Scan Event

Scan events report the start, completion, and results of a scan. The scan event includes the number of items that were scanned and the number of detections that were resolved.
Attributes are listed below by group as: Name (attribute) | Group | Requirement | Type, followed by the description. [Ext] marks the attributes the original table flags as extensions (Ext). Enumerated values are listed as value: label, followed by the page's explanation of the value where it gives one.

Classification

Event ID (event_id) | Classification | Reserved | Integer
  The event ID identifies the event's semantics, structure and outcome. As the values show, a Scan event ID is the type ID (8020) followed by the three-digit Disposition (id), so 8020004 is Scan: Duration Violation.
  • 8020000: Scan: Unknown
  • 8020001: Scan: Started
  • 8020002: Scan: Completed
  • 8020003: Scan: Cancelled
  • 8020004: Scan: Duration Violation. The allocated scan time was insufficient to complete the requested scan.
  • 8020005: Scan: Pause Violation. The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and was not resumed within the allotted time.
  • 8020006: Scan: Error. The scan could not be completed due to an internal error.
  • 8020007: Scan: Paused
  • 8020008: Scan: Resumed. The scan was resumed from the pause point.
  • 8020009: Scan: Restarted. The scan restarted from the beginning of the file enumeration.
  • 8020010: Scan: Delayed. The user delayed the scan.

Severity (severity_id) | Classification | Required | Integer
  The severity of the event.
  • 0: Unknown. The event severity is not known.
  • 1: Informational. Purely informational; no action needed.
  • 2: Warning. The user decides if action is needed.
  • 3: Minor. Action is required, but the situation is not serious at this time.
  • 4: Major. Action is required immediately.
  • 5: Critical. Action is required immediately and the scope is broad.
  • 6: Fatal. An error occurred, but it is too late to take remedial action.

Version (version) | Classification | Required | String
  The event type version, in the form major.minor, for example 1.7. Event consumers use the version to determine what the event attributes represent.

Type (type_id) | Classification | Required | Integer
  The event type.
  • 8020: Scan. Scan events report the start, completion, and results of a scan, including the number of items that were scanned and the number of detections that were resolved.

Category (category_id) | Classification | Required | Integer
  The event type category.
  • 1: Security

Type String (type) [Ext] | Classification | Optional | String
  The event type, as a string.

Disposition (id) | Classification | Required | Integer
  The outcome of the event. The values correspond to the last three digits of the Event ID.
  • 0: Unknown
  • 1: Started
  • 2: Completed
  • 3: Cancelled
  • 4: Duration Violation. The allocated scan time was insufficient to complete the requested scan.
  • 5: Pause Violation. The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and was not resumed within the allotted time.
  • 6: Error. The scan could not be completed due to an internal error.
  • 7: Paused
  • 8: Resumed. The scan was resumed from the pause point.
  • 9: Restarted. The scan restarted from the beginning of the file enumeration.
  • 10: Delayed. The user delayed the scan.
Primary

Scan identification and context

Scan ID (scan_uid) [Ext] | Primary | Recommended | String
  The identifier of this scan.

Scan Name (scan_name) | Primary | Recommended | String
  The administrator-supplied or application-generated name of the scan. For example:
  • "Home office weekly user database scan"
  • "Scan folders for viruses"
  • "Full system virus scan"

Scan Type (scan_type_id) | Primary | Recommended | Integer
  The type of scan, i.e. what triggered it.
  • 0: Unknown
  • 1: Manual. The scan was manually initiated by the user or administrator.
  • 2: Scheduled. The scan was started by the scheduler.
  • 3: Updated Definitions. The scan was triggered by a content update.
  • 4: Quarantined Items. The scan was triggered by newly quarantined items.
  • 5: Attached Media. The scan was triggered by the attachment of removable media.
  • 6: User Logon. The scan was started due to a user logon.
  • 7: ELAM. The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.
  • 8: Command. The scan was triggered by a command from the management server.

Scan Coverage Identifier (scan_coverage_id) | Primary | Recommended | Integer
  The type of scan coverage.
  • 0: Unknown
  • 1: Full Scan
  • 2: Quick Scan. Scans the file locations most likely to get infected or to be a source of infection.
  • 3: Custom Scan. Scans specific paths specified by the administrator or endpoint user.

Scan Outcome (verdict_id) | Primary | Recommended | Integer
  The outcome of the scan.
  • 0: Unknown
  • 1: Resolved. Threats were resolved.
  • 2: Clean. No threats detected.
  • 3: Unresolved. Some threats were not resolved.
  • 4: Error. Scan error.
  • 5: Cancelled. The scan was cancelled.

Policy (policy) | Primary | Recommended | Policy
  The policy associated with this Scan event; required if the scan was initiated by a policy.

Schedule ID (schedule_uid) [Ext] | Primary | Recommended | String
  The schedule identifier that is associated with this Scan event; required if the scan was initiated by a schedule.

Command ID (command_uid) [Ext] | Primary | Optional | String
  The command identifier that is associated with this Scan event; required if the scan was initiated by a command.

Correlation ID (correlation_uid) [Ext] | Primary | Optional | String
  The unique identifier used to correlate events.

Event Unique ID (uuid) | Primary | Reserved | String
  The system-assigned unique identifier of an event occurrence.

Scan timing

Scan Start (scan_start) [Ext] | Primary | Recommended | Datetime
  The time that the scan started.
  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Scan End (scan_end) [Ext] | Primary | Recommended | Datetime
  The time that the scan ended.
  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Duration (duration) | Primary | Recommended | Integer
  The duration of the scan, in seconds.

Scan counters

Total (total) [Ext] | Primary | Recommended | Integer
  The total number of items that were scanned; zero if no items were scanned. Required for all events except Started.

Scanned Files (num_files) [Ext] | Primary | Recommended | Integer
  The number of files scanned.

Scanned Folders (num_folders) [Ext] | Primary | Recommended | Integer
  The number of folders scanned.

Scanned Archives (num_archives) [Ext] | Primary | Recommended | Integer
  The number of archives scanned.

Scanned Processes (num_processes) [Ext] | Primary | Recommended | Integer
  The number of processes scanned.

Scanned Registry Items (num_registry) [Ext] | Primary | Recommended | Integer
  The number of registry items scanned.

Scanned Network Items (num_network) [Ext] | Primary | Recommended | Integer
  The number of network items scanned.

Skipped (num_skipped) [Ext] | Primary | Recommended | Integer
  The number of skipped items.

Error Files (num_errors) [Ext] | Primary | Recommended | Integer
  The number of files with either scanning or remediation errors.

Trusted (num_trusted) [Ext] | Primary | Recommended | Integer
  The number of trusted items.

Detections (num_detections) [Ext] | Primary | Recommended | Integer
  The number of detections.

Resolutions (num_resolutions) [Ext] | Primary | Recommended | Integer
  The number of items that were resolved.

Unresolved (num_unresolved) [Ext] | Primary | Recommended | Integer
  The number of scanned items with threats but no resolution.

Related objects

Entity (entity) [Ext] | Primary | Optional | Managed Entity
  The managed entity that pertains to the event.

Events (events) [Ext] | Primary | Optional | JSON Array
  The additional events that pertain to the event or incident.

Sessions (sessions) [Ext] | Primary | Optional | Session Array
  The user sessions on the device.

CybOX (cybox) [Ext] | Primary | Reserved | Cyber Observable eXpression
  The Cyber Observable eXpression (CybOX) attributes.

Log Name (log_name) [Ext] | Primary | Reserved | String
  The name of the database, index, or archive where the event was logged.

Message

Message ID (message_id) [Ext] | Message | Optional | String
  The numeric representation of the message, ordinarily used for translation purposes.

Message Code (message_code) [Ext] | Message | Optional | String
  The coded string representation of the message, ordinarily used for troubleshooting.

Message (message) | Message | Recommended | String
  The description of the event.

Occurrence

Composite Event (composite) [Ext] | Occurrence | Optional | Integer
  The type of composite event. See the Event Logging API for more information.
  • 1: Intact. The composite event is stored as-is.
  • 2: Expanded. The composite event is expanded into multiple events.

Event Time (time) | Occurrence | Reserved | Datetime
  The event occurrence time (Device Time) adjusted to the server clock.
  Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Count (count) [Ext] | Occurrence | Optional | Integer
  For aggregated events, the number of times that the event occurred during the period from Device Time to Device End Time.

Sequence Number (seq_num) [Ext] | Occurrence | Recommended | Integer
  A 32-bit positive number that indicates the order of events sent by the client.
  Note: The first event that a client sends has a Sequence Number of 1, and the client increments the Sequence Number with each subsequent event. For Expanded (2) composite events (UNPACK), each event in the events array must have a unique seq_num, such that events[i+1].seq_num = events[i].seq_num + 1. When the sequence number reaches java.lang.Integer.MAX_VALUE (2147483647) it wraps around and must start again from 1. The event service records sequence numbers to detect lost events.

End Time (end_time) [Ext] | Occurrence | Reserved | Datetime
  For aggregate events, the Device End Time adjusted to the server clock.

Device Time (device_time) | Occurrence | Required | Datetime
  The time that the event occurred at the device.
  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. The event producer or the event collection agent that detects the event provides the Device Time.

Collected Time (log_time) [Ext] | Occurrence | Reserved | Datetime
  The time that the system collected the event.
  Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Device End Time (device_end_time) [Ext] | Occurrence | Optional | Datetime
  The time of the last aggregated event.
  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC, and this value must be greater than or equal to the Device Time (device_time) value.

Time Zone (timezone) | Occurrence | Recommended | Integer
  The difference, in minutes, between the local time in the device's time zone and Coordinated Universal Time (UTC).
  Example: In a state observing daylight time in the Pacific time zone, the Bias is 480 minutes and the DaylightBias is -60 minutes. To determine the UTC time for June 11, 2 A.M. local (Pacific daylight) time, add the Bias (480/60 hours) and the DaylightBias (-60/60 hours) to the local time: the time in UTC is June 11, 9 A.M.
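The seq_num rule above (first event is 1, each event adds 1, wrap from java.lang.Integer.MAX_VALUE back to 1, consumers use the numbers to detect lost events) is easy to get wrong at the wrap and on replayed events. The following is an added example, not the event service's own code; it keys clients by an arbitrary string (using device_uid for that is an assumption) and treats any events before a client's first observed number as lost (also an assumption).

```python
# Lost-event detection from seq_num as described in the Sequence Number note:
# the first event a client sends carries 1, every later event adds 1, and after
# java.lang.Integer.MAX_VALUE the counter restarts at 1.  Added example, not the
# event service's own code.
from typing import Dict, List

INT_MAX = 2_147_483_647  # java.lang.Integer.MAX_VALUE, the wrap point


def next_seq(seq: int) -> int:
    """Successor of a sequence number; wraps from INT_MAX back to 1 (0 is never used)."""
    return 1 if seq == INT_MAX else seq + 1


def check_composite(events: List[dict]) -> bool:
    """For an Expanded (UNPACK) composite event every entry of the events array
    must carry a unique seq_num with events[i+1].seq_num == next(events[i].seq_num)."""
    seqs = [e["seq_num"] for e in events]
    return len(set(seqs)) == len(seqs) and all(
        next_seq(a) == b for a, b in zip(seqs, seqs[1:]))


class SequenceTracker:
    """Per-client bookkeeping of the last seq_num seen.

    The client key is the consumer's choice; using device_uid is an ASSUMPTION,
    the note only says the numbering is per client.
    """

    def __init__(self) -> None:
        self._last: Dict[str, int] = {}
        self.lost: Dict[str, int] = {}          # events judged missing, per client
        self.duplicates: Dict[str, int] = {}
        self.out_of_order: Dict[str, int] = {}

    def observe(self, client: str, seq: int) -> int:
        """Record seq for client and return how many events are missing between
        the previous event and this one (0 when the sequence is intact)."""
        if not 1 <= seq <= INT_MAX:
            raise ValueError(f"seq_num {seq} outside 1..{INT_MAX}")
        last = self._last.get(client)
        if last is None:
            # The first event from a client should be 1.  ASSUMPTION: a higher
            # first value means the earlier events were lost.
            gap = seq - 1
        elif seq == last:
            self.duplicates[client] = self.duplicates.get(client, 0) + 1
            return 0
        else:
            # Distance modulo INT_MAX makes the wrap INT_MAX -> 1 look like +1.
            gap = (seq - next_seq(last)) % INT_MAX
            if gap > INT_MAX // 2:
                # "Far ahead" modulo the wrap is really behind: a late or replayed
                # event.  Do not advance the cursor and do not count it as loss.
                self.out_of_order[client] = self.out_of_order.get(client, 0) + 1
                return 0
        self._last[client] = seq
        self.lost[client] = self.lost.get(client, 0) + gap
        return gap


if __name__ == "__main__":
    t = SequenceTracker()
    for s in (INT_MAX - 1, INT_MAX, 1, 2, 5):   # constructed stream with one gap
        print(s, "missing before it:", t.observe("device-1", s))
    print("lost so far:", t.lost["device-1"])
```

The modular distance is what keeps the wrap from showing up as either a loss of two billion events or a replay; anything more than half the range "ahead" is reported as out of order instead, which is how a duplicate-delivery or a late retransmission from the client looks to the consumer.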

Origination

Customer, domain and user

Customer ID (customer_uid) [Ext] | Origination | Recommended | String
  The unique customer identifier.

Customer Registry ID (customer_registry_uid) [Ext] | Origination | Optional | String
  The unique Symantec customer registry identifier.

Domain ID (domain_uid) [Ext] | Origination | Recommended | String
  The unique domain identifier.

Device Org Unit ID (org_unit_uid) [Ext] | Origination | Recommended | String
  The unique identifier of the organizational unit.

User ID (user_uid) [Ext] | Origination | Recommended | String
  The unique identifier of the user associated with the event.

User Name (user_name) | Origination | Recommended | String
  The name of the user that originated or caused the event (if the event involves a user), or the user on whose behalf the event occurred.

User (user) | Origination | Recommended | User
  The user that pertains to the event. Can be used to provide information in addition to User Name.

User Present (is_user_present) [Ext] | Origination | Optional | Boolean
  Whether a user was logged on at event generation time.

Impersonator Customer ID (impersonator_customer_uid) [Ext] | Origination | Optional | String
  The unique customer identifier of the impersonating agent.

Impersonator Domain ID (impersonator_domain_uid) [Ext] | Origination | Optional | String
  The unique domain identifier of the impersonating agent.

Impersonator User ID (impersonator_user_uid) [Ext] | Origination | Optional | String
  The unique user identifier of the impersonating agent.

Product and feature

Product Name (product_name) | Origination | Recommended | String
  The name of the product originating the event.

Product ID (product_uid) [Ext] | Origination | Recommended | String
  The unique identifier of the product originating the event.

Product Version (product_ver) | Origination | Recommended | String
  The version of the product.
  Note: The version is as defined by the product SKU originating the event. For example: "2013.1.3-beta".

Product Language (product_lang) [Ext] | Origination | Recommended | String
  The two-letter lower-case language code as defined by ISO 639-1. For example: "en" (English), "de" (German), or "fr" (French).

Product Data (product_data) [Ext] | Origination | Optional | JSON
  The event attributes that are specific to the reporting product.

Feature ID (feature_uid) [Ext] | Origination | Recommended | String
  The unique identifier of the feature originating the event.

Feature Name (feature_name) [Ext] | Origination | Recommended | String
  The name of the feature originating the event.
  Note: The Feature Name is ordinarily defined by the product SKU, but it could be any other name that identifies the software component originating the event. For example: "Live Update".

Feature Path (feature_path) [Ext] | Origination | Recommended | String
  The path of the feature originating the event.

Feature Type (feature_type) [Ext] | Origination | Recommended | String
  The type of feature.

Feature Version (feature_ver) [Ext] | Origination | Recommended | String
  The version of the feature originating the event. For example: "2014.1.3.64".

Sub-feature Name (subfeature_name) [Ext] | Origination | Optional | String
  The name of the sub-feature originating the event.

Device identity and grouping

Device ID (device_uid) [Ext] | Origination | Recommended | String
  The unique identifier of the device.

Device Reference ID (device_ref_uid) [Ext] | Origination | Optional | String
  The unique reference identifier of the device.

Device Name (device_name) | Origination | Recommended | String
  The name of the device originating the event.
  Note: The Device Name is ordinarily the host name, but it could be any other string that helps to identify the device, such as a phone number; for example "computer.domain" or "310.555.1234".

Device MD5 (device_name_md5) [Ext] | Origination | Optional | String
  The MD5 hash of the device name.
  Note: The hash must be of the lower-case device name.

Device Alias (device_alias_name) [Ext] | Origination | Optional | String
  The alternate device name, ordinarily as assigned by an administrator.

Device Caption (device_cap) [Ext] | Origination | Optional | String
  A short description or caption of the device. For example: "ATP Scanner 1" or "CSP Manager".

Device Description (device_desc) [Ext] | Origination | Optional | String
  The description of the device, ordinarily as reported by the operating system.

Device Type (device_type) [Ext] | Origination | Recommended | String
  The type of device originating the event. For example: "unknown", "server", "desktop", "laptop", "tablet", "mobile", "virtual", "browser", or "other".

Device IMEI (device_imei) [Ext] | Origination | Optional | String
  The International Mobile Station Equipment Identifier that is associated with the device.

Device Group (device_group) [Ext] | Origination | Optional | String
  The full path of the group to which the device belongs. For example: West Coast\Windows Laptops.

Device Group Name (device_group_name) [Ext] | Origination | Optional | String
  The name of the leaf group to which the device belongs. For example: Windows Laptops.

Device Org Unit (device_org_unit) [Ext] | Origination | Recommended | String
  The name of the org unit to which the device belongs.

Device Site (device_site) [Ext] | Origination | Recommended | String
  The name of the site to which the device belongs.

Device Domain (device_domain) [Ext] | Origination | Recommended | String
  The network domain where the device resides. For example: "internal.somecompany.com".

Device Domain ID (device_domain_uid) [Ext] | Origination | Recommended | String
  The unique identifier of the domain where the device resides.

Device Location (device_location) [Ext] | Origination | Optional | Location
  The location of the device at the time of the event.

Compliant Device (device_is_compliant) [Ext] | Origination | Optional | Boolean
  The event occurred on a compliant device.

Personal Device (device_is_personal) [Ext] | Origination | Optional | Boolean
  The event occurred on a personal device.

Trusted Device (device_is_trusted) [Ext] | Origination | Optional | Boolean
  The event occurred on a trusted device.

Unmanaged Device (device_is_unmanaged) [Ext] | Origination | Optional | Boolean
  The event occurred on an unmanaged device.

Device hardware

Device BIOS Manufacturer (device_hw_bios_manufacturer) [Ext] | Origination | Optional | String
  The BIOS manufacturer. For example: "LENOVO".

Device BIOS Date (device_hw_bios_date) [Ext] | Origination | Optional | String
  The BIOS date. For example: "03/31/16".

Device BIOS Version (device_hw_bios_ver) [Ext] | Origination | Optional | String
  The BIOS version. For example: "LENOVO G5ETA2WW (2.62)".

Device Processor Type (device_hw_cpu_type) [Ext] | Origination | Optional | String
  The processor type. For example: "x86 Family 6 Model 37 Stepping 5".

Device OS Bits (device_os_bits) [Ext] | Origination | Optional | Integer
  The number of processor bits. For example: 64 or 128.

Device operating system

Device OS (device_os_name) [Ext] | Origination | Recommended | String
  The name of the operating system running on the device from which the event originated. For example: "Windows 10 Home Basic", "Mac OS X", "iOS", or "Android".

Device OS Type (device_os_type_id) [Ext] | Origination | Recommended | Integer
  The type of the operating system.
  • 0: Unknown
  • 100: Windows
  • 200: Linux
  • 300: Solaris
  • 301: AIX
  • 302: HP-UX
  • 400: Macintosh
  • 500: iOS
  • 501: Android
  • 502: Windows Mobile
  • 503: iPadOS
  • 1001: Other

Device OS Version (device_os_ver) [Ext] | Origination | Optional | String
  The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".

Device OS Build (device_os_build) [Ext] | Origination | Optional | String
  The operating system build number.

Device OS Edition (device_os_edition) [Ext] | Origination | Optional | String
  The operating system edition. For example: "Professional".

Device OS Service Pack (device_os_sp_name) [Ext] | Origination | Optional | String
  The name of the latest Service Pack.

Device OS Service Pack Version (device_os_sp_ver) [Ext] | Origination | Optional | String
  The version number of the latest Service Pack.

Device OS Language (device_os_lang) [Ext] | Origination | Optional | String
  The lower-case two-letter language code as defined by ISO 639-1. For example: "en", "de", or "fr".

Device OS Country Code (device_os_country) [Ext] | Origination | Optional | String
  The operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.

Virtualization and hosting

Device Virtual Host Type (device_vhost_id) [Ext] | Origination | Optional | Integer
  The device virtual host type.
  • 0: Unknown
  • 1: None
  • 10: VMware
  • 11: Hyper-V
  • 12: Xen
  • 13: KVM
  • 14: QEMU
  • 15: VirtualBox
  • 16: Solaris Zones
  • 30: AWS
  • 31: Azure
  • 32: GCP
  • 33: OCP
  • 50: Docker
  • 51: Cloud Foundry
  • 52: LXC

Device Virtual Host Type String (device_vhost) [Ext] | Origination | Optional | String
  The device virtual host type, as a string.

Device Cloud VM (device_cloud_vm) [Ext] | Origination | Optional | Cloud Hosted VM
  The cloud-hosted virtual machine.

Container (container) [Ext] | Origination | Optional | Container
  The container that pertains to the event.

Network

Device IP Address (device_ip) | Origination | Recommended | IP Address
  The IP address that pertains to the event, in either IPv4 or IPv6 format.
  Note: Because the IP address of a device can change, the IP address must be captured when the event occurs, which may differ from when the event is sent. If additional network information is pertinent to the event, also populate Device Network Information (device_networks).

Device Public IP (device_public_ip) [Ext] | Origination | Reserved | IP Address
  The public IP address.
  Note: The Device Public IP is populated with the value of the x-forwarded-for message header, if present.

Device Network Information (device_networks) [Ext] | Origination | Recommended | Network Info Array
  The network information objects that are associated with the device, one for each MAC address/IP address combination.
  Note: The first element of the array is the network information that pertains to the event.

Device MAC Addresses (device_mac) [Ext] | Origination | Optional | String
  The Media Access Control (MAC) address that is associated with the device.

Device Subnet (device_subnet) [Ext] | Origination | Optional | IP Address
  The subnet IP address. For example: "255.0.0.0".

Device Gateway (device_gateway) [Ext] | Origination | Optional | IP Address
  The gateway IP address. For example: "10.0.0.1".

Device Proxy Name (device_proxy_name) [Ext] | Origination | Optional | String
  The proxy host name. For example: "localproxy".

Device Proxy IP (device_proxy_ip) [Ext] | Origination | Optional | IP Address
  The proxy IP address.

Reference and raw event data

Reference Event ID (ref_uid) [Ext] | Origination | Optional | String
  The unique external original message or event identifier that was used to record the event. For example: the Windows Event Log Event ID, the SEPM event UID, or the SYSLOG msgid.

Original Event ID (ref_orig_uid) [Ext] | Origination | Optional | String
  The unique identifier of the external event that corresponds to Reference Event ID (ref_uid), if applicable.

Reference Event Log Name (ref_log_name) [Ext] | Origination | Optional | String
  The log name of the reference event.

Reference Event Log Time (ref_log_time) [Ext] | Origination | Optional | Datetime
  The log time of the reference event.
  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Raw Data (raw_data) [Ext] | Origination | Optional | String
  The event data as received.

Original Data (orig_data) [Ext] | Origination | Reserved | String
  The pre-normalized event data.

Source (source) [Ext] | Origination | Optional | Event Source
  The monitored source that originated the event.
Status

Log Level (log_level) [Ext] | Status | Optional | String
  The log level as reported by the logger subsystem.

Stack Trace (status_stack_trace) [Ext] | Status | Optional | String
  The list of calls that the application was making when an exception was thrown.

Status Details (status_detail) [Ext] | Status | Optional | String
  The status details.

OS Code Source (status_os_src) [Ext] | Status | Optional | Integer
  Indicates whether the OS Code (status_os) returned to the application for the requested operation was returned by the OS (0) or generated by the security product (1).

OS Code (status_os) [Ext] | Status | Optional | String
  The operating system result code.

Thread Name (status_thread_name) [Ext] | Status | Optional | String
  The name of the thread that pertains to the status.

Status (status_id) | Status | Optional | Integer
  The cross-platform event status.
  • 0: Unknown
  • 1: Success
  • 2: Failure
  • 3: In Progress
  • 4: Partial Success

Remediation

Remediation (remediation) [Ext] | Remediation | Optional | String
  The remediation information.

Remediation Reference (remediation_ref) [Ext] | Remediation | Optional | String
  The reference to remediation information.
  Note: The information can be either internal or external to the reporting product.

Remediation ID (remediation_uid) [Ext] | Remediation | Optional | String
  The unique identifier of the remediation information.

Remediated (remediated) [Ext] | Remediation | Optional | Boolean
  Whether the event was remediated.

Collector

Logging Device Time (logging_device_post_time) [Ext] | Collector | Optional | Datetime
  The time when the event was logged by the logging device.
  Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Logging Device IP (logging_device_ip) [Ext] | Collector | Optional | IP Address
  The IP address of the device that logged the event.

Logging Device Name (logging_device_name) [Ext] | Collector | Optional | String
  The name of the device that logged the event.

Logging Device ID (logging_device_ref_uid) [Ext] | Collector | Optional | String
  The unique identifier of the device that collects logs from other devices.

Collector ID (collector_uid) [Ext] | Collector | Optional | String
  The unique identifier of the collector.

Collector Name (collector_name) [Ext] | Collector | Optional | String
  The name of the collector.

Collector Device Name (collector_device_name) [Ext] | Collector | Optional | String
  The name of the collector device.

Collector Device IP (collector_device_ip) [Ext] | Collector | Optional | IP Address
  The IP address of the collector device, in either IPv4 or IPv6 format.

Proxy Device Name (proxy_device_name) [Ext] | Collector | Optional | String
  The name of the proxy device that is collecting events from other devices.

Proxy Device IP (proxy_device_ip) [Ext] | Collector | Optional | IP Address
  The IP address of the proxy device that is collecting events from other devices, for example the IP address of a Windows domain controller. The format is either IPv4 or IPv6.

STIC

STIC Version (stic_version) [Ext] | STIC | Optional | String
  The version of the STIC library.

STIC Control Data ID (stic_schema_id) [Ext] | STIC | Optional | String
  The telemetry submission control data identifier, represented as an 8-byte hexadecimal string.

STIC PII (stic_has_pii) [Ext] | STIC | Optional | Boolean
  Whether the event has any Personally Identifiable Information (PII).

STIC Machine ID (stic_uid) [Ext] | STIC | Optional | String
  The device Machine ID.

STIC Machine IDs (stic_legacy_uids) [Ext] | STIC | Optional | String Array
  The list of Machine IDs that have been associated with the device.

STIC Hardware ID (stic_hw_uid) [Ext] | STIC | Optional | String
  The device hardware ID.

STIC Hardware IDs (stic_legacy_hw_uids) [Ext] | STIC | Optional | String Array
  The list of Hardware IDs that have been associated with the device.

STIC Enterprise IDs (stic_legacy_ent_uids) [Ext] | STIC | Optional | String Array
  The list of Enterprise IDs (related to license entitlement) that have been associated with the device.

STIC IP Hash (stic_ip_hash) [Ext] | STIC | Optional | String
  The STIC hash of the IP address.
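The table states a number of cross-attribute constraints that a consumer should check before trusting a Scan event: the event_id must agree with type_id and the Disposition, total is required for every disposition except Started, schedule_uid and command_uid are required when scan_type_id says the scan was scheduled or commanded, every Datetime is milliseconds since the Unix epoch, device_end_time may not precede device_time, and device_name_md5 is the MD5 of the lower-case device name. The validator below is an added example, not Symantec's schema code. The sample event is constructed; a hex digest for device_name_md5, treating scan_end before scan_start as an error, and comparing duration with scan_end minus scan_start (advisory only, since pauses widen the wall-clock window) are assumptions the page does not state.

```python
# Validation of a Scan (8020) event against the constraints stated in the
# attribute table.  Added example; not Symantec's schema code.  Anything the
# page does not state is marked ASSUMPTION.
import hashlib
from datetime import datetime, timezone
from typing import List

SCAN_TYPE_ID = 8020
DISPOSITION = {0: "Unknown", 1: "Started", 2: "Completed", 3: "Cancelled",
               4: "Duration Violation", 5: "Pause Violation", 6: "Error",
               7: "Paused", 8: "Resumed", 9: "Restarted", 10: "Delayed"}
SCAN_TYPE = {0: "Unknown", 1: "Manual", 2: "Scheduled", 3: "Updated Definitions",
             4: "Quarantined Items", 5: "Attached Media", 6: "User Logon",
             7: "ELAM", 8: "Command"}
VERDICT = {0: "Unknown", 1: "Resolved", 2: "Clean", 3: "Unresolved",
           4: "Error", 5: "Cancelled"}
TIMESTAMPS = ("device_time", "device_end_time", "scan_start", "scan_end")


def event_id_for(type_id: int, disposition: int) -> int:
    """Event IDs in the table are type_id * 1000 + disposition id
    (8020 and 4 give 8020004, Scan: Duration Violation)."""
    return type_id * 1000 + disposition


def ms_to_utc(ms: int) -> datetime:
    """Datetime attributes are milliseconds since 01/01/1970 00:00:00 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def device_name_md5(device_name: str) -> str:
    """The hash must be of the lower-case device name (hex digest is an ASSUMPTION)."""
    return hashlib.md5(device_name.lower().encode("utf-8")).hexdigest()


def validate_scan_event(ev: dict) -> List[str]:
    """Return the list of violated constraints; an empty list means the event passes."""
    problems: List[str] = []
    for f in ("severity_id", "version", "type_id", "category_id", "id", "device_time"):
        if f not in ev:
            problems.append(f"missing required attribute {f}")
    if ev.get("type_id") != SCAN_TYPE_ID:
        problems.append("type_id must be 8020 for a Scan event")
    if ev.get("category_id") != 1:
        problems.append("category_id must be 1 (Security)")
    disp = ev.get("id")
    if disp not in DISPOSITION:
        problems.append(f"unknown disposition id {disp!r}")
    elif "event_id" in ev and ev["event_id"] != event_id_for(SCAN_TYPE_ID, disp):
        problems.append(f"event_id {ev['event_id']} does not match disposition {disp}")
    if ev.get("severity_id") not in range(7):
        problems.append("severity_id must be 0..6")
    # Conditional requirements from the Primary group.
    if disp != 1 and "total" not in ev:
        problems.append("total is required for every disposition except Started")
    scan_type = ev.get("scan_type_id")
    if scan_type is not None and scan_type not in SCAN_TYPE:
        problems.append(f"unknown scan_type_id {scan_type}")
    if scan_type == 2 and not ev.get("schedule_uid"):
        problems.append("schedule_uid is required when the scan was started by a schedule")
    if scan_type == 8 and not ev.get("command_uid"):
        problems.append("command_uid is required when the scan was started by a command")
    if "verdict_id" in ev and ev["verdict_id"] not in VERDICT:
        problems.append(f"unknown verdict_id {ev['verdict_id']}")
    # Timestamps: millisecond epoch integers plus the stated ordering rule.
    for f in TIMESTAMPS:
        v = ev.get(f)
        if v is not None and not (isinstance(v, int) and v >= 0):
            problems.append(f"{f} must be a non-negative millisecond epoch integer")
    t0, t1 = ev.get("device_time"), ev.get("device_end_time")
    if isinstance(t0, int) and isinstance(t1, int) and t1 < t0:
        problems.append("device_end_time must be >= device_time")
    s0, s1, dur = ev.get("scan_start"), ev.get("scan_end"), ev.get("duration")
    if isinstance(s0, int) and isinstance(s1, int):
        if s1 < s0:
            problems.append("scan_end is earlier than scan_start")  # ASSUMPTION: producer bug
        elif isinstance(dur, int) and abs(dur - (s1 - s0) // 1000) > 1:
            # ASSUMPTION: duration (seconds) should roughly match scan_end - scan_start;
            # pauses can legitimately widen the wall-clock window, so advisory only.
            problems.append("warning: duration disagrees with scan_end - scan_start")
    # Origination: the hash is over the lower-case device name.
    name, digest = ev.get("device_name"), ev.get("device_name_md5")
    if name and digest and digest.lower() != device_name_md5(name):
        problems.append("device_name_md5 is not the MD5 of the lower-case device_name")
    return problems


# Constructed sample of a completed scheduled scan (not a captured event).
SAMPLE_EVENT = {
    "event_id": 8020002, "severity_id": 1, "version": "1.0", "type_id": 8020,
    "category_id": 1, "id": 2, "scan_uid": "scan-0f3a", "scan_name": "Full system virus scan",
    "scan_type_id": 2, "schedule_uid": "sched-weekly-full", "scan_coverage_id": 1,
    "verdict_id": 1, "total": 183420, "num_files": 180077, "num_folders": 3340,
    "num_archives": 3, "num_detections": 3, "num_resolutions": 3, "num_unresolved": 0,
    "scan_start": 1700000000000, "scan_end": 1700003600000, "duration": 3600,
    "device_time": 1700003600000,
    "device_name": "WKSTN-042.corp.example",
    "device_name_md5": hashlib.md5(b"wkstn-042.corp.example").hexdigest(),
}

if __name__ == "__main__":
    print(validate_scan_event(SAMPLE_EVENT) or "sample event passes")
    print("scan started", ms_to_utc(SAMPLE_EVENT["scan_start"]).isoformat())
```

Run the validator at ingest and route failures to a parser-error queue rather than dropping them silently: a producer that emits event_id 8020001 with Disposition 2, or a Scheduled scan with no schedule_uid, is exactly the kind of defect that otherwise surfaces months later as a detection rule that never fired.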