Security Category
Security events report the detection and resolution of threats, anomalies, and security policy violations, as well as traces of such activity.
Threats and anomalies can be detected in any of the following ways:
- By a manual or scheduled scan of a device
- By monitoring a device for suspicious activity
- By monitoring the network for suspicious activity
Possible threats and anomalies include:
- Known viruses
- Known malware
- Suspicious file activity (also known as greyware)
- Suspicious network activity
- Suspicious resource activity
- Suspicious email activity
Possible resolutions include:
- Removing a file that contains one or more threats
- Removing a registry key
- Killing a process that contains a threat
- Blocking network activity
- Blocking or removing emails
| Name | ID | Description |
|---|---|---|
| Boot Record Detection | 8025 | Boot Record Detection events report the detection and resolution of boot record threats or policy violations. |
| Compliance | 8071 | Compliance events report the results of compliance and remediation checks. |
| Compliance Scan | 8070 | Compliance Scan events report the start, completion, and overall result of a compliance scan. Detailed results are reported in individual Compliance events. |
| Email Analytics | 8039 | Email Analytics events report contextual information about emails blocked by the Anti-Malware service and emails blocked because their attachments were determined to be malicious. |
| Email Detection | 8035 | Email Detection events report the detection and resolution of email threats and policy violations. |
| Email File Detection | 8034 | Email File Detection events report the detection and resolution of threats and policy violations within email file attachments. |
| Email URL Detection | 8036 | Email URL Detection events report the detection and resolution of URL threats and policy violations within emails. |
| Entity Change | 8061 | Entity Change events report when an entity's state changes in a way that affects the security of the entity. |
| File Detection | 8031 | File Detection events report the detection and resolution of file threats or policy violations. |
| File Response | 8046 | File Response events report file actions taken in response to a detection. |
| Host Network Detection | 8040 | Host Network Detection events report the detection and resolution of host network threats or policy violations. |
| Host Network Traffic Detection | 8037 | Host Network Traffic Detection events report the detection of threats in network traffic data. |
| Incident Associate | 8078 | Incident Associate events report when an event is associated with an incident. |
| Incident Closure | 8077 | Incident Closure events report when an incident has been closed. |
| Incident Creation | 8075 | Incident Creation events report the creation of an incident. |
| Incident Update | 8076 | Incident Update events report when an incident has been updated. |
| Kernel Detection | 8030 | Kernel Detection events report the detection and resolution of kernel resource threats or policy violations. |
| Memory Detection | 8029 | Memory Detection events report the detection and resolution of memory access threats or policy violations. |
| Module Detection | 8028 | Module Detection events report the detection and resolution of module threats or policy violations. |
| Network Detection | 8050 | Network Detection events report the detection and resolution of network threats or policy violations. |
| Peripheral Device Detection | 8038 | Peripheral Device Detection events report the detection and resolution of peripheral device policy violations. |
| Process Detection | 8027 | Process Detection events report the detection and resolution of process threats or policy violations. |
| Process Response | 8045 | Process Response events report process actions that were taken in response to a detection. |
| Registry Key Detection | 8032 | Registry Key Detection events report the detection and resolution of registry key threats or policy violations. |
| Registry Key Response | 8047 | Registry Key Response events report registry key actions that were taken in response to a detection. |
| Registry Value Detection | 8033 | Registry Value Detection events report the detection and resolution of registry value threats or policy violations. |
| Registry Value Response | 8048 | Registry Value Response events report registry value actions that were taken in response to a detection. |
| Scan | 8020 | Scan events report the start, completion, and results of a scan. The scan event includes the number of items that were scanned and the number of detections that were resolved. |
| Startup App Response | 8043 | Startup App Response events report service repair actions taken in response to a detection. |
| Unscannable File | 8021 | Unscannable File events report files that could not be scanned and the reasons why. |
| User Session Detection | 8026 | User Session Detection events report the detection and resolution of session threats or policy violations. |
| WMI Response | 8044 | WMI Response events report the WMI repair actions that were taken in response to a detection. |