Skip to main content

Security ContentExabeam Security Content in the Legacy Structure

Table of ContentsTable of Contents

Event Types and Required Fields

This table defines the required, extended, and informational fields that are available for every event type.

Note

Events can be created even if the required fields are not present. However, the event will not be applicable for rule scoring and modeling.

Event Name	Description	Categories	Fields
account-creation	A user created a new account. Note This is tied to Windows events 4720 or 624.	Category: Account Subcategory: Create	Required Fields: dest host account_name time user Extended Fields: account_domain src Informational Fields: domain event_name account logon_id event_code
account-deleted	A user deleted an account. Note This is tied to Windows events 4726 or 630.	Category: Account Subcategory: Changes	Required Fields: time host user target_user Extended Fields: dest_host account_name Informational Fields: domain target_domain event_name outcome dest_ip src user_sid account logon_id event_code
account-disabled	An administrator disabled a user's account.	Category: Account Subcategory: Management	Required Fields: time host user target_user Extended Fields: — Informational Fields: dest domain target_domain event_name outcome src user_sid account logon_id event_code
account-enabled	An account was enabled by a user.	Category: Account Subcategory: Management	Required Fields: target_user dest host time user Extended Fields: src_host Informational Fields: domain target_domain event_name outcome src_ip account logon_id event_code
account-lockout	An account has been locked.	Category: Account Subcategory: Activity	Required Fields: dest domain host time user Extended Fields: src_host Informational Fields: caller_domain event_name src_ip caller_user auth_method logon_id event_code
account-password-change	A user changed their account password. Note This is tied to Windows events 4723 or 627.	Category: Account Subcategory: Activity	Required Fields: time host user target_user Extended Fields: target_domain dest_host Informational Fields: domain event_name outcome dest_ip src user_sid account logon_id event_code
account-password-change-failed	A user attempted to change their account password but failed. Note This is tied to Windows events 4723 or 627.	Category: Account Subcategory: Activity	Required Fields: time host user target_user Extended Fields: — Informational Fields: failure_reason domain event_name outcome dest src user_sid logon_id event_code target_domain
account-password-reset	An administrator reset a user's password. Note This is tied to Windows events 4724 or 628.	Category: Account Subcategory: Management	Required Fields: time host user target_user Extended Fields: target_domain dest_host Informational Fields: target_user_sid domain event_name outcome dest_ip src user_sid account logon_id event_code
account-switch	A user switched their account to impersonate another account. Note This is tied to Windows events 4648 and 552. Also tied to Unix SUDO logs.	Category: Account Subcategory: Switch	Required Fields: dest host account time user Extended Fields: process src_host safe_value Informational Fields: process_name command_line account_logon_guid account_domain domain event_name src_ip process_directory user_sid user_uid logon_id user_logon_guid event_code dest_service
account-unlocked	An administrator unlocked a user's account.	Category: Account Subcategory: Activity	Required Fields: time host user target_user Extended Fields: — Informational Fields: dest domain target_domain event_name outcome src user_sid account logon_id event_code
app-activity	A user's activity within a specific application.	Category: Application Subcategory: Activity	Required Fields: host object app time activity user Extended Fields: browser os mime user_agent src Informational Fields: dest result additional_info event_name resource target event_code
app-activity-failed	A user successfully logged in to an app but failed to perform an action in the app.	Category: Application Subcategory: Activity	Required Fields: host outcome app time activity user Extended Fields: src_ip Informational Fields: dest failure_reason src_host result additional_info event_name user_agent object resource event_code
app-login	A user logged into an application.	Category: Application Subcategory: Login	Required Fields: time host user app Extended Fields: browser os user_agent src Informational Fields: dest event_name user_email event_code protocol
audit-log-clear	An audit log was deleted from the system. Note This is tied to Windows events indicating audit log clearance, such as Windows 1102 and 517.	Category: Audit Subcategory: Change	Required Fields: dest host time user Extended Fields: src_host Informational Fields: domain event_name src_ip logon_id audit_category policy event_code
