An event type. Choose the event type based on the product that logged the event, not the product that generated it. For example, an antivirus (AV) product scanning email on a client would generate an SMTP_PROXY event, not an AV event, and a DLP device scanning a web upload would generate an HTTP_PROXY event, not a DLP or process activity event. Note: for an HTTP_PROXY event you might also include process details if the activity occurred on an endpoint. Those details are optional, but because the event is an HTTP_PROXY event, a certain set of fields is required and another set of fields is banned.
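The rule above (type the event by the channel that logged it) and the table's equivalent and deprecated values both matter when writing detection logic over these events. The following is an added example, not code from the reference or from the product: it assumes the SMTP_PROXY and HTTP_PROXY names in the note correspond to the NETWORK_SMTP and NETWORK_HTTP values in the table, and that events are dicts with `metadata.event_type`.

```python
"""Helpers for working with the event_type enum documented on this page."""
from __future__ import annotations

# Pairs the reference marks as equivalent: user-centric name -> resource-centric name.
EQUIVALENT = {
    "USER_RESOURCE_CREATION": "RESOURCE_CREATION",
    "USER_RESOURCE_UPDATE_CONTENT": "RESOURCE_WRITTEN",
    "USER_RESOURCE_UPDATE_PERMISSIONS": "RESOURCE_PERMISSIONS_CHANGE",
    "USER_RESOURCE_ACCESS": "RESOURCE_READ",
    "USER_RESOURCE_DELETION": "RESOURCE_DELETION",
}

# Deprecated values and the replacement the reference names for them.
# USER_STATS is deprecated without a named replacement, so it is left alone.
DEPRECATED = {
    "EMAIL_URL_CLICK": "NETWORK_HTTP",
    "SCAN_PROCESS_BEHAVIORS": "SCAN_PROCESS",
}

# Assumption: the logging channel decides the type (SMTP_PROXY -> NETWORK_SMTP,
# HTTP_PROXY -> NETWORK_HTTP), regardless of whether AV or DLP produced the verdict.
CHANNEL_EVENT_TYPE = {"email": "NETWORK_SMTP", "web": "NETWORK_HTTP", "file": "SCAN_FILE"}


def canonical_event_type(event_type: str) -> str:
    """Collapse deprecated and equivalent spellings onto one canonical value."""
    event_type = DEPRECATED.get(event_type, event_type)
    return EQUIVALENT.get(event_type, event_type)


def event_type_for_scan(channel: str) -> str:
    """Type a scanner verdict by the channel that logged it, per the rule above."""
    try:
        return CHANNEL_EVENT_TYPE[channel]
    except KeyError:
        raise ValueError(f"unknown logging channel: {channel!r}") from None


def matches_any(event: dict, wanted: set[str]) -> bool:
    """True when the event's type, after canonicalisation, is one of `wanted`.
    `wanted` is canonicalised too, so a rule may name either spelling."""
    raw = event.get("metadata", {}).get("event_type", "EVENTTYPE_UNSPECIFIED")
    return canonical_event_type(raw) in {canonical_event_type(t) for t in wanted}


if __name__ == "__main__":
    # Constructed sample events: a legacy spelling and an equivalent spelling.
    samples = [{"metadata": {"event_type": "EMAIL_URL_CLICK"}},
               {"metadata": {"event_type": "USER_RESOURCE_ACCESS"}}]
    for ev in samples:
        print(ev["metadata"]["event_type"], "->", matches_any(ev, {"NETWORK_HTTP", "RESOURCE_READ"}))
```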
Enums | Description
---|---
EVENTTYPE_UNSPECIFIED | Default event type.
PROCESS_UNCATEGORIZED | Activity related to a process which does not match any of the other event types.
PROCESS_LAUNCH | Process launch.
PROCESS_INJECTION | Process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION | Process privilege escalation.
PROCESS_TERMINATION | Process termination.
PROCESS_OPEN | Process being opened.
PROCESS_MODULE_LOAD | Process loading a module.
REGISTRY_UNCATEGORIZED | Registry event which does not match any of the other event types.
REGISTRY_CREATION | Registry creation.
REGISTRY_MODIFICATION | Registry modification.
REGISTRY_DELETION | Registry deletion.
SETTING_UNCATEGORIZED | Settings-related event which does not match any of the other event types.
SETTING_CREATION | Setting creation.
SETTING_MODIFICATION | Setting modification.
SETTING_DELETION | Setting deletion.
MUTEX_UNCATEGORIZED | Any mutex event other than creation.
MUTEX_CREATION | Mutex creation.
FILE_UNCATEGORIZED | File event which does not match any of the other event types.
FILE_CREATION | File created.
FILE_DELETION | File deleted.
FILE_MODIFICATION | File modified.
FILE_READ | File read.
FILE_COPY | File copied. Used for file copies, for example, to a thumb drive.
FILE_OPEN | File opened.
FILE_MOVE | File moved or renamed.
FILE_SYNC | File synced (for example, Google Drive, Dropbox, backup).
USER_UNCATEGORIZED | User activity which does not match any of the other event types.
USER_LOGIN | User login.
USER_LOGOUT | User logout.
USER_CREATION | User creation.
USER_CHANGE_PASSWORD | User password change event.
USER_CHANGE_PERMISSIONS | Change in user permissions.
USER_STATS | Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN | User physically badging into a location.
USER_DELETION | User deletion.
USER_RESOURCE_CREATION | User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT | User updating the content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS | User updating the permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION | User initiating communication through a medium (for example, video).
USER_RESOURCE_ACCESS | User accessing a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION | User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED | A group activity that does not fall into one of the other event types.
GROUP_CREATION | A group creation.
GROUP_DELETION | A group deletion.
GROUP_MODIFICATION | A group modification.
EMAIL_UNCATEGORIZED | Email messages.
EMAIL_TRANSACTION | An email transaction.
EMAIL_URL_CLICK | Deprecated: use NETWORK_HTTP instead. An email URL click event.
NETWORK_UNCATEGORIZED | A network event that does not fit into one of the other event types.
NETWORK_FLOW | Aggregated flow statistics, for example NetFlow.
NETWORK_CONNECTION | Network connection details, for example from a firewall.
NETWORK_FTP | FTP telemetry.
NETWORK_DHCP | DHCP payload.
NETWORK_DNS | DNS payload.
NETWORK_HTTP | HTTP telemetry.
NETWORK_SMTP | SMTP telemetry.
STATUS_UNCATEGORIZED | A status message that does not fit into one of the other event types.
STATUS_HEARTBEAT | Heartbeat indicating the product is alive.
STATUS_STARTUP | An agent startup.
STATUS_SHUTDOWN | An agent shutdown.
STATUS_UPDATE | A software or fingerprint update.
SCAN_UNCATEGORIZED | Scan item that does not fit into one of the other event types.
SCAN_FILE | A file scan.
SCAN_PROCESS_BEHAVIORS | Scan process behaviors. Deprecated: use SCAN_PROCESS instead.
SCAN_PROCESS | Scan process.
SCAN_HOST | Scan results from scanning an entire host device for threats or sensitive documents.
SCAN_VULN_HOST | Vulnerability scan logs about host vulnerabilities (for example, out-of-date software) and network vulnerabilities (for example, an unprotected service detected via a network scan).
SCAN_VULN_NETWORK | Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK | Scan of a network for suspicious activity.
SCHEDULED_TASK_UNCATEGORIZED | Scheduled task event that does not fall into one of the other event types.
SCHEDULED_TASK_CREATION | Scheduled task creation.
SCHEDULED_TASK_DELETION | Scheduled task deletion.
SCHEDULED_TASK_ENABLE | Scheduled task being enabled.
SCHEDULED_TASK_DISABLE | Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION | Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED | A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE | A system audit log wipe.
SERVICE_UNSPECIFIED | Service event that does not fit into one of the other event types.
SERVICE_CREATION | A service creation.
SERVICE_DELETION | A service deletion.
SERVICE_START | A service start.
SERVICE_STOP | A service stop.
SERVICE_MODIFICATION | A service modification.
GENERIC_EVENT | Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs.
RESOURCE_CREATION | The resource was created or provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION | The resource was deleted or deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE | The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ | The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN | The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
DEVICE_FIRMWARE_UPDATE | Firmware update.
DEVICE_CONFIG_UPDATE | Configuration update.
DEVICE_PROGRAM_UPLOAD | A program or application uploaded to a device.
DEVICE_PROGRAM_DOWNLOAD | A program or application downloaded to a device.
ANALYST_UPDATE_VERDICT | Analyst update about the verdict (such as true positive, false positive, or disregard) of a finding.
ANALYST_UPDATE_REPUTATION | Analyst update about the reputation (such as useful or not useful) of a finding.
ANALYST_UPDATE_SEVERITY_SCORE | Analyst update about the severity score (0-100) of a finding.
ANALYST_UPDATE_STATUS | Analyst update about the status of a finding.
ANALYST_ADD_COMMENT | Analyst addition of a comment to a finding.
ANALYST_UPDATE_PRIORITY | Analyst update about the priority (such as low, medium, or high) of a finding.
ANALYST_UPDATE_ROOT_CAUSE | Analyst update about the root cause of a finding.
ANALYST_UPDATE_REASON | Analyst update about the reason (such as malicious or not malicious) for a finding.
ANALYST_UPDATE_RISK_SCORE | Analyst update about the risk score (0-100) of a finding.