Event Types
The Integrated Cyber Defense Schema defines a large number of event types.
Name | ID | Category | Description |
---|---|---|---|
Application Log | 1 | Application Activity | Application Log events report status information about an application or service. |
Application Lifecycle | 2 | Application Activity | Application Lifecycle events report installation, removal, start, stop, and heartbeat of an application or service. |
Update | 3 | Application Activity | Update events report code, content, configuration, or policy updates that are made to an application or service. |
Policy Change | 4 | Application Activity | Policy change events report when the endpoint applies a new policy. |
File Reputation | 5 | Application Activity | File Reputation events report the results of a file reputation query. |
Update Available | 6 | Application Activity | Update Available events report when code, content, configuration, or policy updates are available. |
User Message | 7 | Application Activity | User Message events report when a user is messaged via Email or SMS. |
Registration | 9 | Application Activity | Registration events report device or application registration with a management system. |
Command Activity | 11 | Application Activity | Command Activity events report the state and status of commands. |
Action Request | 12 | Application Activity | Action Request events report requester, action, target and status information about action requests. |
Action Response | 13 | Application Activity | Action Response events report the response to an action request, including HTTP status. |
BitLocker | 15 | Application Activity | BitLocker events report volume encryption and decryption activity. |
User Session Audit | 20 | Audit | User Session Audit events report user logon and logoff activity at a management console or a managed client. |
Entity Audit | 21 | Audit | Entity Audit events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console. |
Policy Override Audit | 22 | Audit | Policy Override Audit events report user policy override activity at a management console or a managed client. |
License Lifecycle | 30 | License | License Lifecycle events report the installation, update, and removal of a license. |
License Expiry | 31 | License | License Expiry events report aggregate license expiration information. |
License Count | 32 | License | License Count events report aggregate license counts. |
Certificate Lifecycle | 40 | Application Activity | Certificate Lifecycle events report the installation, update, and removal of a certificate. |
Certificate Expiry | 41 | Application Activity | Certificate Expiry events report certificate expiration information. |
URL Reputation | 42 | Application Activity | URL Reputation events report the results of a URL reputation lookup. |
Status | 1000 | Diagnostic | Status events report the status of a component, for example a service, application or appliance. Report the status information in the message attribute, for example "Connection failure", "Low Disk", or "High CPU". If additional status information is required, include common extension status attributes such as status_detail, status_os, status_exception and status_stack_trace. If reporting status for a specific process, include the Process object. |
CPU Usage | 1005 | Diagnostic | CPU Usage events report service or application CPU usage statistics. |
Memory Usage | 1006 | Diagnostic | Memory Usage events report service or application memory usage statistics. |
Throughput | 1007 | Diagnostic | Throughput events report the processing rate of a service or application. |
User Session Activity | 8000 | System Activity | User Session Activity events report when a user attempts a logon or logoff, successfully or otherwise. |
Process Activity | 8001 | System Activity | Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise. |
Module Activity | 8002 | System Activity | Module Activity events report when a process loads or unloads a module. |
File Activity | 8003 | System Activity | File Activity events report when a process performs an action on a file. |
Directory Activity | 8004 | System Activity | Directory Activity events report when a process performs an action on a directory. |
Registry Key Activity | 8005 | System Activity | Registry Key Activity events report when a process performs an action on a Windows registry key. |
Registry Value Activity | 8006 | System Activity | Registry Value Activity events report when a process performs an action on a Windows registry value. |
Host Network Activity | 8007 | System Activity | Host Network Activity events report attempted network connections, successful or otherwise. |
Memory Activity | 8008 | System Activity | Memory Activity events report when a process performs internal memory allocation, modification, or other manipulation activities that are not typical for a process, such as a buffer overflow or turning off data execution protection (DEP). |
Kernel Activity | 8009 | System Activity | Kernel Activity events report when a process creates, reads, or deletes a kernel resource. |
Network Activity | 8010 | System Activity | Network Activity events report network connection activity. |
Email Activity | 8011 | System Activity | Email Activity events report non-threatening email activity. |
Email File Activity | 8012 | System Activity | Email File Activity events report non-threatening files within emails. |
Email URL Activity | 8013 | System Activity | Email URL Activity events report non-threatening URLs within an email. |
Host Network Traffic Activity | 8014 | System Activity | Host Network Traffic Activity events report network traffic information. |