audit-policy-change	An audit policy was changed. Note This is tied to Windows events 4719 and 612.	Category: — Subcategory: —	Required Fields: dest domain host time policy user Extended Fields: src_host Informational Fields: event_name src_ip subcategory event_name logon_id audit_category event_code
authentication-attempt	An authentication whose outcome could not be determined was attempted.	Category: Account Subcategory: Activity	Required Fields: dest host time user Extended Fields: — Informational Fields: browser src domain os event_name outcome user_agent auth_method app realm event_code
authentication-failed	An authentication attempt performed either from a public IP address or from an internal network address failed.	Category: Account Subcategory: Auth	Required Fields: dest failure_reason host time user Extended Fields: src_ip Informational Fields: browser src_host domain additional_info os event_name outcome user_agent auth_method app realm event_code
authentication-successful	An authentication attempt performed either from a public IP address or from an internal network address was successful.	Category: Account Subcategory: Activity	Required Fields: dest host time user Extended Fields: src_ip Informational Fields: browser src_host domain os event_name outcome auth_method app realm event_code
batch-logon	A non-interactive batch logon occurred. Note This is tied to Windows events 4624, and 528 with logon type 4.	Category: Account Subcategory: Activity	Required Fields: dest host time user Extended Fields: process src_host account event_code Informational Fields: process_name domain logon_type event_name src_ip auth_package logon_id
cloud-admin-activity	Administrative activity against cloud services.	Category: Cloud Subcategory: Admin	Required Fields: user service activity Extended Fields: — Informational Fields: src_ip user_agent role policy account
cloud-admin-activity-failed	Failed administrative activity against cloud services.	Category: Cloud Subcategory: Admin	Required Fields: user service activity failure_reason Extended Fields: — Informational Fields: src_ip user_agent role policy account
computer-logon	A non-interactive computer logon occurred.	Category: Endpoint Subcategory: Activity	Required Fields: dest host time user Extended Fields: — Informational Fields: process_name domain event_name src account event_code
config-change	A user made a configuration change.	Category: — Subcategory: —	Required Fields: dest host object time activity user Extended Fields: — Informational Fields: event_name outcome src event_code
database-access	A user accessed a database.	Category: Database Subcategory: Activity	Required Fields: host db_operation db_user database_name time user Extended Fields: — Informational Fields: process_name dest table_name session_id server_group process domain additional_info database_schema event_name reason service_name src app account database_object protocol sql_count
database-activity-failed	A database query was issued and then failed.	Category: Database Subcategory: Activity	Required Fields: host db_operation db_user database_name time user Extended Fields: — Informational Fields: process_name dest table_name session_id server_group process domain additional_info database_schema event_name failure_reason service_name src app account database_object event_code protocol
database-alert	Abnormal activity in the database was detected either by Exabeam or by a third-party monitoring tool.	Category: Database Subcategory: Security Alerts	Required Fields: host alert_name db_user database_name time user Extended Fields: dest response_size process src Informational Fields: process_name alert_severity table_name malware_url alert_id server_group domain additional_info alert_type event_name db_operation service_name app account database_object event_code
database-delete	One or more records were deleted from the database.	Category: Database Subcategory: —	Required Fields: host time user database_name Extended Fields: — Informational Fields: domain db_user app db_operation db_query service_name server_group src dest rsponse_size database_object database_schema
database-failed-login	A user attempted and failed to log in to a database.	Category: Database Subcategory: —	Required Fields: host reason db_user database_name time user Extended Fields: — Informational Fields: process_name dest server_group process domain additional_info event_name outcome service_name auth_package src app account event_code protocol
database-login	A user logged into the database.	Category: Database Subcategory: Activity	Required Fields: host db_user database_name time user Extended Fields: src Informational Fields: process_name dest server_group process domain event_name service_name auth_package app account event_code protocol
database-query	A user queried a database.	Category: Database Subcategory: Activity	Required Fields: host db_user database_name time user db_query Extended Fields: response_size db_operation src Informational Fields: process_name dest table_name server_group process domain database_schema event_name service_name app database_object event_code
