Evidence of Compromise Category

EoC query result events report whether queried objects (files, processes, registry keys and other artifacts) exist on a device. EoC remediation result events report the remediation status of those objects (files, processes, registry keys and other artifacts) on a device. Two dedicated event types, Unsuccessful Query (8099) and Unsuccessful Remediation (8119), report queries and remediations that could not be carried out; a device that produced one of these has not been confirmed clean or remediated.
| Name | ID | Description |
|---|---|---|
| Administrative Group Query | 8098 | Administrative Group Query events report information about administrative groups. |
| DNS Query | 8097 | DNS Query events report information about Domain Name System (DNS) entries. |
| Directory Query | 8084 | Directory Query events report information about directories that are present on the system. |
| Directory Remediation | 8104 | Directory Remediation events report directory remediation activity. |
| File Query | 8083 | File Query events report information about files that are present on the system. |
| File Remediation | 8103 | File Remediation events report file remediation activity. |
| Job Query | 8092 | Job Query events report information about scheduled jobs. |
| Job Remediation | 8111 | Job Remediation events report job remediation activity. |
| Kernel Object Query | 8089 | Kernel Object Query events report information about kernel resources. |
| Kernel Remediation | 8109 | Kernel Remediation events report kernel resource remediation activity. |
| Module Query | 8082 | Module Query events report information about loaded modules. |
| Module Remediation | 8102 | Module Remediation events report module remediation activity. |
| Network Information Query | 8096 | Network Information Query events report information about network adapters. |
| Network Query | 8087 | Network Query events report information about active network connections. |
| Network Remediation | 8107 | Network Remediation events report network remediation activity. |
| Peripheral Device Query | 8095 | Peripheral Device Query events report information about peripheral devices. |
| Prefetch Query | 8091 | Prefetch Query events report information about Windows prefetch files. |
| Process Query | 8081 | Process Query events report information about running processes. |
| Process Remediation | 8101 | Process Remediation events report process remediation activity. |
| Registry Key Query | 8085 | Registry Key Query events report information about Windows registry keys. |
| Registry Key Remediation | 8105 | Registry Key Remediation events report registry key remediation activity. |
| Registry Value Query | 8086 | Registry Value Query events report information about Windows registry values. |
| Registry Value Remediation | 8106 | Registry Value Remediation events report registry value remediation activity. |
| Service Query | 8090 | Service Query events report information about running services. |
| Service Remediation | 8110 | Service Remediation events report service remediation activity. |
| Startup Application Query | 8093 | Startup Application Query events report information about startup applications. |
| Startup Application Remediation | 8112 | Startup Application Remediation events report startup application remediation activity. |
| Unsuccessful Query | 8099 | Unsuccessful Query events report unsuccessful attempts at Evidence of Compromise queries. |
| Unsuccessful Remediation | 8119 | Unsuccessful Remediation events report unsuccessful attempts at Evidence of Compromise remediation. |
| User Query | 8094 | User Query events report information about users. |
| User Session Query | 8080 | User Session Query events report information about existing user sessions. |
| User Session Remediation | 8100 | User Session Remediation events report user session remediation activity. |
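The following is an added example, not code from the original page or from the product's own tooling. It triages a batch of EoC result events using the type IDs from the table above: query results are separated from remediation results, the two "Unsuccessful" types are kept apart from genuine negative results, and the script reports which objects were confirmed present but never confirmed remediated, and which devices never answered the query at all. The event field names (`type_id`, `device`, `object`, `found`, `status`) and the sample events are constructed for this example and are assumptions, not the product's event schema.

```python
"""Triage Evidence of Compromise (EoC) query and remediation result events."""
from collections import defaultdict

# Event type IDs from the table above, grouped by what the event reports.
EOC_QUERY_IDS = {8080, 8081, 8082, 8083, 8084, 8085, 8086, 8087, 8089, 8090,
                 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098}
EOC_REMEDIATION_IDS = {8100, 8101, 8102, 8103, 8104, 8105, 8106, 8107, 8109,
                       8110, 8111, 8112}
UNSUCCESSFUL_QUERY = 8099
UNSUCCESSFUL_REMEDIATION = 8119

FILE = r"C:\Users\Public\update.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"

# Constructed sample events. The field names are assumptions for this example,
# not the product's real event schema.
SAMPLE_EVENTS = [
    {"type_id": 8083, "device": "ws-01", "object": FILE, "found": True},     # File Query: present
    {"type_id": 8083, "device": "ws-02", "object": FILE, "found": False},    # File Query: absent
    {"type_id": 8085, "device": "ws-01", "object": RUN_KEY, "found": True},  # Registry Key Query
    {"type_id": 8103, "device": "ws-01", "object": FILE, "status": "success"},    # File Remediation
    {"type_id": 8105, "device": "ws-01", "object": RUN_KEY, "status": "failed"},  # Registry Key Remediation
    {"type_id": 8099, "device": "ws-03", "object": FILE},     # Unsuccessful Query: no answer from ws-03
    {"type_id": 8119, "device": "ws-01", "object": RUN_KEY},  # Unsuccessful Remediation
]


def classify(event):
    """Map an event's type ID to the kind of EoC result it carries."""
    tid = event["type_id"]
    if tid == UNSUCCESSFUL_QUERY:
        return "unsuccessful_query"
    if tid == UNSUCCESSFUL_REMEDIATION:
        return "unsuccessful_remediation"
    if tid in EOC_QUERY_IDS:
        return "query"
    if tid in EOC_REMEDIATION_IDS:
        return "remediation"
    return "other"


def triage(events):
    """Per device: objects found, confirmed remediated, failed, and queries that never ran.

    A query that reports found=False is a real negative result; an Unsuccessful
    Query (8099) is not, so it is tracked separately as 'unanswered'.
    """
    report = defaultdict(lambda: {"found": set(), "remediated": set(),
                                  "failed": set(), "unanswered": set()})
    for ev in events:
        kind = classify(ev)
        dev = report[ev["device"]]
        obj = ev["object"]
        if kind == "query" and ev.get("found"):
            dev["found"].add(obj)
        elif kind == "remediation":
            bucket = "remediated" if ev.get("status") == "success" else "failed"
            dev[bucket].add(obj)
        elif kind == "unsuccessful_remediation":
            dev["failed"].add(obj)
        elif kind == "unsuccessful_query":
            dev["unanswered"].add(obj)
    return dict(report)


def outstanding(report):
    """Objects confirmed present on a device but not confirmed remediated."""
    return {dev: sorted(r["found"] - r["remediated"])
            for dev, r in report.items() if r["found"] - r["remediated"]}


def unanswered_devices(report):
    """Devices whose EoC query never produced a result; not cleared, not clean."""
    return sorted(dev for dev, r in report.items() if r["unanswered"])


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("outstanding:", outstanding(result))
    print("unanswered:", unanswered_devices(result))
```

The two output sets are the ones an analyst acts on: `outstanding` lists artifacts still present after remediation (here the Run key on ws-01, whose remediation both failed and later reported as unsuccessful), and `unanswered_devices` lists hosts that must be re-queried rather than counted as clean (ws-03, which only ever emitted an Unsuccessful Query event).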