Security Category

Threats and anomalies can be detected in any of the following ways:
  • By a manual or scheduled scan of a device
  • By monitoring a device for suspicious activity
  • By monitoring the network for suspicious activity

Possible threats and anomalies include:

  • Known viruses
  • Known malware
  • Suspicious file activity (AKA greyware)
  • Suspicious network activity
  • Suspicious resource activity
  • Suspicious email activity

Possible responses include:
  • Removing a file that contains one or more threats
  • Removing a registry key
  • Killing a process that contains a threat
  • Blocking network activity
  • Blocking or removing emails

| Name | ID | Description |
|------|----|-------------|
| Boot Record Detection | 8025 | Boot Record Detection events report the detection and resolution of boot record threats or policy violations. |
| Compliance | 8071 | Compliance events report the results of compliance and remediation checks. |
| Compliance Scan | 8070 | Compliance Scan events report the start, completion, and overall result of the scan. Detailed results are reported in individual Compliance events. |
| Email Analytics | 8039 | Email Analytics events report contextual information about emails blocked by the Anti-Malware service and emails blocked because attachments were determined to be malicious. |
| Email Detection | 8035 | Email Detection events report the detection and resolution of email threats and policy violations. |
| Email File Detection | 8034 | Email File Detection events report the detection and resolution of threats and policy violations within email file attachments. |
| Email URL Detection | 8036 | Email URL Detection events report the detection and resolution of URL threats and policy violations within emails. |
| Entity Change | 8061 | Entity Change events report when an entity's state changes in a way that impacts the security of the entity. |
| File Detection | 8031 | File Detection events report the detection and resolution of file threats or policy violations. |
| File Response | 8046 | File Response events report file actions taken in response to a detection. |
| Host Network Detection | 8040 | Host Network Detection events report the detection and resolution of host network threats or policy violations. |
| Host Network Traffic Detection | 8037 | Host Network Traffic Detection events report the detection of threats in the network traffic data. |
| Incident Associate | 8078 | Incident Associate events report when an event is associated with an incident. |
| Incident Closure | 8077 | Incident Closure events report when an incident has been closed. |
| Incident Creation | 8075 | Incident Creation events report the creation of an incident. |
| Incident Update | 8076 | Incident Update events report when an incident has been updated. |
| Kernel Detection | 8030 | Kernel Detection events report the detection and resolution of kernel resource threats or policy violations. |
| Memory Detection | 8029 | Memory Detection events report the detection and resolution of memory access threats or policy violations. |
| Module Detection | 8028 | Module Detection events report the detection and resolution of module threats or policy violations. |
| Network Detection | 8050 | Network Detection events report the detection and resolution of network threats or policy violations. |
| Peripheral Device Detection | 8038 | Peripheral Device Detection events report the detection and resolution of peripheral device policy violations. |
| Process Detection | 8027 | Process Detection events report the detection and resolution of process threats or policy violations. |
| Process Response | 8045 | Process Response events report process actions that were taken in response to a detection. |
| Registry Key Detection | 8032 | Registry Key Detection events report the detection and resolution of registry key threats or policy violations. |
| Registry Key Response | 8047 | Registry Key Response events report registry key actions that were taken in response to a detection. |
| Registry Value Detection | 8033 | Registry Value Detection events report the detection and resolution of registry value threats or policy violations. |
| Registry Value Response | 8048 | Registry Value Response events report registry value actions that were taken in response to a detection. |
| Scan | 8020 | Scan events report the start, completion, and results of a scan. The scan event includes the number of items that were scanned and the number of detections that were resolved. |
| Startup App Response | 8043 | Startup App Response events report service repair actions taken in response to a detection. |
| Unscannable File | 8021 | Unscannable File events report files that could not be scanned and the reasons why. |
| User Session Detection | 8026 | User Session Detection events report the detection and resolution of session threats or policy violations. |
| WMI Response | 8044 | WMI Response events report the WMI repair actions that were taken in response to a detection. |