database-update	A user issued a database query to update one or more database records.	Category: Database Subcategory: —	Required Fileds: host time user database_name db_operation Extended Fields: — Informational Fields: domain db_user app db_query service_nme server_group src dest response_size database_object database_schema
dlp-alert	An alert was reported by a DLP product running on the endpoints.	Category: Data Subcategory: Alert	Required Fields: host alert_name src time Extended Fields: process_name top_domain alert_severity dest process alert_type user protocol Informational Fields: device_id alert_id file_name domain additional_info event_name outcome target event_code
dlp-email-alert-in	Incoming email activity reported by an email monitoring tool.	Category: Email Subcategory: Activity	Required Fields: time host sender recipient Extended Fields: subject Informational Fields: dest return_path recipients alert_name event_name outcome direction user_email bytes message_id external_domain src num_recipients external_address attachments user event_code
dlp-email-alert-in-failed	An inbound email activity failure. For example, if there is an email server error.	Category: Email Subcategory: Activity	Required Fields: time host sender recipient Extended Fields: — Informational Fields: dest subject return_path recipients alert_name event_name outcome direction user_email bytes message_id external_domain src num_recipients external_address attachments user event_code
dlp-email-alert-out	Outgoing email activity reported by an email monitoring tool.	Category: Email Subcategory: Activity	Required Fields: time host sender recipient Extended Fields: file_ext alert_id subject file_name dest_ip bytes external_domain num_recipients external_address user Informational Fields: return_path recipients alert_name event_name outcome direction user_email dest_host message_id src attachments event_code
dlp-email-alert-out-failed	An outbound email activity failure occurred. For example, if the recipient email address is wrong or if there is an email server error.	Category: Email Subcategory: Activity	Required Fields: time host sender recipient Extended Fields: file_name bytes external_domain external_address user Informational Fields: dest subject return_path recipients alert_name event_name outcome direction user_email message_id src num_recipients attachments event_code
dns-query	An asset queried for a domain in the DNS server.	Category: Network Subcategory: DNS	Required Fields: host query src time Extended Fields: — Informational Fields: dest dns_respons_code result query_type src_port event_name outcome bytes response query_id dest_port src_mac category activity user event_code protocol query_flags
dns-response	An asset received a response from a DNS server.	Category: Network Subcategory: DNS	Required Fields: dest dns_response_code host query time Extended Fields: category Informational Fields: response_flags result query_type src_port event_name outcome bytes response query_id dest_port src activity user event_code protocol
ds-access	User accessed an active directory object.	Category: — Subcategory: —	Required Fields: domain host object time user Extended Fields: activity_type object_class dest_host src attribute Informational Fields: object_ou event_name dest_ip new_attribute object_dn account logon_id old_attribute event_code
failed-app-login	A user failed to log in to an application.	Category: Account Subcategory: Activity	Required Fields: failure_reason host app time user Extended Fields: src_ip Informational Fields: dest browser src_host os event_name outcome user_agent event_code
failed-ds-access	An access attempt to an active directory object failed.	Category: — Subcategory: —	Required Fields: domain host object time user Extended Fields: — Informational Fields: object_ou dest failure_reason event_name outcome activity_type object_class new_attribute src object_dn attribute old_attribute event_code
failed-logon	A user failed a logon attempt.	Category: Account Subcategory: Login	Required Fields: dest host time user Extended Fields: failure_reason result_code logon_type auth_package src event_code Informational Fields: process_name process domain event_name user_sid
failed-physical-access	A user swiped their physical badge to open a door, gate, or other entrance but were denied access.	Category: Physical Security Subcategory: Activity	Required Fields: host outcome location_door badge_id time Extended Fields: location_building location_city user Informational Fields: first_name employee_id dest event_name direction last_name src event_code
failed-usb-activity	USB activity failed. For example, an administrator sets a policy to deny USB activity on machines connected to the company network. Then, a user attempts to copy files to a USB flash drive and is denied by the policy. The activity would be logged as failed-USB-activity.	Category: Endpoint Subcategory: Usb	Required Fields: dest device_id host time user Extended Fields: — Informational Fields: process_name process activity_details domain os event_name device_type bytes src file_path activity event_code
