process-network-failed | An endpoint process was blocked from accessing a network. | host time dest_host/dest_ip src_host/src_ip process_name | direction src_port process bytes domain user event_code event_name process_directory dest_port
network-connection-failed | A network connection failure occurred. | host time src_host/src_ip dest_host/dest_ip action src-port dest_port | direction src_interface protocol event_name src_translated_port bytes_in dest_translated_ip rule src_mac bytes dest_mac user event_code bytes_out dest_interface outcome src_translated_ip dest_translated_port
database-login | A user logged into the database. | host time database_name db_user user | src_host/src_ip domain protocol dest_host/dest_ip service_name app process_name process event_code server_group event_name
database-delete | One or more records were deleted from the database. | host time database_name db_user user | src_host/src_ip process database_schema dest_host/dest_ip app process_name domain db_operation table_name event_code database_object server_group event_name
privileged-object-access | A user obtained special privileges to access a privileged object. Note: This is tied to Windows events 4674 or 578. | host time user dest_host/dest_ip privileges object | ownership_privilege src_host/src_ip domain object_type event_code process environment_privilege process_name object_server logon_id tcb_privilege debug_privilege event_name process_directory
account-creation | A user created a new account. Note: This is tied to Windows events 4720 or 624. | host time dest_host/dest_ip account_name user | src_host/src_ip domain event_name logon_id event_code account_domain
dns-query | An asset queried for a domain in the DNS server. | host time src_host/src_ip query | src_port dest_host/dest_ip query_type bytes event_name query_flags user event_code src_mac dest_port
vpn-logout | A user logged off a remote access VPN. | | src_host/src_ip domain session_duration realm dest_host/dest_ip bytes_out session_id event_name event_code bytes_in os src_translated_ip
dlp-email-alert-out | Outgoing email activity reported by an email monitoring tool. | | src_host/src_ip direction external_domain attachments recipients dest_host/dest_ip bytes num_recipients return_path event_name user event_code external_address outcome message_id user_email subject
service-logon | A non-interactive service logon occurred. Note: This is tied to Windows events 4624 and 528 with logon type 5. | host time dest_host/dest_ip user | src_host/src_ip domain event_code auth_package process process_name logon_id logon_type event_name
dlp-alert | An alert was reported by a DLP product running on the endpoints. | host time src_host/src_ip alert_name | alert_severity alert_type target dest_host/dest_ip file_name domain event_name alert_id user event_code outcome additional_info
file-write | A file was created, edited, or moved. | host time dest_host/dest_ip file_name user | src_host/src_ip domain file_type app process_name bytes src_file_name accesses file_path process event_code activity file_ext src_file_dir event_name file_parent
account-switch | A user switched their account to impersonate another account. Note: This is tied to Windows events 4648 and 552. Also tied to Unix SUDO logs. | host time dest_host/dest_ip account user | src_host/src_ip domain safe_value process account_logon_guid process_name dest_service user_uid user_logon_guid user_sid logon_id event_code account_domain event_name process_directory
authentication-failed | An authentication attempt performed either from a public IP address or from an internal network address failed. | host time dest_host/dest_ip user failure_reason | src_host/src_ip domain app additional_info event_name user_agent event_code outcome os auth_method browser
file-download | A file was downloaded. | host time dest_host/dest_ip file_name user | src_host/src_ip domain file_type app process_name bytes src_file_name accesses file_path process event_code activity file_ext src_file_dir event_name file_parent
app-login | A user logged into an application. | | src_host/src_ip protocol dest_host/dest_ip event_name user_agent event_code os user_email
usb-write | A user copied files from their machine to a USB flash drive. | host time dest_host/dest_ip file_name user | src_host/src_ip src_file_name activity_details event_code process process_name bytes domain src_file_ext device_type activity file_ext src_file_dir event_name file_path process_directory device_id
database-alert | Abnormal activity in the database was detected either by Exabeam or by a third-party monitoring tool. | host time alert_name db_user user database_name | domain alert_type event_code dest_host/dest_ip service_name app process_name process alert_id database_object server_group event_name additional_info src_host/src_ip alert_severity malware_url db_operation table_name response_size
print-activity | A user printed files, data, or some other form of content. | host time user dest_host/dest_ip printer_name object | src_host/src_ip domain num_pages bytes event_name event_code activity outcome
workstation-locked | A user locked their workstation. Note: This is tied to Windows event 4800. | host time dest_host/dest_ip user | src_host/src_ip domain event_code event_name
failed-physical-access | A user swiped their physical badge to open a door, gate, or other entrance but was denied access. | host time outcome badge_id location_door | location_city location_building first_name last_name src_host/src_ip dest_host/dest_ip event_name employee_id user event_code
vpn-connection | A user used VPN to connect to a network. | host time src_host/src_ip src_port dest_host/dest_ip dest_port | event_name event_code bytes_in dest_translated_ip session_id duration user access_group bytes_out action src_translated_ip
