Evidence of Compromise Category
Evidence of Compromise (EoC) events report the results of EoC queries and remediations.
EoC query result events report whether files, processes, registry keys and other objects exist on a device. EoC remediation result events report the remediation status of files, processes, registry keys and other objects on a device.
Name | ID | Description |
---|---|---|
Administrative Group Query | 8098 | Administrative Group Query events report information about administrative groups. |
DNS Query | 8097 | DNS Query events report information about Domain Name System (DNS) entries. |
Directory Query | 8084 | Directory Query events report information about directories that are present on the system. |
Directory Remediation | 8104 | Directory Remediation events report directory remediation activity. |
File Query | 8083 | File Query events report information about files that are present on the system. |
File Remediation | 8103 | File Remediation events report file remediation activity. |
Job Query | 8092 | Job Query events report information about scheduled jobs. |
Job Remediation | 8111 | Job Remediation events report job remediation activity. |
Kernel Object Query | 8089 | Kernel Object Query events report information about kernel resources. |
Kernel Remediation | 8109 | Kernel Remediation events report kernel resource remediation activity. |
Module Query | 8082 | Module Query events report information about loaded modules. |
Module Remediation | 8102 | Module Remediation events report module remediation activity. |
Network Information Query | 8096 | Network Information Query events report information about network adapters. |
Network Query | 8087 | Network Query events report information about active network connections. |
Network Remediation | 8107 | Network Remediation events report network remediation activity. |
Peripheral Device Query | 8095 | Peripheral Device Query events report information about peripheral devices. |
Prefetch Query | 8091 | Prefetch Query events report information about Windows prefetch files. |
Process Query | 8081 | Process Query events report information about running processes. |
Process Remediation | 8101 | Process Remediation events report process remediation activity. |
Registry Key Query | 8085 | Registry Key Query events report information about Windows registry keys. |
Registry Key Remediation | 8105 | Registry Key Remediation events report registry key remediation activity. |
Registry Value Query | 8086 | Registry Value Query events report information about Windows registry values. |
Registry Value Remediation | 8106 | Registry Value Remediation events report registry value remediation activity. |
Service Query | 8090 | Service Query events report information about running services. |
Service Remediation | 8110 | Service Remediation events report service remediation activity. |
Startup Application Query | 8093 | Startup Application Query events report information about startup applications. |
Startup Application Remediation | 8112 | Startup Application Remediation events report startup application remediation activity. |
Unsuccessful Query | 8099 | Unsuccessful Query events report unsuccessful attempts at Evidence of Compromise queries. |
Unsuccessful Remediation | 8119 | Unsuccessful Remediation events report unsuccessful attempts at Evidence of Compromise remediation. |
User Query | 8094 | User Query events report information about users. |
User Session Query | 8080 | User Session Query events report information about existing user sessions. |
User Session Remediation | 8100 | User Session Remediation events report user session remediation results. |