failed-vpn-login	A remote access VPN login attempt performed either from a public IP address or from an internal network address failed.	Cateogory: VPN Subcategory: Login	Required Fields: host src time user Extended Fields: — Informational Fields: dest failure_reason domain realm event_code
file-alert	A file integrity product (such as Tripwire) reported a change made to critical and/or system file.	Category: File Subcategory: Security	Required Fields: dest file_name host alert_name time Extended Fields: process user Informational Fields: process_name alert_severity file_ext alert_id domain os alert_type event_name accesses src file_path file_parent action event_code
file-delete	A user deleted a file.	Category: File Subcategory: Activity	Required Fields: dest file_name host time user Extended Fields: file_ext accesses src file_parent Informational Fields: src_file_dir process_name process domain event_name object bytes src_file_name file_path app file_type activity event_code protocol
file-download	A file was downloaded.	Category: File Subcategory: Download	Required Fields: dest file_name host time user Extended Fields: — Informational Fields: src_file_dir process_name file_ext process domain event_name accesses object bytes src src_file_name file_path file_parent activity event_code protocol
file-permission-change	A user has changed the permissions for a file and/or folder.	Category: File Subcategory: Activity	Required Fields: dest file_name host accesses time user Extended Fields: file_ext src file_parent Informational Fields: src_file_dir process_name process domain event_name object bytes src_file_name file_path app file_type activity event_code protocol
file-read	A user opened or downloaded a file.	Category: File Subcategory: Read	Required Fields: dest file_name host time user Extended Fields: file_ext process accesses src file_parent Informational Fields: src_file_dir process_name domain event_name object bytes src_file_name file_path app file_type activity event_code protocol
file-upload	A file was uploaded to the web.	Category: File Subcategory: Activity	Required Fields: dest file_name host time user Extended Fields: — Informational Fields: src_file_dir process_name file_ext process domain event_name accesses object bytes src src_file_name file_path app file_type file_parent activity event_code protocol
file-write	A file was created, edited, or moved.	Category: File Subcategory: Write	Required Fields: dest file_name host time user Extended Fields: src_file_dir file_ext process accesses src src_file_name file_path file_parent Informational Fields: process_name domain event_name object bytes app file_type activity event_code protocol
kerberos-logon	An interactive logon using Kerberos occurred. Note This is tied to Windows events 4768 or 672. For more precise readings on the nature of the logon, consider collecting Windows events 4624 from the asset.	Category: Account Subcategory: Activity	Required Fields: dest domain result_code host time user Extended Fields: ticket_options src_host ticket_encryption_type logon_type badge_id account event_code Informational Fields: event_name src_ip service_name user_sid
local-logon	A local logon occurred. Note This is tied to Windows events 4624 or 528 events with logon type 2 or 7. Also tied to Windows events with logon type 11 and a process name indicating a local interactive logon. And tied to Linux local logon events.	Category: Account Subcategory: Activity	Required Fields: dest host time user Extended Fields: process src_host domain logon_type badge_id account event_code Informational Fields: process_name event_name src_ip auth_package logon_id
member-added	A user has been added to a domain group membership.	Category: Account Subcategory: Management	Required Fields: host account_id group_name time user Extended Fields: account_ou dest_host src account_name Informational Fields: account_comain group_type domain event_name group_domain dest_ip account logon_id event_code account_dn
member-removed	A user has been removed from a domain group membership.	Category: Account Subcategory: Management	Required Fields: host account_id group_name time user Extended Fields: src Informational Fields: dest account_domain group_type domain account_ou event_name group_domain account_name logon_id event_code account_dn
nac-failed-logon	A logon attempted to a NAC failed.	Category: Network Subcategory: Security	Required Fields: dest domain host time user Extended Fields: — Informational Fields: network auth_server event_name src_mac src account event_code
nac-logon	A user was granted network access.	Category: Network Subcategory: Access	Required Fields: dest host time user Extended Fields: auth_type src_mac Informational Fields: network domain auth_server event_name src account event_code
