Exabeam How Content Works Guide: Security Content


Event Types and Required Fields

This appendix defines the required fields that should be present in the event for every event type.

Note

Events can still be created if the required fields are not present. However, such an event is not used for rule scoring or modeling.
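Added example (not code from Exabeam or from this guide): a checker that applies the note above at ingestion, flagging events that would be created but skipped by rule scoring and modeling, including the "dest_host/dest_ip" alternative notation used in the field lists. The required-field lists, the sample events and the event_type key are assumptions for illustration; the Required Fields column of this appendix is the authoritative source per event type.

```python
"""Required-field checker for normalized events (added example, not Exabeam code).

An event with missing required fields is still created but is ignored for
rule scoring and modeling, so a silent parser regression lowers detection
coverage without any error. This check surfaces such events at ingestion.

Field entries use the appendix notation: "dest_host/dest_ip" means that at
least one of the alternatives must be present and non-empty.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Mapping

# Assumed for illustration: which of each event type's fields are required.
# The authoritative split is the Required Fields column of this appendix.
REQUIRED_BY_EVENT_TYPE: Dict[str, List[str]] = {
    "workstation-locked": ["host", "time", "dest_host/dest_ip", "user"],
    "dns-query": ["host", "time", "src_host/src_ip", "query"],
}

# Constructed sample events. The "event_type" key is an assumption of this
# example; it is not a field named by the appendix.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"event_type": "workstation-locked", "host": "wks-17",
     "time": "2024-01-01T08:00:00Z", "dest_ip": "10.0.0.17", "user": "alice"},
    {"event_type": "workstation-locked", "host": "wks-18",
     "time": "2024-01-01T08:00:05Z", "user": "   "},  # blank user, no dest_host/dest_ip
    {"event_type": "dns-query", "host": "dns-1", "time": "2024-01-01T08:00:09Z",
     "src_ip": "10.0.0.5", "query": "example.com"},
    {"event_type": "no-such-event", "host": "wks-19", "time": "2024-01-01T08:00:11Z"},
]


def parse_spec(fields: Iterable[str]) -> List[List[str]]:
    """Turn entries such as "host" or "dest_host/dest_ip" into alternative groups."""
    groups: List[List[str]] = []
    for entry in fields:
        alternatives = [f.strip() for f in entry.split("/") if f.strip()]
        if alternatives:
            groups.append(alternatives)
    return groups


def _present(event: Mapping[str, object], field: str) -> bool:
    """A field counts as present only if it exists and is not empty or whitespace."""
    value = event.get(field)
    if value is None:
        return False
    if isinstance(value, str) and not value.strip():
        return False
    return True


def missing_required(event: Mapping[str, object], required: Iterable[str]) -> List[str]:
    """Return the required entries (in appendix notation) the event fails to satisfy."""
    return [
        "/".join(group)
        for group in parse_spec(required)
        if not any(_present(event, field) for field in group)
    ]


def check_events(
    events: Iterable[Mapping[str, object]],
    specs: Mapping[str, List[str]] = REQUIRED_BY_EVENT_TYPE,
) -> Dict[int, List[str]]:
    """Map each offending event index to its problems; clean events are omitted."""
    report: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        event_type = event.get("event_type")
        if event_type not in specs:
            report[index] = [f"unknown event_type: {event_type!r}"]
            continue
        missing = missing_required(event, specs[str(event_type)])
        if missing:
            report[index] = [f"missing {entry}" for entry in missing]
    return report


if __name__ == "__main__":
    for index, problems in check_events(SAMPLE_EVENTS).items():
        event_type = SAMPLE_EVENTS[index].get("event_type")
        print(f"event #{index} ({event_type}) would be skipped by scoring/modeling:")
        for problem in problems:
            print(f"  - {problem}")
```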

Each entry below gives the event name, its description, and its fields from the Required Fields and Optional Fields columns.

process-network-failed

An endpoint process was blocked from accessing a network.

  • host

  • time

  • dest_host/dest_ip

  • src_host/src_ip

  • process_name

  • direction

  • src_port

  • process

  • bytes

  • domain

  • user

  • event_code

  • event_name

  • process_directory

  • dest_port

network-connection-failed

A network connection failure occurred.

  • host

  • time

  • src_host/src_ip

  • dest_host/dest_ip

  • action

  • src_port

  • dest_port

  • direction

  • src_interface

  • protocol

  • event_name

  • src_translated_port

  • bytes_in

  • dest_translated_ip

  • rule

  • src_mac

  • bytes

  • dest_mac

  • user

  • event_code

  • bytes_out

  • dest_interface

  • outcome

  • src_translated_ip

  • dest_translated_port

database-login

A user logged into the database.

  • host

  • time

  • database_name

  • db_user

  • user

  • src_host/src_ip

  • domain

  • protocol

  • dest_host/dest_ip

  • service_name

  • app

  • process_name

  • process

  • event_code

  • server_group

  • event_name

database-delete

One or more records were deleted from the database.

  • host

  • time

  • database_name

  • db_user

  • user

  • src_host/src_ip

  • process

  • database_schema

  • dest_host/dest_ip

  • app

  • process_name

  • domain

  • db_operation

  • table_name

  • event_code

  • database_object

  • server_group

  • event_name

privileged-object-access

A user obtained special privileges to access a privileged object.

Note

This is tied to Windows events 4674 or 578.

  • host

  • time

  • user

  • dest_host/dest_ip

  • privileges

  • object

  • ownership_privilege

  • src_host/src_ip

  • domain

  • object_type

  • event_code

  • process

  • environment_privilege

  • process_name

  • object_server

  • logon_id

  • tcb_privilege

  • debug_privilege

  • event_name

  • process_directory

account-creation

A user created a new account.

Note

This is tied to Windows events 4720 or 624.

  • host

  • time

  • dest_host/dest_ip

  • account_name

  • user

  • src_host/src_ip

  • domain

  • event_name

  • logon_id

  • event_code

  • account_domain

dns-query

An asset queried for a domain in the DNS server.

  • host

  • time

  • src_host/src_ip

  • query

  • src_port

  • dest_host/dest_ip

  • query_type

  • bytes

  • event_name

  • query_flags

  • user

  • event_code

  • src_mac

  • dest_port

vpn-logout

A user logged off remote access VPN.

  • host

  • time

  • user

  • src_host/src_ip

  • domain

  • session_duration

  • realm

  • dest_host/dest_ip

  • bytes_out

  • session_id

  • event_name

  • event_code

  • bytes_in

  • os

  • src_translated_ip

dlp-email-alert-out

Outgoing email activity reported by an email monitoring tool.

  • host

  • time

  • recipient

  • sender

  • src_host/src_ip

  • direction

  • external_domain

  • attachments

  • recipients

  • dest_host/dest_ip

  • bytes

  • num_recipients

  • return_path

  • event_name

  • user

  • event_code

  • external_address

  • outcome

  • message_id

  • user_email

  • subject

service-logon

A non-interactive service logon occurred.

Note

This is tied to Windows events 4624 and 528 with logon type 5.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • auth_package

  • process

  • process_name

  • logon_id

  • logon_type

  • event_name

dlp-alert

An alert was reported by a DLP product running on the endpoints.

  • host

  • time

  • src_host/src_ip

  • alert_name

  • alert_severity

  • alert_type

  • target

  • dest_host/dest_ip

  • file_name

  • domain

  • event_name

  • alert_id

  • user

  • event_code

  • outcome

  • additional_info

file-write

A file was created, edited, or moved.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • user

  • src_host/src_ip

  • domain

  • file_type

  • app

  • process_name

  • bytes

  • src_file_name

  • accesses

  • file_path

  • process

  • event_code

  • activity

  • file_ext

  • src_file_dir

  • event_name

  • file_parent

account-switch

A user switched their account to impersonate another account.

Note

This is tied to Windows events 4648 and 552. Also tied to Unix SUDO logs.

  • host

  • time

  • dest_host/dest_ip

  • account

  • user

  • src_host/src_ip

  • domain

  • safe_value

  • process

  • account_logon_guid

  • process_name

  • dest_service

  • user_uid

  • user_logon_guid

  • user_sid

  • logon_id

  • event_code

  • account_domain

  • event_name

  • process_directory

authentication-failed

An authentication attempt performed either from a public IP address or from an internal network address failed.

  • host

  • time

  • dest_host/dest_ip

  • user

  • failure_reason

  • src_host/src_ip

  • domain

  • app

  • additional_info

  • event_name

  • user_agent

  • event_code

  • outcome

  • os

  • auth_method

  • browser

file-download

A file was downloaded.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • user

  • src_host/src_ip

  • domain

  • file_type

  • app

  • process_name

  • bytes

  • src_file_name

  • accesses

  • file_path

  • process

  • event_code

  • activity

  • file_ext

  • src_file_dir

  • event_name

  • file_parent

app-login

A user logged into an application.

  • host

  • time

  • app

  • user

  • src_host/src_ip

  • protocol

  • dest_host/dest_ip

  • event_name

  • user_agent

  • event_code

  • os

  • user_email

usb-write

A user copied files from their machine to a USB flash drive.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • user

  • src_host/src_ip

  • src_file_name

  • activity_details

  • event_code

  • process

  • process_name

  • bytes

  • domain

  • src_file_ext

  • device_type

  • activity

  • file_ext

  • src_file_dir

  • event_name

  • file_path

  • process_directory

  • device_id

database-alert

Abnormal activity in the database was detected either by Exabeam or by a third-party monitoring tool.

  • host

  • time

  • alert_name

  • db_user

  • user

  • database_name

  • domain

  • alert_type

  • event_code

  • dest_host/dest_ip

  • service_name

  • app

  • process_name

  • process

  • alert_id

  • database_object

  • server_group

  • event_name

  • additional_info

  • src_host/src_ip

  • alert_severity

  • malware_url

  • db_operation

  • table_name

  • response_size

print-activity

A user printed files, data, or some other form of content.

  • host

  • time

  • user

  • dest_host/dest_ip

  • printer_name

  • object

  • src_host/src_ip

  • domain

  • num_pages

  • bytes

  • event_name

  • event_code

  • activity

  • outcome

workstation-locked

A user locked their workstation.

Note

This is tied to Windows event 4800.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • event_name

failed-physical-access

A user swiped their physical badge to open a door, gate, or other entrance but was denied access.

  • host

  • time

  • outcome

  • badge_id

  • location_door

  • location_city

  • location_building

  • first_name

  • last_name

  • src_host/src_ip

  • dest_host/dest_ip

  • event_name

  • employee_id

  • user

  • event_code

vpn-connection

A user used VPN to connect to a network.

  • host

  • time

  • src_host/src_ip

  • src_port

  • dest_host/dest_ip

  • dest_port

  • event_name

  • event_code

  • bytes_in

  • dest_translated_ip

  • session_id

  • duration

  • user

  • access_group

  • bytes_out

  • action

  • src_translated_ip

app-activity

A user's activity within a specific application.

  • host

  • time

  • user

  • activity

  • app

  • object

  • src_host/src_ip

  • resource

  • dest_host/dest_ip

  • event_name

  • result

  • event_code

  • additional_info

  • user_agent

usb-insert

A USB flash drive was connected to the network.

  • host

  • time

  • dest_host/dest_ip

  • user

  • device_id

  • src_host/src_ip

  • domain

  • activity_details

  • event_code

  • process

  • process_name

  • bytes

  • device_type

  • event_name

dlp-email-alert-in-failed

An inbound email activity failure occurred, for example because of an email server error.

  • host

  • time

  • recipient

  • sender

  • src_host/src_ip

  • direction

  • external_domain

  • attachments

  • recipients

  • dest_host/dest_ip

  • bytes

  • num_recipients

  • return_path

  • event_name

  • user

  • event_code

  • external_address

  • outcome

  • message_id

  • user_email

  • subject

account-unlocked

An administrator unlocked a user's account.

  • host

  • time

  • target_user

  • user

  • src_host/src_ip

  • domain

  • user_sid

  • target_domain

  • dest_host/dest_ip

  • logon_id

  • event_code

  • outcome

  • event_name

process-alert

A user has executed a process that triggered an organization's configured endpoint process alert.

  • host

  • time

  • dest_host/dest_ip

  • alert_name

  • process_name

  • src_host/src_ip

  • domain

  • alert_type

  • process

  • command_line

  • alert_severity

  • parent_process

  • alert_id

  • user

  • event_code

  • process_directory

  • event_name

  • md5

privileged-access

A user obtained special privileges. For example, a regular user who does not have administrator privileges attempts to elevate their own privileges to administrator.

Note

This is tied to events indicating privileged access or service, such as Windows events 4672, 4673, 576, and 577.

  • host

  • time

  • dest_host/dest_ip

  • privileges

  • user

  • ownership_privilege

  • src_host/src_ip

  • domain

  • event_code

  • process

  • environment_privilege

  • process_name

  • object_server

  • logon_id

  • tcb_privilege

  • debug_privilege

  • event_name

  • process_directory

dlp-email-alert-out-failed

An outbound email activity failure occurred, for example because the recipient email address is wrong or because of an email server error.

  • host

  • time

  • recipient

  • sender

  • src_host/src_ip

  • direction

  • external_domain

  • attachments

  • recipients

  • dest_host/dest_ip

  • bytes

  • num_recipients

  • return_path

  • event_name

  • user

  • event_code

  • external_address

  • outcome

  • message_id

  • user_email

  • subject

dns-response

An asset received a response from a DNS server.

  • host

  • time

  • dest_host/dest_ip

  • query

  • dns_response_code

  • src_host/src_ip

  • src_port

  • query_type

  • bytes

  • event_name

  • query_id

  • user

  • event_code

  • response_flags

  • response

  • dest_port

database-failed-login

A user attempted and failed to log in to a database.

  • host

  • time

  • reason

  • db_user

  • user

  • database_name

  • src_host/src_ip

  • domain

  • dest_host/dest_ip

  • service_name

  • app

  • process_name

  • process

  • event_code

  • server_group

  • outcome

  • event_name

process-created

A user has executed an endpoint process on a host.

  • host

  • time

  • dest_host/dest_ip

  • process_name

  • src_host/src_ip

  • domain

  • process

  • pid

  • command_line

  • parent_process

  • logon_id

  • user

  • event_code

  • path

  • event_name

  • process_directory

  • md5

failed-vpn-login

A remote access VPN login attempt performed either from a public IP address or from an internal network address failed.

  • host

  • time

  • src_host/src_ip

  • user

  • domain

  • realm

  • dest_host/dest_ip

  • failure_reason

  • event_name

  • event_code

nac-failed-logon

A logon attempt to a NAC failed.

  • host

  • time

  • dest_host/dest_ip

  • domain

  • user

  • src_host/src_ip

  • network

  • event_code

  • auth_server

  • event_name

web-activity-denied

A user was blocked by a restricting policy while attempting to access a web resource via a proxy or other web monitoring gateway.

  • host

  • time

  • user

  • action

  • method

  • web_domain

  • protocol

  • dest_host/dest_ip

  • bytes_out

  • uri_path

  • proxy_action

  • mime

  • categories

  • dest_port

  • category

  • src_host/src_ip

  • top_domain

  • src_port

  • referrer

  • result_code

  • failure_reason

  • src_ip

  • event_name

  • user_agent

  • event_code

  • bytes_in

  • os

  • full_url

  • uri_query

failed-app-login

A user failed to log in to an application.

  • host

  • time

  • app

  • user

  • failure_reason

  • src_host/src_ip

  • dest_host/dest_ip

  • event_name

  • user_agent

  • event_code

  • outcome

  • os

  • browser

account-password-change

A user changed their account password.

Note

This is tied to Windows events 4723 or 627.

  • host

  • time

  • target_user

  • user

  • src_host/src_ip

  • domain

  • user_sid

  • target_domain

  • dest_host/dest_ip

  • logon_id

  • event_code

  • outcome

  • event_name

account-deleted

A user deleted an account.

Note

This is tied to Windows events 4726 or 630.

  • host

  • time

  • target_user

  • user

  • src_host/src_ip

  • domain

  • user_sid

  • target_domain

  • dest_host/dest_ip

  • logon_id

  • event_code

  • event_name

file-read

A user opened or downloaded a file.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • user

  • src_host/src_ip

  • domain

  • file_type

  • app

  • process_name

  • bytes

  • src_file_name

  • accesses

  • file_path

  • process

  • event_code

  • activity

  • file_ext

  • src_file_dir

  • event_name

  • file_parent

usb-read

USB read activity was detected.

  • host

  • time

  • user

  • dest_host/dest_ip

  • file_name

  • device_id

  • src_host/src_ip

  • domain

  • activity_details

  • event_code

  • process

  • process_name

  • bytes

  • device_type

  • activity

  • file_ext

  • event_name

  • file_path

  • process_directory

nac-logon

A user was granted network access.

  • host

  • time

  • dest_host/dest_ip

  • user

  • auth_type

  • src_host/src_ip

  • domain

  • network

  • event_name

  • event_code

  • auth_server

  • src_mac

share-access-denied

A user was denied access to a Windows network share.

  • host

  • time

  • user

  • share_name

  • dest_host/dest_ip

  • outcome

  • src_host/src_ip

  • domain

  • share_path

  • file_type

  • file_name

  • accesses

  • logon_id

  • event_code

  • event_name

file-alert

A file integrity product (such as Tripwire) reported a change made to a critical and/or system file.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • alert_name

  • src_host/src_ip

  • domain

  • alert_type

  • process

  • process_name

  • alert_severity

  • accesses

  • alert_id

  • user

  • event_code

  • file_ext

  • file_parent

  • event_name

  • file_path

audit-log-clear

An audit log was deleted from the system.

Note

This is tied to Windows events indicating audit log clearance, such as Windows 1102 and 517.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • logon_id

  • event_code

  • event_name

local-logon

A local logon occurred.

Note

This is tied to Windows events 4624 or 528 with logon type 2 or 7. It is also tied to Windows events with logon type 11 and a process name indicating a local interactive logon, and to Linux local logon events.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • auth_package

  • process

  • process_name

  • logon_id

  • logon_type

  • event_name

ntlm-logon

An interactive logon using NTLM authentication occurred.

Note

This is tied to Microsoft NTLM events that indicate an interactive logon by user, such as Windows events 4776 or 680. For more precise readings on the nature of the logon, consider collecting Windows 4624 events from the asset.

  • host

  • time

  • domain

  • user

  • dest_host/dest_ip

  • result_code

  • src_host/src_ip

  • event_name

  • event_code

winsession-disconnect

A user disconnected from an existing Terminal Services session.

Note

This is tied to Windows event 4779.

  • host

  • time

  • dest_host/dest_ip

  • domain

  • user

  • src_host/src_ip

  • logon_id

  • event_code

  • event_name

service-created

A service was installed on the system.

Note

This is tied to service creation events, such as Windows 4697.

  • host

  • time

  • dest_host

  • service_name

  • user

  • src_host/src_ip

  • process

  • process_name

  • dest_host/dest_ip

  • user_sid

  • logon_id

  • event_code

  • service_type

  • account_domain

  • event_name

  • account_name

  • process_directory

batch-logon

A non-interactive batch logon occurred.

Note

This is tied to Windows events 4624 or 528 with logon type 4.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • auth_package

  • process

  • process_name

  • logon_id

  • logon_type

  • event_name

computer-logon

A non-interactive computer logon occurred.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • event_name

ds-access

A user accessed an Active Directory object.

  • host

  • time

  • domain

  • object

  • user

  • old_attribute

  • src_host/src_ip

  • object_dn

  • dest_host/dest_ip

  • attribute

  • new_attribute

  • event_name

  • logon_id

  • event_code

  • object_ou

  • object_class

  • activity_type

process-created-failed

A user failed to execute an endpoint process on a host.

  • host

  • time

  • dest_host/dest_ip

  • process_name

  • src_host/src_ip

  • domain

  • process

  • pid

  • command_line

  • parent_process

  • logon_id

  • user

  • event_code

  • path

  • outcome

  • event_name

  • process_directory

  • md5

kerberos-logon

An interactive logon using Kerberos occurred.

Note

This is tied to Windows events 4768 or 672. For more precise readings on the nature of the logon, consider collecting Windows events 4624 from the asset.

  • host

  • time

  • domain

  • user

  • dest_host/dest_ip

  • result_code

  • src_host/src_ip

  • user_sid

  • service_name

  • ticket_encryption_type

  • event_code

  • event_name

  • ticket_options

failed-usb-activity

USB activity failed. For example, an administrator sets a policy to deny USB activity on machines connected to the company network. A user then attempts to copy files to a USB flash drive and is denied by the policy; the activity is logged as failed-usb-activity.

  • host

  • time

  • dest_host/dest_ip

  • user

  • device_id

  • src_host/src_ip

  • domain

  • activity_details

  • event_code

  • process

  • process_name

  • bytes

  • device_type

  • activity

  • event_name

security-alert

An alert was reported by a third-party security product, such as FireEye, Palo Alto Networks, or other antivirus software running on the endpoints.

  • host

  • time

  • src_host/src_ip

  • alert_name

  • alert_type

  • alert_severity

  • dest_host/dest_ip

  • file_name

  • process_name

  • malware_url

  • process

  • alert_id

  • user

  • event_code

  • event_name

  • additional_info

app-activity-failed

A user successfully logged in to an app but failed to perform an action in the app.

  • host

  • time

  • user

  • activity

  • app

  • outcome

  • src_host/src_ip

  • resource

  • dest_host/dest_ip

  • object

  • event_name

  • user_agent

  • event_code

  • additional_info

  • result

vpn-login

A remote access VPN login attempt performed either from a public IP address or from an internal network address was successful.

  • host

  • time

  • src_host/src_ip

  • user

  • domain

  • realm

  • dest_host/dest_ip

  • os

  • session_id

  • event_name

  • event_code

  • src_translated_ip

physical-access

A user successfully opened a door, gate, or other entrance using their badge.

  • host

  • time

  • badge_id

  • location_door

  • location_city

  • location_building

  • first_name

  • last_name

  • src_host/src_ip

  • dest_host/dest_ip

  • event_name

  • employee_id

  • user

  • event_code

  • outcome

file-upload

A file was uploaded to the web.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • user

  • src_host/src_ip

  • domain

  • file_type

  • app

  • process_name

  • bytes

  • src_file_name

  • accesses

  • file_path

  • process

  • event_code

  • activity

  • file_ext

  • src_file_dir

  • event_name

  • file_parent

config-change

A user made a configuration change.

  • host

  • time

  • user

  • activity

  • dest_host/dest_ip

  • object

  • src_host/src_ip

  • event_code

  • outcome

  • event_name

database-update

A user issued a database query to update one or more database records.

  • host

  • time

  • database_name

  • db_user

  • user

  • src_host/src_ip

  • process

  • database_schema

  • dest_host/dest_ip

  • app

  • process_name

  • domain

  • db_operation

  • table_name

  • event_code

  • database_object

  • server_group

  • event_name

account-password-change-failed

A user attempted to change their account password but failed.

Note

This is tied to Windows events 4723 or 627.

  • host

  • time

  • target_user

  • user

  • target_user_sid

  • domain

  • src_host/src_ip

  • user_sid

  • target_domain

  • dest_host/dest_ip

  • logon_id

  • event_code

  • outcome

  • event_name

database-activity-failed

A database query was issued and then failed.

  • host

  • time

  • db_user

  • user

  • db_operation

  • database_name

  • outcome

  • src_host/src_ip

  • domain

  • resource

  • dest_host/dest_ip

  • app

  • process_name

  • process

  • event_code

  • server_group

  • database_schema

  • event_name

network-alert

Suspicious activity in the network was detected and reported by a network security product, such as an IDS or IPS.

  • host

  • time

  • dest_host/dest_ip

  • src_host/src_ip

  • alert_name

  • domain

  • alert_type

  • src_port

  • alert_severity

  • event_name

  • user

  • event_code

  • protocol

  • additional_info

  • dest_port

web-activity-allowed

A user accessed a web resource via a proxy or some other web monitoring gateway.

  • host

  • time

  • user

  • action

  • method

  • web_domain

  • protocol

  • dest_host/dest_ip

  • bytes_out

  • uri_path

  • proxy_action

  • mime

  • categories

  • dest_port

  • category

  • src_host/src_ip

  • top_domain

  • src_port

  • referrer

  • result_code

  • src_ip

  • event_name

  • user_agent

  • event_code

  • bytes_in

  • os

  • full_url

  • uri_query

remote-logon

A remote, interactive logon occurred.

Note

This is tied to Windows events 4624 with logon type 10 or 11. Also tied to Unix SSH login events.

  • host

  • time

  • dest_host/dest_ip

  • src_host/src_ip

  • user

  • domain

  • event_code

  • auth_package

  • process

  • service_name

  • process_name

  • logon_id

  • logon_type

  • event_name

  • ticket_options

failed-logon

A user failed a logon attempt.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • process

  • process_name

  • failure_reason

  • user_sid

  • logon_type

  • event_name

  • result_code

account-enabled

An account was enabled by a user.

  • host

  • time

  • dest_host/dest_ip

  • target_user

  • user

  • src_host/src_ip

  • domain

  • target_domain

  • event_name

  • logon_id

  • event_code

audit-policy-change

An audit policy was changed.

Note

This is tied to Windows events 4719 and 612.

  • host

  • time

  • policy

  • domain

  • user

  • dest_host/dest_ip

  • src_host/src_ip

  • event_code

  • subcategory

  • event_name

  • logon_id

  • audit_category

workstation-unlocked

A user unlocked their workstation.

Note

This is tied to Windows event 4801.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • event_code

  • event_name

database-query

A user queried a database.

  • host

  • time

  • db_user

  • user

  • database_name

  • db_query

  • src_host/src_ip

  • process

  • database_schema

  • event_code

  • dest_host/dest_ip

  • app

  • process_name

  • domain

  • db_operation

  • table_name

  • response_size

  • database_object

  • server_group

  • event_name

member-added

A user has been added to a domain group membership.

  • host

  • time

  • user

  • account_id

  • group_name

  • src_host/src_ip

  • account_ou

  • dest_host/dest_ip

  • group_domain

  • domain

  • event_name

  • logon_id

  • event_code

  • account_dn

  • group_type

remote-access

A remote, non-interactive logon occurred.

Note

This is tied to Windows events 4769, or 4624 with logon type 3 or 8.

  • host

  • time

  • src_host/src_ip

  • user

  • service_name

  • domain

  • event_code

  • auth_package

  • dest_host/dest_ip

  • process_name

  • ticket_encryption_type

  • process

  • logon_id

  • logon_type

  • event_name

  • ticket_options

account-disabled

An administrator disabled a user's account.

  • host

  • time

  • target_user

  • user

  • src_host/src_ip

  • domain

  • user_sid

  • target_domain

  • dest_host/dest_ip

  • logon_id

  • event_code

  • event_name

network-connection-successful

A network connection attempt was successful.

  • host

  • time

  • src_host/src_ip

  • dest_host/dest_ip

  • src_port

  • dest_port

  • direction

  • src_interface

  • protocol

  • event_name

  • src_translated_port

  • bytes_in

  • bytes

  • bytes_out

  • src_mac

  • dest_mac

  • rule

  • event_code

  • dest_translated_ip

  • action

  • dest_interface

  • outcome

  • src_translated_ip

  • dest_translated_port

  • user

authentication-successful

An authentication attempt performed either from a public IP address or from an internal network address was successful.

  • host

  • time

  • dest_host/dest_ip

  • user

  • src_host/src_ip

  • domain

  • app

  • event_name

  • user_agent

  • event_code

  • outcome

  • os

  • auth_method

  • browser

netflow-connection

A new NetFlow connection was detected.

  • host

  • time

  • src_host/src_ip

  • dest_host/dest_ip

  • src_port

  • dest_port

  • direction

  • src_interface

  • protocol

  • bytes_out

  • packets

  • time_end

  • bytes

  • end_reason

  • user

  • event_code

  • bytes_in

  • time_start

  • dest_interface

  • outcome

  • event_name

share-access

A user accessed a Windows network share.

  • host

  • time

  • dest_host/dest_ip

  • user

  • share_name

  • src_host/src_ip

  • domain

  • share_path

  • file_type

  • file_name

  • accesses

  • logon_id

  • event_code

  • outcome

  • event_name

account-password-reset

An administrator reset a user's password.

Note

This is tied to Windows events 4724 or 628.

  • host

  • time

  • target_user

  • user

  • target_user_sid

  • domain

  • src_host/src_ip

  • user_sid

  • target_domain

  • dest_host/dest_ip

  • logon_id

  • event_code

  • outcome

  • event_name

file-permission-change

A user has changed the permissions for a file and/or folder.

  • host

  • time

  • user

  • dest_host/dest_ip

  • file_name

  • accesses

  • src_host/src_ip

  • domain

  • file_type

  • app

  • process_name

  • bytes

  • file_path

  • process

  • event_code

  • activity

  • file_ext

  • event_name

  • file_parent

account-lockout

An account has been locked.

  • host

  • time

  • dest_host/dest_ip

  • domain

  • user

  • src_host/src_ip

  • caller_user

  • caller_domain

  • logon_id

  • event_code

  • event_name

  • auth_method

database-access

A user accessed a database.

  • host

  • time

  • db_user

  • user

  • db_operation

  • database_name

  • src_host/src_ip

  • domain

  • database_schema

  • dest_host/dest_ip

  • sql_count

  • app

  • process_name

  • session_id

  • process

  • table_name

  • event_code

  • service_name

  • database_object

  • server_group

  • event_name

  • additional_info

failed-ds-access

An access attempt to an Active Directory object failed.

  • host

  • time

  • domain

  • object

  • user

  • src_host/src_ip

  • object_dn

  • dest_host/dest_ip

  • attribute

  • failure_reason

  • event_name

  • event_code

  • object_ou

  • outcome

  • object_class

  • activity_type

member-removed

A user has been removed from a domain group membership.

  • host

  • time

  • user

  • account_id

  • group_name

  • src_host/src_ip

  • account_ou

  • dest_host/dest_ip

  • group_domain

  • domain

  • event_name

  • logon_id

  • event_code

  • account_dn

  • group_type

task-created

A user created a new scheduled task.

Note

This is tied to Windows event 4698.

  • host

  • time

  • dest_host/dest_ip

  • user

  • task_name

  • src_host/src_ip

  • domain

  • description

  • process

  • process_name

  • run_level

  • event_code

  • account_domain

  • event_name

  • account_name

  • process_directory

process-network

A process executing on the endpoint tried to access the network.

  • host

  • time

  • dest_host/dest_ip

  • src_host/src_ip

  • process_name

  • direction

  • src_port

  • process

  • bytes

  • domain

  • user

  • event_code

  • event_name

  • process_directory

  • dest_port

file-delete

A user deleted a file.

  • host

  • time

  • dest_host/dest_ip

  • file_name

  • user

  • src_host/src_ip

  • domain

  • file_type

  • app

  • process_name

  • bytes

  • accesses

  • file_path

  • process

  • event_code

  • activity

  • file_ext

  • event_name

  • file_parent