Monitored Source | 8015 | System Activity | Monitored Source events report when an event or message of interest is recorded to a monitored source. If the monitored source event can be mapped to a particular Unified Security event, send the corresponding Unified Security event, and include an Event Source object. |
Startup Application Configuration Change | 8016 | System Activity | Startup Application Configuration Change events report when a startup application configuration has been created, deleted or modified. |
Peripheral Device Activity | 8017 | System Activity | Peripheral Device Activity events report peripheral device activity. |
AMSI Activity | 8018 | System Activity | AMSI Activity events report Antimalware Scan Interface (AMSI) activity. |
Email Delivery | 8019 | System Activity | Email Delivery events report the delivery status of emails. |
Scan | 8020 | Security | Scan events report the start, completion, and results of a scan. The scan event includes the number of items that were scanned and the number of detections that were resolved. |
Unscannable File | 8021 | Security | Unscannable File events report files that could not be scanned and the reasons why. |
Boot Record Detection | 8025 | Security | Boot Record Detection events report the detection and resolution of boot record threats or policy violations. |
User Session Detection | 8026 | Security | User Session Detection events report the detection and resolution of session threats or policy violations. |
Process Detection | 8027 | Security | Process Detection events report the detection and resolution of process threats or policy violations. |
Module Detection | 8028 | Security | Module Detection events report the detection and resolution of module threats or policy violations. |
Memory Detection | 8029 | Security | Memory Detection events report the detection and resolution of memory access threats or policy violations. |
Kernel Detection | 8030 | Security | Kernel Detection events report the detection and resolution of kernel resource threats or policy violations. |
File Detection | 8031 | Security | File Detection events report the detection and resolution of file threats or policy violations. |
Registry Key Detection | 8032 | Security | Registry Key Detection events report the detection and resolution of registry key threats or policy violations. |
Registry Value Detection | 8033 | Security | Registry Value Detection events report the detection and resolution of registry value threats or policy violations. |
Email File Detection | 8034 | Security | Email File Detection events report the detection and resolution of threats and policy violations within email file attachments. |
Email Detection | 8035 | Security | Email Detection events report the detection and resolution of email threats and policy violations. |
Email URL Detection | 8036 | Security | Email URL Detection events report the detection and resolution of URL threats and policy violations within emails. |
Host Network Traffic Detection | 8037 | Security | Host Network Traffic Detection events report the detection of threats in the network traffic data. |
Peripheral Device Detection | 8038 | Security | Peripheral Device Detection events report the detection and resolution of peripheral device policy violations. |
Email Analytics | 8039 | Security | Email Analytics events report contextual information about emails blocked by the Anti-Malware service and emails blocked because attachments were determined to be malicious. |
Host Network Detection | 8040 | Security | Host Network Detection events report the detection and resolution of host network threats or policy violations. |
Startup App Response | 8043 | Security | Startup App Response events report service repair actions taken in response to a detection. |
WMI Response | 8044 | Security | WMI Response events report the WMI repair actions that were taken in response to a detection. |
Process Response | 8045 | Security | Process Response events report process actions that were taken in response to a detection. |
File Response | 8046 | Security | File Response events report file actions taken in response to a detection. |
Registry Key Response | 8047 | Security | Registry Key Response events report registry key actions that were taken in response to a detection. |
Registry Value Response | 8048 | Security | Registry Value Response events report registry value actions that were taken in response to a detection. |
Network Detection | 8050 | Security | Network Detection events report the detection and resolution of network threats or policy violations. |
Entity Change | 8061 | Security | Entity Change events report when an entity's state changes in a way that impacts the security of the entity. |
Compliance Scan | 8070 | Security | Compliance Scan events report the start, completion, and overall result of the scan. Detailed results are reported in individual Compliance events. |
Compliance | 8071 | Security | Compliance events report the results of compliance and remediation checks. |
Incident Creation | 8075 | Security | Incident Creation events report the creation of an incident. |
Incident Update | 8076 | Security | Incident Update events report when an incident has been updated. |
Incident Closure | 8077 | Security | Incident Closure events report when an incident has been closed. |
Incident Associate | 8078 | Security | Incident Associate events report when an event is associated with an incident. |
User Session Query | 8080 | Evidence of Compromise | User Session Query events report information about existing user sessions. |
Process Query | 8081 | Evidence of Compromise | Process Query events report information about running processes. |