netflow-connection	A new NetFlow connection was detected.	Category: Network Subcategory: Activity	Required Fields: dest host src_port dest_port src time Extended Fields: protocol Informational Fields: bytes_in time_end event_name outcome direction dest_interface end_reason bytes src_interface time_start bytes_out packets user event_code
network-alert	Suspicious activity in the network was detected and reported by a network security product, such as an IDS or IPS.	Category: Alerts Subcategory: Network	Required Fields: dest host alert_name src time Extended Fields: process dest_port user Informational Fields: process_name alert_severity alert_id domain additional_info src_port alert_type event_name outcome bytes policy event_code protocol
network-connection-failed	A network connection failure occurred.	Category: Network Subcategory: Security	Required Fields: dest host src_port dest_port src time action Extended Fields: — Informational Fields: bytes_in failure_reason dest_mac dest_translated_ip event_name outcome rule src_translated_ip direction dest_interface bytes src_mac dest_translated_port src_interface src_translated_port activity user event_code protocol
network-connection-successful	A network connection attempt was successful.	Category: Network Subcategory: Activity	Required Fields: dest host src_port dest_port src time Extended Fields: — Informational Fields: bytes_in failure_reason dest_mac dest_translated_ip event_name outcome rule src_translated_ip direction dest_interface bytes src_mac dest_translated_port src_interface bytes_out src_translated_port activity action user event_code protocol
ntlm-logon	An interactive logon using NTLM authentication occurred. Note This is tied to Microsoft NTLM events that indicate an interactive logon by user, such as Windows events 4776 or 680. For more precise readings on the nature of the logon, consider collecting Windows 4624 events from the asset.	Category: Account Subcategory: Activity	Required Fields: dest domain result_code host time user Extended Fields: src_host badge_id account event_code Informational Fields: event_name src_ip
physical-access	A user successfully opened a door, gate, or other entrance using their badge.	Category: Physical Security Subcategory: Activity	Required Fields: time host badge_id location_door Extended Fields: location_city Location_building user Informational Fields: first_name employee_id dest event_name outcome direction last_name src event_code
print-activity	A user printed files, data, or some other form of content.	Category: Printer Subcategory: Activity	Required Fields: dest host object printer_name time user Extended Fields: — Informational Fields: domain event_name outcome bytes num_pages src account activity event_code
privileged-access	A user obtained special privileges. For example, if a regular user who does not have administrator privileges attempts to elevate their own privileges to have administrator privileges. Note This is tied to events indicating privileged access or service, such as Windows events 4672, 4673, 576, and 577.	Category: Account Subcategory: Activity	Required Fields: dest host privileges time user Extended Fields: process_name process src event_code Informational Fields: object_server domain event_name debug_privilege environment_privilege process_directory object tcb_privilege ownership_privilege logon_id
privileged-object-access	A user obtained special privileges to access a privileged object. Note This is tied to Windows events 4674 or 578.	Category: Database Subcategory: Activity	Required Fields: dest host privileges object time user Extended Fields: process-Name process src_host Informational Fields: object_server domain object_type event_name debug_privilege src_ip environment_privilege process_directory tcb_privilege ownership_privilege logon_id event_code
process-alert	A user has executed a process that triggered an organization's configured endpoint process alert.	Category: Endpoint Subcategory: Process (maybe Security)	Required Fields: process_name dest host alert_name time Extended Fields: command_line process user Informational Fields: alert_severity alert_id domain additional_info src_port event_name parent_process process_directory md5 dest_port src event_code
process-created	A user has executed an endpoint process on a host.	Category: Endpoint Subcategory: Process	Required Fields: process_name dest host time Extended Fields: command_line process src_host process_directory user event_code Informational Fields: path domain event_name outcome src_ip parent_process md5 pid logon_id
process-created-failed	Failed process activity.	Category: Endpoint Subcategory: Process	Required Fields: process_name dest host time Extended Fields: user process Informational Fields: command_line path domain event_name outcome parent_process md5 pid src logon_id event_code