app-activity | A user's activity within a specific application. | host time user activity app object | src_host/src_ip resource dest_host/dest_ip event_name result event_code additional_info user_agent
usb-insert | A USB flash drive was connected to the network. | host time dest_host/dest_ip user device_id | src_host/src_ip domain activity_details event_code process process_name bytes device_type event_name
dlp-email-alert-in-failed | An inbound email activity failure occurred, for example because of an email server error. | | src_host/src_ip direction external_domain attachments recipients dest_host/dest_ip bytes num_recipients return_path event_name user event_code external_address outcome message_id user_email subject
account-unlocked | An administrator unlocked a user's account. | | src_host/src_ip domain user_sid target_domain dest_host/dest_ip logon_id event_code outcome event_name
process-alert | A user has executed a process that triggered an organization's configured endpoint process alert. | host time dest_host/dest_ip alert_name process_name | src_host/src_ip domain alert_type process command_line alert_severity parent_process alert_id user event_code process_directory event_name md5
privileged-access | A user obtained special privileges. For example, a regular user who does not have administrator privileges attempts to elevate their own privileges to administrator. Note: This is tied to events indicating privileged access or service, such as Windows events 4672, 4673, 576, and 577. | host time dest_host/dest_ip privileges user | ownership_privilege src_host/src_ip domain event_code process environment_privilege process_name object_server logon_id tcb_privilege debug_privilege event_name process_directory
dlp-email-alert-out-failed | An outbound email activity failure occurred. For example, the recipient email address is wrong or there is an email server error. | | src_host/src_ip direction external_domain attachments recipients dest_host/dest_ip bytes num_recipients return_path event_name user event_code external_address outcome message_id user_email subject
dns-response | An asset received a response from a DNS server. | host time dest_host/dest_ip query dns_response_code | src_host/src_ip src_port query_type bytes event_name query_id user event_code response_flags response dest_port
database-failed-login | A user attempted and failed to log in to a database. | host time reason db_user user database_name | src_host/src_ip domain dest_host/dest_ip service_name app process_name process event_code server_group outcome event_name
process-created | A user has executed an endpoint process on a host. | host time dest_host/dest_ip process_name | src_host/src_ip domain process pid command_line parent_process logon_id user event_code path event_name process_directory md5
failed-vpn-login | A remote access VPN login attempt performed either from a public IP address or from an internal network address failed. | host time src_host/src_ip user | domain realm dest_host/dest_ip failure_reason event_name event_code
nac-failed-logon | A logon attempt to a NAC failed. | host time dest_host/dest_ip domain user | src_host/src_ip network event_code auth_server event_name
web-activity-denied | A user was blocked by a restricting policy while attempting to access a web resource via a proxy or other web monitoring gateway. | host time user action method web_domain | protocol dest_host/dest_ip bytes_out uri_path proxy_action mime categories dest_port category src_host/src_ip top_domain src_port referrer result_code failure_reason src_ip event_name user_agent event_code bytes_in os full_url uri_query
failed-app-login | A user failed to log in to an application. | host time app user failure_reason | src_host/src_ip dest_host/dest_ip event_name user_agent event_code outcome os browser
account-password-change | A user changed their account password. Note: This is tied to Windows events 4723 or 627. | | src_host/src_ip domain user_sid target_domain dest_host/dest_ip logon_id event_code outcome event_name
account-deleted | A user deleted an account. Note: This is tied to Windows events 4726 or 630. | | src_host/src_ip domain user_sid target_domain dest_host/dest_ip logon_id event_code event_name
file-read | A user opened or downloaded a file. | host time dest_host/dest_ip file_name user | src_host/src_ip domain file_type app process_name bytes src_file_name accesses file_path process event_code activity file_ext src_file_dir event_name file_parent
usb-read | USB read activity was detected. | host time user dest_host/dest_ip file_name device_id | src_host/src_ip domain activity_details event_code process process_name bytes device_type activity file_ext event_name file_path process_directory
nac-logon | A user was granted network access. | host time dest_host/dest_ip user | auth_type src_host/src_ip domain network event_name event_code auth_server src_mac
share-access-denied | This user has been denied access to a Windows network share. | host time user share_name dest_host/dest_ip outcome | src_host/src_ip domain share_path file_type file_name accesses logon_id event_code event_name
file-alert | A file integrity product (such as Tripwire) reported a change made to a critical and/or system file. | host time dest_host/dest_ip file_name alert_name | src_host/src_ip domain alert_type process process_name alert_severity accesses alert_id user event_code file_ext file_parent event_name file_path
audit-log-clear | An audit log was deleted from the system. Note: This is tied to Windows events indicating audit log clearance, such as Windows 1102 and 517. | host time dest_host/dest_ip user | src_host/src_ip domain logon_id event_code event_name