Module Query | 8082 | Evidence of Compromise | Module Query events report information about loaded modules. |
File Query | 8083 | Evidence of Compromise | File Query events report information about files that are present on the system. |
Directory Query | 8084 | Evidence of Compromise | Directory Query events report information about directories that are present on the system. |
Registry Key Query | 8085 | Evidence of Compromise | Registry Key Query events report information about Windows registry keys. |
Registry Value Query | 8086 | Evidence of Compromise | Registry Value Query events report information about Windows registry values. |
Network Query | 8087 | Evidence of Compromise | Network Query events report information about active network connections. |
Kernel Object Query | 8089 | Evidence of Compromise | Kernel Object Query events report information about kernel resources. |
Service Query | 8090 | Evidence of Compromise | Service Query events report information about running services. |
Prefetch Query | 8091 | Evidence of Compromise | Prefetch Query events report information about Windows prefetch files. |
Job Query | 8092 | Evidence of Compromise | Job Query events report information about scheduled jobs. |
Startup Application Query | 8093 | Evidence of Compromise | Startup Application Query events report information about startup applications. |
User Query | 8094 | Evidence of Compromise | User Query events report information about users. |
Peripheral Device Query | 8095 | Evidence of Compromise | Peripheral Device Query events report information about peripheral devices. |
Network Information Query | 8096 | Evidence of Compromise | Network Information Query events report information about network adapters. |
DNS Query | 8097 | Evidence of Compromise | DNS Query events report information about Domain Name System (DNS) entries. |
Administrative Group Query | 8098 | Evidence of Compromise | Administrative Group Query events report information about administrative groups. |
Unsuccessful Query | 8099 | Evidence of Compromise | Unsuccessful Query events report unsuccessful attempts at Evidence of Compromise queries. |
User Session Remediation | 8100 | Evidence of Compromise | User Session Remediation events report user session remediation results. |
Process Remediation | 8101 | Evidence of Compromise | Process Remediation events report process remediation activity. |
Module Remediation | 8102 | Evidence of Compromise | Module Remediation events report module remediation activity. |
File Remediation | 8103 | Evidence of Compromise | File Remediation events report file remediation activity. |
Directory Remediation | 8104 | Evidence of Compromise | Directory Remediation events report directory remediation activity. |
Registry Key Remediation | 8105 | Evidence of Compromise | Registry Key Remediation events report registry key remediation activity. |
Registry Value Remediation | 8106 | Evidence of Compromise | Registry Value Remediation events report registry value remediation activity. |
Network Remediation | 8107 | Evidence of Compromise | Network Remediation events report network remediation activity. |
Kernel Remediation | 8109 | Evidence of Compromise | Kernel Remediation events report kernel resource remediation activity. |
Service Remediation | 8110 | Evidence of Compromise | Service Remediation events report service remediation activity. |
Job Remediation | 8111 | Evidence of Compromise | Job Remediation events report job remediation activity. |
Startup Application Remediation | 8112 | Evidence of Compromise | Startup Application Remediation events report startup application remediation activity. |
Unsuccessful Remediation | 8119 | Evidence of Compromise | Unsuccessful Remediation events report unsuccessful attempts at Evidence of Compromise remediation. |
API Activity | 8200 | System Activity | API Activity events are reported as a result of an API invocation. |
Process History | 8201 | System Activity | Process History events report when a process launched, injected, opened or terminated another process, successfully or otherwise. |
File History | 8203 | System Activity | File History events report historical actions taken on a file. |
Directory History | 8204 | System Activity | Directory History events report historical actions taken on a directory. |
Host Network History | 8207 | System Activity | Host Network History events report historical attempted network connections. |
Peripheral Device History | 8217 | System Activity | Peripheral Device History events report historical information about peripheral device activity. |
Content Detection | 9000 | Information Protection | Content Detection events report the detection and resolution of content policy violations. |
File Content Detection | 9001 | Information Protection | File Content Detection events report the detection and resolution of file content policy violations. |
Email Content Detection | 9002 | Information Protection | Email Content Detection events report the detection and resolution of email content policy violations. |
Instant Message Content Detection | 9003 | Information Protection | Instant Message Content Detection events report the detection and resolution of instant message content policy violations. |
Clipboard Content Detection | 9005 | Information Protection | Clipboard Content Detection events report the detection and resolution of clipboard content policy violations. |
Print/FAX Content Detection | 9006 | Information Protection | Print/FAX Content Detection events report the detection and resolution of print/FAX content policy violations. |