process-network	A process executing on the endpoint tried to access the network.	Category: Endpoint Subcategory: Activity	Required Fields: process_name dest host src time Extended Fields: process process_directory web_domain dest_port user Informational Fields: domain src_port event_name direction bytes md5 pid event_code
process-network-failed	An endpoint process was blocked from accessing a network.	Category: Network Subcategory: Security	Required Fields: process_name dest host src time Extended Fields: process user Informational Fields: domain src_port event_name direction process_directory bytes web_domain md5 pid dest_port event_code
remote-access	A remote, non-interactive logon occurred. Note This is tied to Windows events 4769, or 4624 with logon type 3 or 8.	Category: Account Subcategory: Activity	Required Fields: host service_name src time user Extended Fields: dest process ticket_options domain ticket_encryption_type auth_package account event_code Informational Fields: process_name logon_type event_name logon_id
remote-logon	A remote, interactive logon occurred. Note This is tied to Windows events 4624 with logon type 10 or 11. Also tied to Unix SSH login events.	Category: Account Subcategory: Login	Required Fields: dest host src time user Extended Fields: process ticket_options domain ticket_encryption_type logon_type auth_package badge_id account event_code Informational Fields: process_name event_name service_name logon_id
security-alert	An alert was reported by a third-party security product, such as FireEye, Palo Alto Networks, or other antivirus software running on the endpoints.	Category: Alerts Subcategory: Endpoint	Required Fields: host alert_name src time Extended Fields: process_name alert_severity dest process alert_type user Informational Fields: malware_url alert_id file_name domain additional_info src_port event_name outcome md5 dest_port category event_code
service-created	A service was installed on the system. Note This is tied to service creation events, such as Windows 4697.	Category: Endpoint Subcategory: Creation	Required Fields: host service_name dest_host time user Extended Fields: process_name process Informational Fields: account_domain domain event_name process_directory dest_ip src account_name service_type user_sid logon_id event_code
service-logon	A non-interactive service logon occurred. Note This is tied to Windows events 4624 and 528 with logon type 5.	Category: — Subcategory: —	Required Fields: dest host time user Extended Fields: process src_host account event_code Informational Fields: process_name domain logon_type event_name src_ip auth_package logon_id
share-access	This user has accessed a Windows network share.	Category: File Subcategory: Activity	Required Fields: dest host share_name time user Extended Fields: src_port file_path event_code Informational Fields: file_name domain event_name outcome accesses src share_path file_type logon_id
share-access-denied	This user has been denied access to a Windows network share.	Category: File Subcategory: Activity	Required Fields: dest host share_name time user Extended Fields: — Informational Fields: src_port file_path event_code file_name domain event_name outcome accesses src share_path file_type logon_id
storage-access	Object access activity from a cloud storage bucket.	Category: Cloud Subcategory: Storage	Required Fields: user service activity bucket file_name Extended Fields: — Informational Fields: src_ip user_agent
storage-activity	Activity against cloud storage services.	Category: Cloud Subcategory: Storage	Required Fields: user service activity Extended Fields: bucket Informational Fields: src_ip user_agent role policy account
storage-activity-failed	Failed activity against cloud storage services.	Category: Cloud Subcategory: Storage	Required Fields: user service activity failure_reason Extended Fields: bucket Informational Fields: src_ip user_agent role policy account
task-created	A user created a new scheduled task. Note Tied to Windows event 4698.	Category: Endpoint Subcategory: Activity	Required Fields: dest host task_name time user Extended Fields: process_name process Informational Fields: account_domain description domain run_level event_name process_directory s account_name event_code
usb-activity	Unspecified USB activity.	Category: Endpoint Subcategory: Usb	Required Fields: dest device_info host time user activity Extended Fields: — Informational Fields: process_name process activity_details domain os event_name device_type bytes src file_path event_code
usb-insert	A USB flash drive was connected to the network.	Category: Endpoint Subcategory: Usb	Required Fields: dest device_id host time user Extended Fields: — Informational Fields: process_name process activity_details domain os event_name device_type bytes src file_path activity event_code
usb-read	SB read activity was detected.	Category: Endpoint Subcategory: Usb	Required Fields: dest device_id file_name host time user Extended Fields: process Informational Fields: process_name file_ext activity_details domain os event_name process_directory device_type bytes src file_path activity event_code
usb-write	A user copied files from their machine to a USB flash drive.	Category: Endpoint Subcategory: Usb	Required Fields: dest file_name host time user Extended Fields: device_id process Informational Fields: src_file_dir process_name file_ext activity_details domain process_name os event_name process_directory device_type bytes src src_file_name file_path activity src_file_ext event_code
vpn-connection	A user used VPN to connect to a network.	Category: Network Subcategory: VPN	Required Fields: src dest time host Extended Fields: — Informational Fields: user src_port src_translated_ip dest_port dest_translated_ip src_translated_port dest_translated_port bytes_in bytes_out session_duration action session_id
vpn-login	Remote access VPN login attempt either from a public IP address or from an internal network address was successful.	Category: VPN Subcategory: Login	Required Fields: host src time user Extended Fields: dest os src_translated_ip badge_id realm account Informational Fields: session_id domain event_name event_code
vpn-logout	A user logged off remote access VPN.	Category: VPN Subcategory: Login	Required Fields: time host user Extended Fields: dest file_name alert_name service_name object bytes external_domain session_duration num_pages bytes_out safe_value Informational Fields: bytes_in session_id domain os event_name src_translated_ip reason src realm account event_code
web-activity-allowed	A user has accessed a web resources via a proxy or some other web monitoring gateway.	Category: Web Subcategory: Activity	Required Fields: method host web_domain time action user Extended Fields: top_domain bytes_in browser os uri_path full_url dest_ip src categories category uri_query Informational Fields: result_code src_port event_name mime user_agent dest_host dest_port proxy_action bytes_out referrer event_code protocol
web-activity-denied	A user was blocked by a restricting policy while attempted to access a web resource via a proxy or other web monitoring gateway.	Category: Web Subcategory: Activity (or Security)	Required Fields: method host web_domain time action user Extended Fields: top_domain bytes_in uri_path full_url dest_ip src categories category uri_query Informational Fields: failure_reason browser result_code src_port os event_name mime user_agent dest_host dest_port proxy_action bytes_out referrer event_code protocol
webconference-login	Web conference application login.	Category: Application Subcategory: Login	Required Fields: user_email src_ip app Extended Fields: — Informational Fields: client_type app_version
webconference-operations-activity	Web conference application operations.	Category: Application Subcategory: Activity	Required Fields: user_email app activity object_type Extended Fields: — Informational Fields: additional_info object
web-meeting-created	Web conference meeting created.	Category: Application Subcategory: Activity	Required Fields: user has_password enforce_login join_before_host waiting_room Extended Fields: — Informational Fields: meeting_number meeting_topic meeting_type meeting_duration meeting_timezone
web-meeting-ended	Web conference meeting ended.	Category: Application Subcategory: Activity	Required Fields: meeting_host_id Extended Fields: — Informational Fields: meeting_number meeting_topic meeting_type meeting_duration meeting_timezone
web-meeting-participant-joined	Web conference meeting participant joined.	Category: Application Subcategory: Activity	Required Fields: meeting_host_id participant_name participant_id Extended Fields: — Informational Fields: meeting_number meeting_topic meeting_type meeting_timezone
web-meeting-started	Web conference meeting started.	Category: Application Subcategory: Activity	Required Fields: meeting_host_id Extended Fields: — Informational Fields: meeting_number meeting_topic meeting_type meeting_timezone
web-meeting-updated	Web conference meeting updated.	Category: Application Subcategory: Activity	Required Fields: user meeting_id type start_time has_password enforce_login join_before_host waiting_room Extended Fields: — Informational Fields: meeting_number
winsession-disconnect	A user disconnected from an existing Terminal Services session. Note This is tied to Windows event 4779.	Category: Account Subcategory: Activity	Required Fields: dest domain host time user Extended Fields: src_host Informational Fields: process_name event_name src_ip account logon_id event_code
workstation-locked	A user locked their workstation. Note This is tied to Windows event 4800.	Category: Endpoint Subcategory: Activity	Required Fields: dest host time user Extended Fields: — Informational Fields: process_name domain event_name src account event_code
workstation-unlocked	A user unlocked their workstation. Note This is tied to Windows event 4801.	Category: Endpoint Subcategory: Activity	Required Fields: dest host time user Extended Fields: — Informational Fields: process_name domain event_name src account event_code