System Activity Category
System Activity events report actions that occur at devices and on the network.

Events that pertain to devices follow an actor -> action -> target model that identifies the process (i.e., actor) that operated on the target object.

| Name | ID | Description |
|---|---|---|
| AMSI Activity | 8018 | AMSI Activity events report Antimalware Scan Interface (AMSI) activity. | 
| API Activity | 8200 | API Activity events are reported as a result of an API invocation. | 
| Directory Activity | 8004 | Directory Activity events report when a process performs an action on a directory. | 
| Directory History | 8204 | Directory History events report historical action taken on a directory. | 
| Email Activity | 8011 | Email Activity events report non-threatening email activity. | 
| Email Delivery | 8019 | Email Delivery events report the delivery status of emails. | 
| Email File Activity | 8012 | Email File Activity events report non-threatening files within emails. | 
| Email URL Activity | 8013 | Email URL Activity events report non-threatening URLs within an email. | 
| File Activity | 8003 | File Activity events report when a process performs an action on a file. | 
| File History | 8203 | File History events report historical action taken on a file. | 
| Host Network Activity | 8007 | Host Network Activity events report attempted network connections - successful, or otherwise. | 
| Host Network History | 8207 | Host Network History events report historical attempted network connections. | 
| Host Network Traffic Activity | 8014 | Host Network Traffic Activity events report network traffic information. | 
| Kernel Activity | 8009 | Kernel Activity events report when a process creates, reads, or deletes a kernel resource. | 
| Memory Activity | 8008 | Memory Activity events report when a process performs internal memory allocation, modification, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP) - that are not typical for a process. | 
| Module Activity | 8002 | Module Activity events report when a process loads or unloads a module. | 
| Monitored Source | 8015 | Monitored Source events report when an event or message of interest is recorded to a monitored source. If the monitored source event can be mapped to a particular Unified Security event, send the corresponding Unified Security event, and include an Event Source object. | 
| Network Activity | 8010 | Network Activity events report network connection activity. | 
| Peripheral Device Activity | 8017 | Peripheral Device Activity events report peripheral device activity. | 
| Peripheral Device History | 8217 | Peripheral Device History events report historical information about peripheral device activity. | 
| Process Activity | 8001 | Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise. | 
| Process History | 8201 | Process History events report when a process had launched, injected, opened or terminated another process, successful or otherwise. | 
| Registry Key Activity | 8005 | Registry Key Activity events report when a process performs an action on a Windows registry key. | 
| Registry Value Activity | 8006 | Registry Value Activity events report when a process performs an action on a Windows registry value. | 
| Startup Application Configuration Change | 8016 | Startup Application Configuration Change events report when a startup application configuration has been created, deleted or modified. | 
| User Session Activity | 8000 | User Session Activity events report when a user attempts a logon or logoff, successfully or otherwise. |