local-logon | A local logon occurred. Note: This is tied to Windows events 4624 or 528 with logon type 2 or 7. Also tied to Windows events with logon type 11 and a process name indicating a local interactive logon, and to Linux local logon events. | host time dest_host/dest_ip user | src_host/src_ip domain event_code auth_package process process_name logon_id logon_type event_name
ntlm-logon | An interactive logon using NTLM authentication occurred. Note: This is tied to Microsoft NTLM events that indicate an interactive logon by a user, such as Windows events 4776 or 680. For a more precise reading of the nature of the logon, consider collecting Windows 4624 events from the asset. | host time domain user dest_host/dest_ip result_code | src_host/src_ip event_name event_code
winsession-disconnect | A user disconnected from an existing Terminal Services session. Note: This is tied to Windows event 4779. | host time dest_host/dest_ip domain user | src_host/src_ip logon_id event_code event_name
service-created | A service was installed on the system. Note: This is tied to service creation events, such as Windows 4697. | host time dest_host service_name user | src_host/src_ip process process_name dest_host/dest_ip user_sid logon_id event_code service_type account_domain event_name account_name process_directory
batch-logon | A non-interactive batch logon occurred. Note: This is tied to Windows events 4624 and 528 with logon type 4. | host time dest_host/dest_ip user | src_host/src_ip domain event_code auth_package process process_name logon_id logon_type event_name
computer-logon | A non-interactive computer logon occurred. | host time dest_host/dest_ip user | src_host/src_ip domain event_code event_name
ds-access | A user accessed an Active Directory object. | | old_attribute src_host/src_ip object_dn dest_host/dest_ip attribute new_attribute event_name logon_id event_code object_ou object_class activity_type
process-created-failed | A user failed to execute an endpoint process on a host. | host time dest_host/dest_ip process_name | src_host/src_ip domain process pid command_line parent_process logon_id user event_code path outcome event_name process_directory md5
kerberos-logon | An interactive logon using Kerberos occurred. Note: This is tied to Windows events 4768 or 672. For a more precise reading of the nature of the logon, consider collecting Windows 4624 events from the asset. | host time domain user dest_host/dest_ip result_code | src_host/src_ip user_sid service_name ticket_encryption_type event_code event_name ticket_options
failed-usb-activity | USB activity failed. For example, an administrator sets a policy to deny USB activity on machines connected to the company network. Then a user attempts to copy files to a USB flash drive and is denied by the policy. The activity would be logged as failed-usb-activity. | host time dest_host/dest_ip user device_id | src_host/src_ip domain activity_details event_code process process_name bytes device_type activity event_name
security-alert | An alert was reported by a third-party security product, such as FireEye, Palo Alto Networks, or other antivirus software running on the endpoints. | host time src_host/src_ip alert_name | alert_type alert_severity dest_host/dest_ip file_name process_name malware_url process alert_id user event_code event_name additional_info
app-activity-failed | A user successfully logged in to an app but failed to perform an action in the app. | host time user activity app outcome | src_host/src_ip resource dest_host/dest_ip object event_name user_agent event_code additional_info result
vpn-login | A remote access VPN login attempt performed either from a public IP address or from an internal network address was successful. | host time src_host/src_ip user | domain realm dest_host/dest_ip os session_id event_name event_code src_translated_ip
physical-access | A user successfully opened a door, gate, or other entrance using their badge. | host time badge_id location_door | location_city location_building first_name last_name src_host/src_ip dest_host/dest_ip event_name employee_id user event_code outcome
file-upload | A file was uploaded to the web. | host time dest_host/dest_ip file_name user | src_host/src_ip domain file_type app process_name bytes src_file_name accesses file_path process event_code activity file_ext src_file_dir event_name file_parent
config-change | A user made a configuration change. | host time user activity dest_host/dest_ip object | src_host/src_ip event_code outcome event_name
database-update | A user issued a database query to update one or more database records. | host time database_name db_user user | src_host/src_ip process database_schema dest_host/dest_ip app process_name domain db_operation table_name event_code database_object server_group event_name
account-password-change-failed | A user attempted to change their account password but failed. Note: This is tied to Windows events 4723 or 627. | | target_user_sid domain src_host/src_ip user_sid target_domain dest_host/dest_ip logon_id event_code outcome event_name
database-activity-failed | A database query was issued and then failed. | host time db_user user db_operation database_name outcome | src_host/src_ip domain resource dest_host/dest_ip app process_name process event_code server_group database_schema event_name
network-alert | Suspicious activity in the network was detected and reported by a network security product, such as an IDS or IPS. | host time dest_host/dest_ip src_host/src_ip alert_name | domain alert_type src_port alert_severity event_name user event_code protocol additional_info dest_port
web-activity-allowed | A user has accessed a web resource via a proxy or some other web monitoring gateway. | host time user action method web_domain | protocol dest_host/dest_ip bytes_out uri_path proxy_action mime categories dest_port category src_host/src_ip top_domain src_port referrer result_code src_ip event_name user_agent event_code bytes_in os full_url uri_query
remote-logon | A remote, interactive logon occurred. Note: This is tied to Windows events 4624 with logon type 10 or 11. Also tied to Unix SSH login events. | host time dest_host/dest_ip src_host/src_ip user | domain event_code auth_package process service_name process_name logon_id logon_type event_name ticket_options
failed-logon | A user failed a logon attempt. | host time dest_host/dest_ip user | src_host/src_ip domain event_code process process_name failure_reason user_sid logon_type event_name result_code
account-enabled | An account was enabled by a user. | host time dest_host/dest_ip target_user user | src_host/src_ip domain target_domain event_name logon_id event_code
audit-policy-change | An audit policy was changed. Note: This is tied to Windows events 4719 and 612. | host time policy domain user dest_host/dest_ip | src_host/src_ip event_code subcategory event_name logon_id audit_category
workstation-unlocked | A user unlocked their workstation. Note: This is tied to Windows event 4801. | host time dest_host/dest_ip user | src_host/src_ip domain event_code event_name
database-query | A user queried a database. | host time db_user user database_name db_query | src_host/src_ip process database_schema event_code dest_host/dest_ip app process_name domain db_operation table_name response_size database_object server_group event_name
member-added | A user has been added to a domain group membership. | host time user account_id group_name | src_host/src_ip account_ou dest_host/dest_ip group_domain domain event_name logon_id event_code account_dn group_type
remote-access | A remote, non-interactive logon occurred. Note: This is tied to Windows events 4769, or 4624 with logon type 3 or 8. | host time src_host/src_ip user service_name | domain event_code auth_package dest_host/dest_ip process_name ticket_encryption_type process logon_id logon_type event_name ticket_options
account-disabled | An administrator disabled a user's account. | | src_host/src_ip domain user_sid target_domain dest_host/dest_ip logon_id event_code event_name
network-connection-successful | A network connection attempt was successful. | host time src_host/src_ip dest_host/dest_ip src-port dest_port | direction src_interface protocol event_name src_translated_port bytes_in bytes bytes_out src_mac dest_mac rule event_code dest_translated_ip action dest_interface outcome src_translated_ip dest_translated_port user
authentication-successful | An authentication attempt performed either from a public IP address or from an internal network address was successful. | host time dest_host/dest_ip user | src_host/src_ip domain app event_name user_agent event_code outcome os auth_method browser
netflow-connection | A new NetFlow connection was detected. | host time src_host/src_ip dest_host/dest_ip src-port dest_port | direction src_interface protocol bytes_out packets time_end bytes end_reason user event_code bytes_in time_start dest_interface outcome event_name
share-access | This user has accessed a Windows network share. | host time dest_host/dest_ip user share_name | src_host/src_ip domain share_path file_type file_name accesses logon_id event_code outcome event_name
account-password-reset | An administrator reset a user's password. Note: This is tied to Windows events 4724 or 628. | | target_user_sid domain src_host/src_ip user_sid target_domain dest_host/dest_ip logon_id event_code outcome event_name
file-permission-change | A user has changed the permissions for a file and/or folder. | host time user dest_host/dest_ip file_name accesses | src_host/src_ip domain file_type app process_name bytes file_path process event_code activity file_ext event_name file_parent
account-lockout | An account has been locked. | host time dest_host/dest_ip domain user | src_host/src_ip caller_user caller_domain logon_id event_code event_name auth_method
database-access | A user accessed a database. | host time db_user user db_operation database_name | src_host/src_ip domain database_schema dest_host/dest_ip sql_count app process_name session_id process table_name event_code service_name database_object server_group event_name additional_info
failed-ds-access | An access attempt to an Active Directory object failed. | | src_host/src_ip object_dn dest_host/dest_ip attribute failure_reason event_name event_code object_ou outcome object_class activity_type
member-removed | A user has been removed from a domain group membership. | host time user account_id group_name | src_host/src_ip account_ou dest_host/dest_ip group_domain domain event_name logon_id event_code account_dn group_type
task-created | A user created a new scheduled task. Note: Tied to Windows event 4698. | host time dest_host/dest_ip user task_name | src_host/src_ip domain description process process_name run_level event_code account_domain event_name account_name process_directory
process-network | A process executing on the endpoint tried to access the network. | host time dest_host/dest_ip src_host/src_ip process_name | direction src_port process bytes domain user event_code event_name process_directory dest_port
file-delete | A user deleted a file. | host time dest_host/dest_ip file_name user | src_host/src_ip domain file_type app process_name bytes accesses file_path process event_code activity file_ext event_name file_parent