTTP Activity events report HTTP connection and traffic information.
• DNS Activity (4003): DNS Activity events report DNS queries and answers as seen on the network.
• DHCP Activity (4004): DHCP Activity events report MAC to IP assignment via DHCP from a client or server.
• RDP Activity (4005): Remote Desktop Protocol (RDP) Activity events report post-authentication remote client connections between clients and servers over the network.
• SMB Activity (4006): Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.
• SSH Activity (4007): SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.
• FTP Activity (4008): File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.
• Email Activity (4009): Email Activity events report SMTP protocol and email activities including those with embedded URLs and files.
• Network File Activity (4010): Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.
• Email File Activity (4011): Email File Activity events report files within emails.
• Email URL Activity (4012): Email URL Activity events report URLs within an email.
• NTP Activity (4013): The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.
• Tunnel Activity (4014): Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.

Discovery

• Device Inventory Info (5001): Device Inventory Info events report device inventory data that is either logged or proactively collected.
• Device Config State (5002): Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.
• User Inventory Info (5003): User Inventory Info events report user inventory data that is either logged or proactively collected.
• Operating System Patch State (5004): Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.
• Kernel Object Query (5006): Kernel Object Query events report information about discovered kernel resources.
• File Query (5007): File Query events report information about files that are present on the system.
• Folder Query (5008): Folder Query events report information about folders that are present on the system.
• Admin Group Query (5009): Admin Group Query events report information about administrative groups.
• Job Query (5010): Job Query events report information about scheduled jobs.
• Module Query (5011): Module Query events report information about loaded modules.
• Network Connection Query (5012): Network Connection Query events report information about active network connections.
• Networks Query (5013): Networks Query events report information about network adapters.
• Peripheral Device Query (5014): Peripheral Device Query events report information about peripheral devices.
• Process Query (5015): Process Query events report information about running processes.
• Service Query (5016): Service Query events report information about running services.
• User Session Query (5017): User Session Query events report information about existing user sessions.
• User Query (5018): User Query events report user data that have been discovered, queried, polled or searched.
• Device Config State Change (5019): Device Config State Change events report state changes that impact the security of the device.
• Software Inventory Info (5020): Software Inventory Info events report device software inventory data that is either logged or proactively collected.
• OSINT Inventory Info (5021): OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected.
• Startup Item Query (5022): Startup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.
• Cloud Resources Inventory Info (5023): Cloud Resources Inventory Info events report cloud asset inventory data.
• Live Evidence Info (5040): Data collected directly from devices that represents forensic information pulled, queried, or discovered from devices that may indicate malicious activity.
• Registry Key Query (205004): Registry Key Query events report information about discovered Windows registry keys.
• Registry Value Query (205005): Registry Value Query events report information about discovered Windows registry values.
• Prefetch Query (205019): Prefetch Query events report information about Windows prefetch files.

Application Activity

• Web Resources Activity (6001): Web Resources Activity events describe actions executed on a set of Web Resources.
• Application Lifecycle (6002): Application Lifecycle events report installation, removal, start, stop of an application or service.
• API Activity (6003): API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)
• Web Resource Access Activity (6004): Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.
• Datastore Activity (6005): Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).
• File Hosting Activity (6006): File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, Google Drive, or network file share services.
• Scan Activity (6007): Scan events report the start, completion, and results of a scan job.
• Application Error (6008): Application Error events describe issues with an applications.

Remediation

• Remediation Activity (7001): Remediation Activity events report on attempts at remediating a compromised device or computer network.
• File Remediation Activity (7002): File Remediation Activity events report on attempts at remediating files.
• Process Remediation Activity (7003): Process Remediation Activity events report on attempts at remediating processes.
• Network Remediation Activity (7004): Network Remediation Activity events report on attempts at remediating computer networks.

Unmanned Systems

• Drone Flights Activity (8001): Drone Flights Activity events report the activity of Unmanned Aerial Systems (UAS), their Operators, and mission-planning and authorization metadata as reported by the UAS platforms themselves, by Counter-UAS (CUAS) systems, or other remote monitoring or sensing infrastructure.
• Airborne Broadcast Activity (8002): Airborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers.