Appendix

AgentX Vendor Field Mapping

Linux

Unix Sysmon

Event ID: 1

Unix Field | Logpoint Field
--- | ---
EventData_Domain | caller_domain
EventData_IntegrityLevel | integrity_level
EventData_ParentUser | parent_user

Event ID: 3

Unix Field | Logpoint Field
--- | ---
EventData_Initiated | is_initiated

Event ID: 4

Unix Field | Logpoint Field
--- | ---
EventData_SchemaVersion | schema_version
EventData_State | status
EventData_Version | version

Event ID: 16

Unix Field | Logpoint Field
--- | ---
EventData_Configuration | file

Event ID: 23

Unix Field | Logpoint Field
--- | ---
EventData_IsExecutable | is_executable
EventData_Archived | is_archived

Unix Sysmon Generic Taxonomy

Unix Field | Logpoint Field
--- | ---
agent_name | agentx_agent
agent_ip | agentx_agent_address
decoder_name | agentx_decoder
EventData_AccountName | user
EventData_CommandLine | command
EventData_Company | vendor
EventData_CreationUtcTime | creation_ts
EventData_CurrentDirectory | path
EventData_Description | description
EventData_DestinationHostname | destination_host
EventData_DestinationIp | destination_address
EventData_DestinationIsIpv6 | is_destination_ipv6
EventData_DestinationPort | destination_port
EventData_DestinationPortName | service
EventData_EventType | event_type
EventData_FileVersion | file_version
EventData_Image | image
EventData_LogonGuid | logon_guid
EventData_LogonId | logon_id
EventData_OriginalFileName | file
EventData_ParentCommandLine | parent_command
EventData_ParentImage | parent_image
EventData_ParentProcessGuid | parent_process_guid
EventData_ParentProcessId | parent_process_id
EventData_ProcessGuid | process_guid
EventData_ProcessId | process_id
EventData_Product | application
EventData_Protocol | protocol
EventData_QueryName | query
EventData_QueryStatus | status
EventData_RuleName | rule
EventData_SourceHostname | source_host
EventData_SourceIp | source_address
EventData_SourceIsIpv6 | is_source_ipv6
EventData_SourcePort | source_port
EventData_TargetFilename | target_file
EventData_TerminalSessionId | session_id
EventData_User | user
EventData_UtcTime | utc_ts
id | id
location | location
manager_name | agentx_manager
System_Channel | channel
System_Computer | host
System_EventID | event_id
System_EventRecordID | record_id
System_Keywords | keyword
System_Level | severity
System_Opcode | opcode_value
System_Execution_ProcessID | execution_process_id
System_Security_UserId | user_id
System_Provider_Guid | guid
System_Provider_Name | event_source
System_SeverityValue | log_level
System_TimeCreated_SystemTime | log_ts
System_Task | task_value
System_Execution_ThreadID | execution_thread_id
System_Version | version
timestamp | event_received_ts
AllowHardTerminate | allow_hard_terminate
AllowStartOnDemand | allow_start_on_demand
Arguments | argument
Author | author
ClassId | class_id
Command | command
Count | restart_failure_count
Data | data
DataOffset | data_offset
Date | date
DaysInterval | days_interval
Deadline | deadline
Delay | delay
Description | description
DisallowStartIfOnBatteries | disallow_start_if_on_batteries
DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session
Duration | duration
Enabled | enabled
Exclusive | exclusive
ExecutionTimeLimit | execution_time_limit
GroupId | group_id
Hidden | hidden
Interval | restart_failure_interval
LogonType | logon_type
MultipleInstancesPolicy | multiple_instance_policy
Period | period
Priority | priority
RandomDelay | random_delay
RestartOnIdle | restart_on_idle
RunLevel | run_level
RunOnlyIfIdle | run_only_if_idle
RunOnlyIfNetworkAvailable | run_only_if_network_available
SecurityDescriptor | sd
Source | source
StartBoundary | start_ts
StartWhenAvailable | start_when_available
StateChange | state_change
StateName | state_name
StopAtDurationEnd | stop_at_duration_end
StopIfGoingOnBatteries | stop_if_going_on_batteries
StopOnIdleEnd | stop_on_idle_end
URI | url
UseUnifiedSchedulingEngine | use_unified_scheduling_engine
UserId | user_id
Version | version
WaitTimeout | wait_timeout
WakeToRun | wake_to_run
access_list | access_list
action | action
description | description
integrity_label | integrity_label
logon_category | logon_category
message | message
object | object
right | right
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc

Unix Audit Log Taxonomy

Unix Field | Logpoint Field
--- | ---
ARCH | processor_architecture
AUID | audit_user
EGID | effective_group
EUID | effective_user
FSGID | file_system_group
FSUID | file_system_user
GID | group
OGID | owner_group
PPID | parent_process
SAUID | sender_audit_user
SGID | set_group
SPID | sent_process
SUID | set_user
SYSCALL | system_call
UID | user
a0 | argument0
a1 | argument1
a10 | argument10
a11 | argument11
a12 | argument12
a13 | argument13
a14 | argument14
a15 | argument15
a16 | argument16
a17 | argument17
a18 | argument18
a19 | argument19
a2 | argument2
a20 | argument20
a3 | argument3
a4 | argument4
a5 | argument5
a6 | argument6
a7 | argument7
a8 | argument8
a9 | argument9
acct | user
addr | source_address
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
algo | algorithm
arch | processor_architecture
argc | argument_count
auid | audit_user_id
cap_fi | inherited_file_system_privilege
cap_fp | permitted_file_system_privilege
cap_pe | effective_process_privilege
cap_pi | inherited_process_privilege
cap_pp | permitted_process_privilege
capability | privilege
cgroup | path
cmd | command
comm | command
cwd | path
decoder_name | agentx_decoder
dev | device_id
devmajor | major_device_id
devminor | minor_device_id
egid | effective_group_id
euid | effective_user_id
exe | path
exit | status_code
family | address_type
fd | file_descriptor
filetype | file_type
flags | flag
fsgid | file_system_group_id
fsuid | file_system_user_id
fver | version
gid | group_id
hostname | hostname
icmptype | icmp_type
ino | inode
inode | inode
inode_gid | inode_group_id
inode_uid | inode_user_id
items | item_count
key | key
ksize | key_size
laddr | destination_address
list | list_id
log_type | log_level
lport | destination_port
manager_name | agentx_manager
message_id | message_id
mode | permission
msgtype | message_type
name | path
nametype | path_type
new auid | audit_user_id
new ses | session_id
new-disk | disk
new-mem | virtual_memory_size
new-net | hardware_address
new-vcpu | virtual_cpu_count
new_gid | group_id
new_pe | pe
new_pi | pi
new_pp | pp
oauid | user
obj | object
obj_gid | object_group_id
obj_lev_high | object_level_high
obj_lev_low | object_level_low
obj_role | role
obj_uid | object_id
obj_user | user
ocomm | command
ogid | owner_group_id
old auid | old_audit_user_id
old ses | old_session_id
old-disk | old_disk
old-mem | old_memory
old-net | old_hardware_address
old-vcpu | old_cpu_count
old_prom | old_flag
op | action
opid | target_process_id
oses | target_session_id
ouid | user_id
path | path
perm | permission
pid | process_id
ppid | parent_process_id
prom | flag
proto | protocol
rdev | recorded_device_id
record_id | record_id
res | status
result | status
rport | source_port
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
saddr | socket_address
sauid | sender_audit_user_id
scontext | source_context
ses | session_id
sgid | set_group_id
sig | signal_count
size | datasize
spid | sent_process_id
subj | subject
subj_clr | subject_clearance
subj_role | role
subj_sen | sensitivity
subj_user | user
subject | context subject
success | is_success
suid | set_user_id
syscall | system_call_id
tclass | target_class
tcontext | target_context
terminal | terminal
timestamp | event_received_ts
tty | terminal_type
type | event_type
uid | user_id
user pid | process_id
vm | virtual_machine
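The Unix Audit Log Taxonomy above maps several distinct auditd keys onto one Logpoint name: cwd, exe, cgroup and name all become path; acct, oauid, obj_user and subj_user all become user; res and result both become status. A normaliser therefore has to decide which value survives when those keys disagree inside one event, and it is worth knowing what the table silently drops. The Python script below is an added example, not Logpoint or AgentX code. It parses raw auditd records in the standard type=... msg=audit(epoch:serial): key=value form, groups the records of one event by serial, applies a subset of the mapping copied from the table, and reports every collision it resolves. The sample record lines are constructed for illustration; the mapping subset, the first-value-wins rule and the function names are this example's own choices.

```python
"""Normalise raw auditd records into the Logpoint names used in the Unix Audit
Log Taxonomy above, grouping the records of one event by audit serial and
flagging source fields that collide on a single normalised name."""
import re
from collections import defaultdict

# Subset of the Unix Audit Log Taxonomy (auditd key -> Logpoint field),
# copied from the table above. Note that cwd, exe and name all land on `path`.
AUDIT_FIELD_MAP = {
    "type": "event_type", "arch": "processor_architecture",
    "syscall": "system_call_id", "success": "is_success", "exit": "status_code",
    "a0": "argument0", "a1": "argument1", "a2": "argument2", "a3": "argument3",
    "items": "item_count", "ppid": "parent_process_id", "pid": "process_id",
    "auid": "audit_user_id", "uid": "user_id", "euid": "effective_user_id",
    "tty": "terminal_type", "ses": "session_id", "comm": "command",
    "exe": "path", "cwd": "path", "name": "path", "nametype": "path_type",
    "key": "key",
}

# Every auditd record starts with: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>):
_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# The body is key=value pairs; values are double-quoted strings or bare tokens.
# Assumption: quoted values contain no embedded double quotes.
_KV = re.compile(r'(\S+?)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return (timestamp, serial, {key: value}) for one raw auditd line."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an auditd record: %r" % line)
    rec_type, ts, serial, body = m.groups()
    fields = {"type": rec_type}
    for key, raw, unquoted in _KV.findall(body):
        fields[key] = unquoted if raw.startswith('"') else raw
    return float(ts), int(serial), fields


def normalise_event(records, field_map=AUDIT_FIELD_MAP):
    """Merge the records of one audit event into Logpoint-named fields.

    First value wins. A collision is reported when a *different* source key
    would have written a different value to a name that is already taken, so
    the mapping author can see what the table drops. Repeats of the same
    source key across records (type, nametype, ...) are not collisions.
    """
    event, origin, collisions = {}, {}, []
    for fields in records:
        for src, value in fields.items():
            dst = field_map.get(src)
            if dst is None:
                continue  # a key absent from the taxonomy is not carried over
            if dst in event:
                if event[dst] != value and origin[dst] != src:
                    collisions.append((origin[dst], src, dst))
                continue
            event[dst] = value
            origin[dst] = src
    return event, collisions


def normalise_stream(lines, field_map=AUDIT_FIELD_MAP):
    """Group raw lines by audit serial and normalise each event."""
    by_serial = defaultdict(list)
    for line in lines:
        _, serial, fields = parse_record(line)
        by_serial[serial].append(fields)
    return {s: normalise_event(recs, field_map) for s, recs in by_serial.items()}


# Constructed sample: one execve() event as auditd would emit it (four records
# sharing serial 4242); not taken from any real system.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d0f0 a1=55d1a0 a2=55d2b0 a3=7ffd0 items=2 '
    'ppid=1234 pid=1235 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 '
    'comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=CWD msg=audit(1700000000.123:4242): cwd="/home/alice"',
    'type=PATH msg=audit(1700000000.123:4242): item=0 name="/usr/bin/curl" '
    'inode=1310 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.123:4242): item=1 '
    'name="/lib64/ld-linux-x86-64.so.2" inode=1 nametype=NORMAL',
]

if __name__ == "__main__":
    for serial, (event, collisions) in normalise_stream(SAMPLE_RECORDS).items():
        print(serial, event)
        for kept, dropped, dst in collisions:
            print("  %s: kept value from %s, dropped %s" % (dst, kept, dropped))
```

With the sample event the normalised record keeps exe as path and reports that cwd ("/home/alice") and the second PATH item's name were discarded. If the working directory or the loader path matters to a detection, the mapping needs either a separate target name for cwd or per-record-type handling before the rename, which is the decision this report is meant to surface.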

File Integrity Monitoring

Unix Field | Logpoint Field
--- | ---
Author | author
Command | command
Data | data
Description | description
Duration | duration
Priority | priority
URI | url
UserId | user_id
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
manager_name | agentx_manager
rule_firedtimes | rule_trigger_count
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
syscheck_arch | architecture
syscheck_attrs_after | attribute
syscheck_audit_process_id | process_id
syscheck_audit_process_name | process
syscheck_audit_user_id | user_id
syscheck_audit_user_name | user
syscheck_changed_attributes | changed_attribute
syscheck_diff | changed_content
syscheck_entry_type | registry_entry_type
syscheck_event | action
syscheck_gid_after | group_id
syscheck_gname_after | group
syscheck_inode_after | inode
syscheck_md5_after | hash
syscheck_md5_before | old_hash
syscheck_mode | mode
syscheck_mtime_after | modification_ts
syscheck_mtime_before | old_modification_ts
syscheck_path | path
syscheck_perm_after | permission
syscheck_sha1_after | hash_sha1
syscheck_sha1_before | old_hash_sha1
syscheck_sha256_after | hash_sha256
syscheck_sha256_before | old_hash_sha256
syscheck_size_after | datasize
syscheck_size_before | old_datasize
syscheck_uid_after | uid
syscheck_uname_after | owner
syscheck_value_name | registry_value_name
syscheck_value_type | registry_value_type
syscheck_win_perm_after | permission
syscheck_win_perm_before | old_permission
timestamp | event_received_ts
data_parameters_program | program
data_parameters_keys | parameter_key
data_origin_name | origin
data_version | version
data_command | command
hostname | host
log_type | log_level
rule_description | rule_description
rule_frequency | rule_frequency
rule_level | rule_level
rule_mail | rule_mail

Security Configuration Assessment

Unix Field | Logpoint Field
--- | ---
Author | author
Command | command
Data | data
Description | description
Duration | duration
Priority | priority
URI | url
UserId | user_id
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
check_compliance_gpg_13 | check_compliance_gpg13
check_references | check_reference
check_rules | check_rule
data_sca_check_compliance_cis_csc | check_compliance_cis_csc
data_sca_check_compliance_hipaa | check_compliance_hipaa
data_sca_check_compliance_nist_800_53 | check_compliance_nist_800_53
data_sca_check_compliance_pci_dss | check_compliance_pci_dss
data_sca_check_compliance_tsc | check_compliance_tsc
data_sca_check_description | check_description
data_sca_check_file | check_file
data_sca_check_id | check_id
data_sca_check_rationale | check_rationale
data_sca_check_reason | check_reason
data_sca_check_references | check_reference
data_sca_check_registry | check_registry
data_sca_check_remediation | check_remediation
data_sca_check_result | check_result
data_sca_check_status | check_status
data_sca_check_title | check_title
data_sca_description | policy_description
data_sca_failed | fail_count
data_sca_file | policy_file
data_sca_invalid | invalid_count
data_sca_passed | pass_count
data_sca_policy | policy
data_sca_policy_id | policy_id
data_sca_scan_id | scan_id
data_sca_score | scan_score
data_sca_total_checks | total_count
data_sca_type | scan_type
decoder_name | agentx_decoder
description | policy_description
end_time | end_ts
failed | fail_count
file | policy_file
invalid | invalid_count
manager_name | agentx_manager
name | policy
passed | pass_count
policies | policy_id
references | policy_reference
rule_cis | cis
rule_cis_csc | cis_csc
rule_firedtimes | rule_trigger_count
rule_gdpr | gdpr
rule_gdpr_IV | gdpr_iv
rule_gpg13 | gpg13
rule_gpg_13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
score | scan_score
start_time | start_ts
timestamp | event_received_ts
total_checks | total_count
type | scan_type

Unix Generic Log Taxonomy

Unix Field | Logpoint Field
--- | ---
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
hostname | host
log_type | log_level
manager_name | agentx_manager
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
timestamp | event_received_ts

Active Response Taxonomy

Unix Field | Logpoint Field
--- | ---
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_labels_os_name | agentx_agent_os
agent_name | agentx_agent
data_parameters_program | program
data_parameters_keys | parameter_key
data_origin_module | origin_module
data_origin_name | origin
data_version | version
data_command | command
decoder_name | agentx_decoder
manager_name | agentx_manager
hostname | host
log_type | log_level
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
timestamp | event_received_ts

Windows

Windows Security Auditing

Event ID: 4616

Windows Field | Logpoint Field
--- | ---
eventdata_newTime | new_ts
eventdata_previousTime | old_ts

Event ID: 4697

Windows Field | Logpoint Field
--- | ---
eventdata_serviceType | object_type

Event ID: 4698

Windows Field | Logpoint Field
--- | ---
eventdata_taskContent | task_content

Event ID: 4720

Windows Field | Logpoint Field
--- | ---
eventdata_allowedToDelegateTo | allowed_to_delegate
eventdata_homeDirectory | home_directory
eventdata_homePath | home_path
eventdata_profilePath | path
eventdata_scriptPath | script_path
eventdata_sidHistory | sid_history
eventdata_userParameters | parameter
eventdata_userWorkstations | workstation

Event ID: 4729

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4730

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4731

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4734

Windows Field | Logpoint Field
--- | ---
eventdata_groupTypeChange | group_type

Event ID: 4744

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4745

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4748

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4749

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4750

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4754

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4755

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4759

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4760

Windows Field | Logpoint Field
--- | ---
eventdata_sidHistory | sid_history

Event ID: 4764

Windows Field | Logpoint Field
--- | ---
eventdata_groupTypeChange | group_type

Event ID: 4944

Windows Field | Logpoint Field
--- | ---
eventdata_groupPolicyApplied | policy
eventdata_logDroppedPacketsEnabled | log_dropped_packet
eventdata_logSuccessfulConnectionsEnabled | log_successful_connection
eventdata_multicastFlowsEnabled | multicast_flow
eventdata_operationMode | operation_mode
eventdata_profile | profile
eventdata_remoteAdminEnabled | remote_administration

Event ID: 4945

Windows Field | Logpoint Field
--- | ---
eventdata_profileUsed | profile

Event ID: 4953

Windows Field | Logpoint Field
--- | ---
eventdata_profile | profile
eventdata_reasonForRejection | reason

Event ID: 4956

Windows Field | Logpoint Field
--- | ---
eventdata_activeProfile | profile

Windows Sysmon

Event ID: 1

Windows Field | Logpoint Field
--- | ---
eventdata_accountname | caller_user
eventdata_domain | caller_domain
eventdata_integrityLevel | integrity_level
eventdata_parentUser | parent_user

Event ID: 2

Windows Field | Logpoint Field
--- | ---
eventdata_previousCreationUtcTime | previous_creation_ts

Event ID: 3

Windows Field | Logpoint Field
--- | ---
eventdata_initiated | is_initiated

Event ID: 4

Windows Field | Logpoint Field
--- | ---
eventdata_schemaVersion | schema_version
eventdata_state | status
eventdata_version | version

Event ID: 6

Windows Field | Logpoint Field
--- | ---
eventdata_signed | is_signed
eventdata_signature | signature
eventdata_signatureStatus | status
eventdata_imageLoaded | image

Event ID: 7

Windows Field | Logpoint Field
--- | ---
eventdata_image | source_image
eventdata_imageLoaded | image
eventdata_signatureStatus | status
eventdata_signed | is_signed
eventdata_signature | signature

Event ID: 8

Windows Field | Logpoint Field
--- | ---
eventdata_newThreadId | new_thread_id
eventdata_sourceImage | source_image
eventdata_sourceProcessGuid | source_process_guid
eventdata_sourceProcessId | source_process_id
eventdata_targetImage | target_image
eventdata_targetProcessGuid | target_process_guid
eventdata_targetProcessId | target_process_id
eventdata_startAddress | start_address
eventdata_sourceUser | source_user
eventdata_targetUser | target_user
eventdata_startFunction | start_function
eventdata_startModule | start_module

Event ID: 9

Windows Field | Logpoint Field
--- | ---
eventdata_utcTime | utc_ts
eventdata_device | device

Event ID: 10

Windows Field | Logpoint Field
--- | ---
eventdata_sourceImage | source_image
eventdata_callTrace | call_trace
eventdata_grantedAccess | access
eventdata_targetImage | image
eventdata_sourceProcessGUID | source_process_guid
eventdata_sourceProcessId | source_process_id
eventdata_sourceThreadId | source_thread_id
eventdata_targetProcessGUID | target_process_guid
eventdata_targetProcessId | target_process_id
eventdata_sourceUser | source_user
eventdata_targetUser | target_user

Event ID: 12

Windows Field | Logpoint Field
--- | ---
eventdata_targetObject | target_object

Event ID: 13

Windows Field | Logpoint Field
--- | ---
eventdata_targetObject | target_object
eventdata_details | detail

Event ID: 14

Windows Field | Logpoint Field
--- | ---
eventdata_targetObject | target_object
eventdata_newName | new_value

Event ID: 15

Windows Field | Logpoint Field
--- | ---
eventdata_contents | contents

Event ID: 16

Windows Field | Logpoint Field
--- | ---
eventdata_configuration | file

Event ID: 17

Windows Field | Logpoint Field
--- | ---
eventdata_pipeName | pipe

Event ID: 18

Windows Field | Logpoint Field
--- | ---
eventdata_pipeName | pipe

Event ID: 19

Windows Field | Logpoint Field
--- | ---
eventdata_name | name
eventdata_query | query
eventdata_eventNamespace | event_namespace

Event ID: 20

Windows Field | Logpoint Field
--- | ---
eventdata_name | name
eventdata_destination | destination

Event ID: 21

Windows Field | Logpoint Field
--- | ---
eventdata_consumer | consumer
eventdata_filter | filter

Event ID: 22

Windows Field | Logpoint Field
--- | ---
eventdata_queryResults | result

Event ID: 23

Windows Field | Logpoint Field
--- | ---
eventdata_isExecutable | is_executable
eventdata_archived | is_archived

Event ID: 24

Windows Field | Logpoint Field
--- | ---
eventdata_archived | is_archived
eventdata_session | session

Event ID: 26

Windows Field | Logpoint Field
--- | ---
eventdata_isExecutable | is_executable

Event ID: 255

Windows Field | Logpoint Field
--- | ---
eventdata_iD | message_id

File Integrity Monitoring

Windows Field | Logpoint Field
--- | ---
Author | author
Command | command
Data | data
Description | description
Duration | duration
Priority | priority
URI | url
UserId | user_id
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
manager_name | agentx_manager
rule_firedtimes | rule_trigger_count
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
syscheck_arch | architecture
syscheck_attrs_after | attribute
syscheck_audit_process_id | process_id
syscheck_audit_process_name | process
syscheck_audit_user_id | user_id
syscheck_audit_user_name | user
syscheck_changed_attributes | changed_attribute
syscheck_diff | changed_content
syscheck_entry_type | registry_entry_type
syscheck_event | action
syscheck_gid_after | group_id
syscheck_gname_after | group
syscheck_inode_after | inode
syscheck_md5_after | hash
syscheck_md5_before | old_hash
syscheck_mode | mode
syscheck_mtime_after | modification_ts
syscheck_mtime_before | old_modification_ts
syscheck_path | path
syscheck_perm_after | permission
syscheck_sha1_after | hash_sha1
syscheck_sha1_before | old_hash_sha1
syscheck_sha256_after | hash_sha256
syscheck_sha256_before | old_hash_sha256
syscheck_size_after | datasize
syscheck_size_before | old_datasize
syscheck_uid_after | uid
syscheck_uname_after | owner
syscheck_value_name | registry_value_name
syscheck_value_type | registry_value_type
syscheck_win_perm_after | permission
syscheck_win_perm_before | old_permission
timestamp | event_received_ts

DHCP Module

Windows Field | Logpoint Field
--- | ---
system_eventSourceName | source
agent_labels_os_name | agentx_agent_os
AllowHardTerminate | allow_hard_terminate
AllowStartOnDemand | allow_start_on_demand
Arguments | argument
Author | author
ClassId | class_id
Command | command
Count | restart_failure_count
Data | data
DataOffset | data_offset
Date | date
DaysInterval | days_interval
Deadline | deadline
Delay | delay
Description | description
DisallowStartIfOnBatteries | disallow_start_if_on_batteries
DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session
Duration | duration
Enabled | enabled
Exclusive | exclusive
ExecutionTimeLimit | execution_time_limit
GroupId | group_id
Hidden | hidden
Interval | restart_failure_interval
LogonType | logon_type
MultipleInstancesPolicy | multiple_instance_policy
Period | period
Priority | priority
RandomDelay | random_delay
RestartOnIdle | restart_on_idle
RunLevel | run_level
RunOnlyIfIdle | run_only_if_idle
RunOnlyIfNetworkAvailable | run_only_if_network_available
SecurityDescriptor | sd
Source | source
StartBoundary | start_ts
StartWhenAvailable | start_when_available
StateChange | state_change
StateName | state_name
StopAtDurationEnd | stop_at_duration_end
StopIfGoingOnBatteries | stop_if_going_on_batteries
StopOnIdleEnd | stop_on_idle_end
URI | url
UseUnifiedSchedulingEngine | use_unified_scheduling_engine
UserId | user_id
WaitTimeout | wait_timeout
WakeToRun | wake_to_run
access_list | access_list
action | action
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
description | description
eventdata_accessMask | access_mask
eventdata_accessReason | reason
eventdata_accountDomain | domain
eventdata_accountExpires | account_expire
eventdata_accountName | user
eventdata_additionalInfo | additional_information
eventdata_additionalInfo2 | additional_information_2
eventdata_algorithmName | cipher
eventdata_attributeLDAPDisplayName | ldap_display
eventdata_attributeSyntaxOID | attribute_id
eventdata_attributeValue | attribute_value
eventdata_authenticationPackageName | package
eventdata_callerProcessId | caller_process_id
eventdata_callerProcessName | caller_process
eventdata_clientAddress | source_address
eventdata_clientCreationTime | creation_ts
eventdata_clientName | workstation
eventdata_clientProcessId | process_id
eventdata_clientProcessStartKey | process_start_key
eventdata_commandLine | command
eventdata_countOfCredentialsReturned | credentials_returned_count
eventdata_dSName | service
eventdata_dSType | service_type
eventdata_displayName | display_name
eventdata_domainName | domain
eventdata_domainPolicyChanged | policy
eventdata_domainSid | domain_id
eventdata_elevatedToken | elevated_token
eventdata_eventCountTotal | event_count
eventdata_eventIdx | event_idx
eventdata_fQDN | fqdn
eventdata_failureId | failure_id
eventdata_failureReason | reason
eventdata_fileName | file
eventdata_flags | flag
eventdata_groupMembership | group_membership
eventdata_handleId | handle_id
eventdata_impersonationLevel | impersonation_level
eventdata_ipAddress | source_address
eventdata_ipPort | source_port
eventdata_keyFilePath | path
eventdata_keyLength | key_length
eventdata_keyName | key
eventdata_keyType | key_type
eventdata_linkName | link
eventdata_lmPackageName | lm_package
eventdata_lockoutThreshold | lockout_threshold
eventdata_logonGuid | logon_guid
eventdata_logonHours | logon_hour
eventdata_logonID | logon_id
eventdata_logonProcessName | logon_process
eventdata_logonType | logon_type
eventdata_mandatoryLabel | integrity_id
eventdata_masterKeyId | master_key_id
eventdata_memberName | member
eventdata_memberSid | target_id
eventdata_newProcessId | target_process_id
eventdata_newProcessName | new_process
eventdata_newSd | new_sd
eventdata_newState | new_value
eventdata_newUacValue | new_value
eventdata_newValue | new_value
eventdata_newValueType | new_value_type
eventdata_objectClass | class
eventdata_objectDN | object_dn
eventdata_objectGUID | service_guid
eventdata_objectName | object_name
eventdata_objectServer | object_server
eventdata_objectType | object_type
eventdata_objectValueName | object_value
eventdata_oldUacValue | old_value
eventdata_oldValue | old_value
eventdata_oldValueType | old_value_type
eventdata_opCorrelationID | operation_id
eventdata_operation | action
eventdata_operationType | operation_type
eventdata_packageName | package
eventdata_parentProcessId | parent_process_id
eventdata_parentProcessName | parent_process
eventdata_passwordLastSet | password_last_set_ts
eventdata_preAuthType | pre_authentication_type
eventdata_primaryGroupId | group_id
eventdata_privilegeList | privilege
eventdata_processCreationTime | process_creation_ts
eventdata_processId | process_id
eventdata_processName | process
eventdata_profileChanged | profile
eventdata_properties | properties
eventdata_providerName | provider
eventdata_readOperation | operation_type
eventdata_recoveryKeyId | recover_id
eventdata_recoveryReason | reason
eventdata_recoveryServer | server
eventdata_resourceManager | resource_manager
eventdata_restrictedAdminMode | restricted_admin_mode
eventdata_restrictedSidCount | restricted_id_count
eventdata_returnCode | status_code
eventdata_rpcCallClientLocality | rpc_call_client_locality
eventdata_ruleAttr | attribute
eventdata_ruleId | rule_id
eventdata_ruleName | rule_name
eventdata_samAccountName | sam_account_name
eventdata_service | service
eventdata_serviceAccount | service_account
eventdata_serviceFileName | file
eventdata_serviceName | service
eventdata_serviceSid | service_id
eventdata_serviceStartType | start_type
eventdata_serviceType | object_type
eventdata_sessionId | session_id
eventdata_sessionName | session
eventdata_shareLocalPath | share_path
eventdata_shareName | share_name
eventdata_status | status_code
eventdata_subStatus | sub_status_code
eventdata_subjectDomainName | domain
eventdata_subjectLogonId | logon_id
eventdata_subjectUserName | user
eventdata_subjectUserSid | user_id
eventdata_targetDomainName | target_domain
eventdata_targetInfo | information
eventdata_targetLinkedLogonId | target_linked_logon_id
eventdata_targetLogonGuid | target_logon_guid
eventdata_targetLogonId | target_logon_id
eventdata_targetName | target_name
eventdata_targetServerName | server
eventdata_targetSid | target_id
eventdata_targetUserName | target_user
eventdata_targetUserSid | target_id
eventdata_taskName | task
eventdata_ticketEncryptionType | encryption_type
eventdata_ticketOptions | ticket_option
eventdata_tokenElevationType | token_elevation_type
eventdata_transactionId | transaction_id
eventdata_transmittedServices | transmitted_service
eventdata_type | type
eventdata_userAccountControl | user_account_control
eventdata_userPrincipalName | user_principal_name
eventdata_virtualAccount | virtual_account
eventdata_workstation | workstation
eventdata_workstationName | workstation
eventdata_binary | binary_data
id | id
integrity_label | integrity_label
location | location
logon_category | logon_category
manager_name | agentx_manager
message | message
object | object
right | right
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | is_rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
system_channel | channel
system_computer | host
system_eventID | event_id
system_eventRecordID | record
system_keywords | keyword
system_level | severity
system_opcode | opcode_value
system_processID | execution_process_id
system_providerGuid | guid
system_providerName | event_source
system_severityValue | log_level
system_systemTime | log_ts
system_task | task_value
system_threadID | execution_thread_id
system_version | version
timestamp | event_received_ts
data_id | event_id
EventTime | event_ts

DNS Module

Windows Field | Logpoint Field
--- | ---
EventReceivedTime | event_ts
SourceModuleName | source_module
SourceModuleType | source_type
EventTime | log_ts
ThreadId | thread_id
RemoteIP | source_address
QueryResponseIndicator | action
FlagsHex | flag
RecursionDesired | recursion_desired
RecursionAvailable | recursion_available
ResponseCode | status_code
QuestionType | record_type
QuestionName | domain
AuthoritativeAnswer | answer
SendReceiveIndicator | direction
Severity | log_level
SeverityValue | severity
AccessList | access
AccessMask | access_mask
AccessReason | reason
AccountDomain | domain
AccountExpires | account_expire
AccountName | user
AccountType | account_type
Account_name | account
Action | action
Activity | ID
ActivityID | activity_id
AdditionalInfo | additional_information
Address | source_address
AllowedToDelegateTo | allowed_to_delegate_to
AppCorrelationID | app_correlation_id
Application | application
AttributeLDAPDisplayName | ldap_display
AttributeSyntaxOID | attribute_Syntax_oid
AttributeValue | value
AuditPolicyChanges | policy
AuditSourceName | audit_source
AuthenticationPackageName | authentication_package
BufferSize | buffer_size
CallerIdentity | caller_identity
CallerProcessId | caller_process_id
CallerProcessName | caller_process
CalloutKey | callout_key
CalloutName | callout_name
Category | event_category
CategoryId | category_id
ChangeType | change_type
Channel | channel
ChannelID | channel_id
ClientAddress | source_address
ClientIP | source_address
ClientName | remote_user
ClientUserName | user
CommandLine | command
CommandName | command
CommandPath | command_path
CommandType | command_type
Command_Name | command
Computer | host
ComputerAccountChange | computer_account_change
Conditions | condition
ContentLength | content_length
ContextInfo | context_info
DCName | target_domain
DSName | ds_name
DSType | ds_type
DateAndTime | event_ts
DestAddress | destination_address
DestPort | destination_port
Details | detail
Direction | direction
DirtyPages | page_count
DisplayName | display_name
DnsHostName | dns_host
Domain | caller_domain
DomainName | domain
DomainPolicyChanged | domain_policy_changed
DomainSid | domain_id
ErrorCode | error_code
Event | event
EventData | event_data
EventID | event_id
EventId | event_id
EventRecordID | record_id
EventType | event_type
Event_ID | event_identifier
ExecutionProcessID | execution_process_id
ExecutionThreadID | execution_thread_id
FailureReason | reason
FileHash | hash
FileHashLength | file_hash_length
FileName | file
FilePath | path
FilePathLength | file_path_length
FilterId | filter_id
FilterKey | filter_key
FilterName | filter
FilterRTID | filter_rtid
FilterType | filter_type
Flags | flag
ForceLogoff | force_logoff
Fqdn | fqdn
FqdnLength | fqdn_length
GPOList | gpo
HTTPMethod | request_method
HandleId | handle_id
HiveName | hive
HiveNameLength | hive_length
HomeDirectory | home_directory
HomePath | home_path
HostApplication | application
HostId | host_id
Host_Application | application
Host_Name | host
Hostname | host
InterfaceIP | host_address
IpAddress | source_address
IpPort | source_port
KeyLength | key_length
KeysUpdated | key_count
Keywords | keyword
LayerId | layer_id
LayerKey | layer_key
LayerName | layer_name
LayerRTID | layer_rtid
LmPackageName | package
LocalPort | local_port
LockoutDuration | lockout_duration
LockoutObservationWindow | lockout_observation_window
LockoutThreshold | lockout_threshold
LogonGuid | logon_guid
LogonHours | logon_hour
LogonID | logon_id
LogonProcessName | logon_process
LogonType | logon_type
MachineAccountQuota | machine_account_quota
Machine_name | workstation
MappedName | mapped_name
MappingBy | authentication_package
MaxPasswordAge | maximum_password_age
MemberName | member
MemberSid | member_id
Message | message
MessageNumber | message_number
MessageTotal | message_total
Metric_Dimensions_DiagnosticCode | diagnostic_code
Metric_Dimensions_DiagnosticText | diagnostic
Metric_Dimensions_InstanceId | instance_id
Metric_Dimensions_UploadState | upload_state_code

Metric_Dimensions_UploadStateString

upload_state

Metric_Name

metric

MinPasswordAge

minimum_password_age

MinPasswordLength

minimum_password_length

MixedDomainMode

mixed_domain_mode

NewCommandState

command_state

NewEngineState

engine_state

NewProcessId

target_process_id

NewProcessName

new_process

NewProviderState

provider_state

NewSD

new_sd

NewSd

new_sd

NewState

new_state

NewTargetUserName

new_target_user

NewTime

new_ts

NewUacValue

new_value

NumberOfGroupPolicyObjects

gpo_count

ObjectClass

class

ObjectDN

object_dn

ObjectGUID

object_guid

ObjectName

object

ObjectServer

object_server

ObjectType

object_type

OldSD

old_sd

OldSd

old_sd

OldTargetUserName

old_target_user

OldTime

old_ts

OldUacValue

old_value

OpCorrelationID

op_correlation_id

Opcode

opcode

OpcodeValue

opcode_value

OperationType

type

PackageName

package

PacketData

packet_data

ParentProcessName

parent_process

PasswordHistoryLength

password_history_length

PasswordLastSet

password_last_set_ts

PasswordProperties

password_properties

PipelineId

pipeline_id

PolicyName

policy

PolicyNameLength

policy_length

Port

source_port

PreAuthType

pre_authentication_type

PreviousEngineState

old_engine_state

PrimaryGroupId

primary_group_id

PrivilegeList

privilege

ProcessID

process_id

ProcessId

process_id

ProcessName

process

Process_ID

event_process_id

Process_name

event_process

ProcessingMode

processing_mode

ProcessingTimeInMilliseconds

processing_time

ProfilePath

profile_path

Properties

properties

Protocol

protocol

ProviderGuid

provider_guid

ProviderKey

provider_key

ProviderName

provider

ProxyDNSname

proxy_dns

QNAME

domain

QTYPE

request_code

Querystring

query

RD

received_datasize

RecordNumber

record

RelativeTargetName

relative_target_name

RemoteMachineID

remote_machine_id

RemoteUserID

remote_user_id

RequestDetails

detail

RequestType

request_type

Request_URL

url

Request_path

path

ResourceManager

resource_manager

RestrictedSidCount

restricted_sid_count

RuleAttr

rule_attribute

RuleId

rule_id

RuleName

rule

RuleNameLength

rule_name_length

RuleSddl

rule_ssdl

RuleSddlLength

rule_ssdl_length

RunspaceId

runspace_id

SamAccountName

sam_account_name

ScriptBlockId

script_block_id

ScriptBlockText

script_block

ScriptBlock_ID

script_block_id

ScriptName

script

ScriptPath

script_path

SequenceNumber

sequence_number

Service

service

ServiceName

service

ServicePrincipalNames

service_principal_name

ServiceSid

service_id

SessionId

session_id

SessionName

session

ShareLocalPath

share_path

ShareName

share_name

SidHistory

sid_history

Source

source_address

SourceAddress

source_address

SourceHandleId

handle_id

SourceModuleType

source_module_type

SourceName

event_source

SourcePort

source_port

SourceProcessId

process_id

Source_Network_Address

source_address

Status

status

SubStatus

sub_status

SubcategoryGuid

sub_category_guid

SubcategoryId

sub_category_id

SubjectDomainName

domain

SubjectLogonId

logon_id

SubjectUserName

user

SubjectUserSid

user_id

TCP

tcp

TargetDomainName

target_domain

TargetInfo

target_information

TargetLogonGuid

target_logon_guid

TargetLogonId

target_logon_id

TargetProcessId

target_process_id

TargetServerName

target_server

TargetSid

target_id

TargetUser

target_user

TargetUserName

target_user

TargetUserSid

target_id

Targetedrelying

party

Task

event_task

TaskContentNew

task_content_new

TaskName

task

TaskValue

task_value

ThreadID

thread_id

Thread_ID

event_thread_id

Throughproxy

proxy

TicketEncryptionType

ticket_encryption_type

TicketOptions

ticket_option

TokenElevationType

token_elevation_type

TransactionId

transaction_id

TransmittedServices

transmitted_service

TreeDelete

tree_delete

UrlAbsolutePath

path

User

user

UserAccountControl

user_account_control

UserAgent

user_agent

UserData

user_data

UserID

user_id

UserId

user_id

UserName

user

UserParameters

user_parameter

UserPrincipalName

user_principal_name

UserSid

user_id

UserWorkstations

workstation

User_host_address

host_address

Version

version

VolumeGuid

volume_guid

VolumeName

volume

VolumeNameLength

volume_length

Workstation

workstation

WorkstationName

workstation

XID

exchange_id

client_request_id

request_id

agent_name

agentx_agent

agent_id

agentx_agent_id

decoder_name

agentx_decoder

manager_name

agentx_manager

agent_labels_os_name

agentx_agent_os

hostname

host

log_type

log_level

timestamp

event_received_ts

agent_ip

agentx_agent_address

rule_description

rule_description

rule_firedtimes

rule_trigger_count

rule_frequency

rule_frequency

rule_gdpr

gdpr

rule_gpg13

gpg13

rule_groups

rule_group

rule_hipaa

hipaa

rule_id

rule_trigger_id

rule_level

rule_level

rule_mail

is_rule_mail

rule_mitre_id

attack_id

rule_mitre_tactic

attack_category

rule_mitre_technique

attack_tag

rule_nist_800_53

nist_800_53

rule_pci_dss

pci_dss

rule_tsc

tsc

system_channel

channel

system_computer

host

system_eventID

event_id

system_eventRecordID

record_id

system_keywords

keyword

system_level

severity

system_message

message

system_opcode

opcode

system_processID

process_id

system_providerGuid

provider_guid

system_providerName

provider

system_severityValue

log_level

system_systemTime

log_ts

system_task

task

system_threadID

thread_id

system_version

version

timestamp

event_received_ts

eventdata_param1

param1

eventdata_param2

param2

eventdata_param3

param3

DNS Module Request Type

Request Code | Request Code ID | Description
A | 1 | IPv4 address record
AAAA | 28 | IPv6 address record
AFSDB | 18 | For Afs Data Base Location
ANY | 255 | All cached records
APL | 42 | Address Prefix List
ATMA | 34 | ATM Address
AXFR | 252 | Transfer Of An Entire Zone
CAA | 257 | Certification Authority Restriction
CDNSKEY | 60 | DNSKEY(S) The Child Wants Reflected in DS
CDS | 59 | Child DS
CERT | 37 | Certificate record
CNAME | 5 | Canonical name record
CSYNC | 62 | Child-To-Parent Synchronization
DHCID | 49 | DHCP identifier
DLV | 32769 | DNSSEC Lookaside Validation
DNAME | 39 | Delegation name record
DNSKEY | 48 | DNS Key record
DOA | 259 | Unassigned Digital Object Architecture
DS | 43 | Delegation Signer
EID | 31 | Endpoint Identifier
EUI48 | 108 | An EUI-48 Address
EUI64 | 109 | An EUI-64 Address
GPOS | 27 | Geographical Position
HINFO | 13 | Host Information
HIP | 55 | Host Identity Protocol
HTTPS | 65 | HTTPS Binding
IPSECKEY | 45 | IPsec Key
ISDN | 20 | For ISDN Address
IXFR | 251 | Incremental Transfer
KEY | 25 | For Security Key
KX | 36 | Key Exchanger
LOC | 29 | Location Information
MAILA | 254 | Mail Agent RRs
MAILB | 253 | Mailbox-Related RRs
MB | 7 | A Mailbox Domain Name
MD | 3 | A Mail Destination
MF | 4 | A Mail Forwarder
MG | 8 | A Mail Group Member
MINFO | 14 | Mailbox Or Mail List Information
MR | 9 | A Mail Rename Domain Name
MX | 15 | Mail exchange record
NAPTR | 35 | Naming Authority Pointer
NIMLOC | 32 | Nimrod Locator
NS | 2 | Name server record
NSAP | 22 | For NSAP address, NSAP Style A Record
NSAP-PTR | 23 | For Domain Name Pointer, NSAP Style
NSEC | 47 | Next Secure record
NSEC3 | 50 | Next Secure record version 3
NSEC3PARAM | 51 | NSEC3 parameters
NULL | 10 | A Null RR
NXT | 30 | Next Domain
OPENPGPKEY | 61 | OPENPGP Key
PTR | 12 | Pointer record
PX | 26 | X.400 Mail Mapping Information
RP | 17 | For Responsible Person
RRSIG | 46 | DNSSEC signature
RT | 21 | For Route Through
SIG | 24 | Signature
SMIMEA | 53 | S/MIME Cert Association
SOA | 6 | Start of authority record
SRV | 33 | Service locator
SSHFP | 44 | SSH Key Fingerprint
SVCB | 64 | Service Binding
TA | 32768 | DNSSEC Trust Authorities
TALINK | 58 | Trust Anchor LINK
TKEY | 249 | Transaction Key
TSIG | 250 | Transaction Signature
TXT | 16 | Text record
URI | 256 | Uniform Resource Identifier
WKS | 11 | A Well Known Service Description
X25 | 19 | For X.25 PSDN Address
ZONEMD | 63 | Message Digests for DNS Zones

Windows Powershell

Event ID: 400

Windows Field | Logpoint Field
eventdata_NewEngineState | new_engine_status
eventdata_PreviousEngineState | old_engine_status
eventdata_SequenceNumber | sequence_number
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_EngineVersion | engine_version
eventdata_RunspaceId | run_space_id
eventdata_HostApplication | host_application

Event ID: 403

Windows Field | Logpoint Field
eventdata_NewEngineState | new_engine_status
eventdata_PreviousEngineState | old_engine_status
eventdata_SequenceNumber | sequence_number
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_EngineVersion | engine_version
eventdata_RunspaceId | run_space_id
eventdata_HostApplication | host_application

Event ID: 4100

Windows Field | Logpoint Field
eventdata_Script Name | script_path
eventdata_Severity | log_level
eventdata_Host Name | execution_host
eventdata_Host Version | host_version
eventdata_Host ID | host_id
eventdata_Host Application | host_application
eventdata_Engine Version | engine_version
eventdata_Runspace ID | run_space_id
eventdata_Pipeline ID | pipeline_id
eventdata_Command Name | command
eventdata_Command Type | command_type
eventdata_Sequence Number | sequence_number
eventdata_User | user
eventdata_Shell ID | shell_id

Event ID: 4103

Windows Field | Logpoint Field
eventdata_Severity | log_level
eventdata_Host Name | execution_host
eventdata_Host Version | host_version
eventdata_Host ID | host_id
eventdata_Host Application | host_application
eventdata_Engine Version | engine_version
eventdata_Runspace ID | run_space_id
eventdata_Pipeline ID | pipeline_id
eventdata_Command Name | command
eventdata_Command Type | command_type
eventdata_Sequence Number | sequence_number
eventdata_User | user
eventdata_Shell ID | shell_id

Event ID: 4104

Windows Field | Logpoint Field
eventdata_path | path
eventdata_messageNumber | message_number
eventdata_messageTotal | message_count
eventdata_scriptBlockText | script_block
eventdata_scriptBlockId | script_block_id

Event ID: 53504

Windows Field | Logpoint Field
eventdata_param1 | process_id
eventdata_param2 | application_domain

Event ID: 600

Windows Field | Logpoint Field
eventdata_ProviderName | provider
eventdata_NewProviderState | provider_status
eventdata_SequenceNumber | sequence_number
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_HostApplication | host_application

Event ID: 800

Windows Field | Logpoint Field
eventdata_DetailSequence | detail_sequence
eventdata_DetailTotal | detail_count
eventdata_SequenceNumber | sequence_number
eventdata_UserId | user_id
eventdata_HostName | execution_host
eventdata_HostVersion | host_version
eventdata_HostId | host_id
eventdata_EngineVersion | engine_version
eventdata_RunspaceId | run_space_id
eventdata_PipelineId | pipeline_id
eventdata_CommandLine | command
eventdata_HostApplication | host_application

Default Taxonomy of Powershell

Windows Field | Logpoint Field
eventdata_payload | payload
AllowHardTerminate | allow_hard_terminate
AllowStartOnDemand | allow_start_on_demand
Arguments | argument
Author | author
ClassId | class_id
Command | command
Count | restart_failure_count
Data | data
DataOffset | data_offset
Date | date
DaysInterval | days_interval
Deadline | deadline
Delay | delay
Description | description
DisallowStartIfOnBatteries | disallow_start_if_on_batteries
DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session
Duration | duration
Enabled | enabled
Exclusive | exclusive
ExecutionTimeLimit | execution_time_limit
GroupId | group_id
Hidden | hidden
Interval | restart_failure_interval
LogonType | logon_type
MultipleInstancesPolicy | multiple_instance_policy
Period | period
Priority | priority
RandomDelay | random_delay
RestartOnIdle | restart_on_idle
RunLevel | run_level
RunOnlyIfIdle | run_only_if_idle
RunOnlyIfNetworkAvailable | run_only_if_network_available
SecurityDescriptor | sd
Source | source
StartBoundary | start_ts
StartWhenAvailable | start_when_available
StateChange | state_change
StateName | state_name
StopAtDurationEnd | stop_at_duration_end
StopIfGoingOnBatteries | stop_if_going_on_batteries
StopOnIdleEnd | stop_on_idle_end
URI | url
UseUnifiedSchedulingEngine | use_unified_scheduling_engine
UserId | user_id
WaitTimeout | wait_timeout
WakeToRun | wake_to_run
access_list | access_list
action | action
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
description | description
eventdata_accessMask | access_mask
eventdata_accessReason | reason
eventdata_accountDomain | domain
eventdata_accountExpires | account_expire
eventdata_accountName | user
eventdata_additionalInfo | additional_information
eventdata_additionalInfo2 | additional_information_2
eventdata_algorithmName | cipher
eventdata_attributeLDAPDisplayName | ldap_display
eventdata_attributeSyntaxOID | attribute_id
eventdata_attributeValue | attribute_value
eventdata_authenticationPackageName | package
eventdata_callerProcessId | caller_process_id
eventdata_callerProcessName | caller_process
eventdata_clientAddress | source_address
eventdata_clientCreationTime | creation_ts
eventdata_clientName | workstation
eventdata_clientProcessId | process_id
eventdata_clientProcessStartKey | process_start_key
eventdata_commandLine | command
eventdata_countOfCredentialsReturned | credentials_returned_count
eventdata_dSName | service
eventdata_dSType | service_type
eventdata_displayName | display_name
eventdata_domainName | domain
eventdata_domainPolicyChanged | policy
eventdata_domainSid | domain_id
eventdata_elevatedToken | elevated_token
eventdata_eventCountTotal | event_count
eventdata_eventIdx | event_idx
eventdata_fQDN | fqdn
eventdata_failureId | failure_id
eventdata_failureReason | reason
eventdata_fileName | file
eventdata_flags | flag
eventdata_groupMembership | group_membership
eventdata_handleId | handle_id
eventdata_impersonationLevel | impersonation_level
eventdata_ipAddress | source_address
eventdata_ipPort | source_port
eventdata_keyFilePath | path
eventdata_keyLength | key_length
eventdata_keyName | key
eventdata_keyType | key_type
eventdata_linkName | link
eventdata_lmPackageName | lm_package
eventdata_lockoutThreshold | lockout_threshold
eventdata_logonGuid | logon_guid
eventdata_logonHours | logon_hour
eventdata_logonID | logon_id
eventdata_logonProcessName | logon_process
eventdata_logonType | logon_type
eventdata_mandatoryLabel | integrity_id
eventdata_masterKeyId | master_key_id
eventdata_memberName | member
eventdata_memberSid | target_id
eventdata_newProcessId | target_process_id
eventdata_newProcessName | new_process
eventdata_newSd | new_sd
eventdata_newState | new_value
eventdata_newUacValue | new_value
eventdata_newValue | new_value
eventdata_newValueType | new_value_type
eventdata_objectClass | class
eventdata_objectDN | object_dn
eventdata_objectGUID | service_guid
eventdata_objectName | object_name
eventdata_objectServer | object_server
eventdata_objectType | object_type
eventdata_objectValueName | object_value
eventdata_oldUacValue | old_value
eventdata_oldValue | old_value
eventdata_oldValueType | old_value_type
eventdata_opCorrelationID | operation_id
eventdata_operation | action
eventdata_operationType | operation_type
eventdata_packageName | package
eventdata_parentProcessId | parent_process_id
eventdata_parentProcessName | parent_process
eventdata_passwordLastSet | password_last_set_ts
eventdata_preAuthType | pre_authentication_type
eventdata_primaryGroupId | group_id
eventdata_privilegeList | privilege
eventdata_processCreationTime | process_creation_ts
eventdata_processId | process_id
eventdata_processName | process
eventdata_profileChanged | profile
eventdata_properties | properties
eventdata_providerName | provider
eventdata_readOperation | operation_type
eventdata_recoveryKeyId | recover_id
eventdata_recoveryReason | reason
eventdata_recoveryServer | server
eventdata_resourceManager | resource_manager
eventdata_restrictedAdminMode | restricted_admin_mode
eventdata_restrictedSidCount | restricted_id_count
eventdata_returnCode | status_code
eventdata_rpcCallClientLocality | rpc_call_client_locality
eventdata_ruleAttr | attribute
eventdata_ruleId | rule_id
eventdata_ruleName | rule_name
eventdata_samAccountName | sam_account_name
eventdata_service | service
eventdata_serviceAccount | service_account
eventdata_serviceFileName | file
eventdata_serviceName | service
eventdata_serviceSid | service_id
eventdata_serviceStartType | start_type
eventdata_sessionId | session_id
eventdata_sessionName | session
eventdata_shareLocalPath | share_path
eventdata_shareName | share_name
eventdata_status | status_code
eventdata_subStatus | sub_status_code
eventdata_subjectDomainName | domain
eventdata_subjectLogonId | logon_id
eventdata_subjectUserName | user
eventdata_subjectUserSid | user_id
eventdata_targetDomainName | target_domain
eventdata_targetInfo | information
eventdata_targetLinkedLogonId | target_linked_logon_id
eventdata_targetLogonGuid | target_logon_guid
eventdata_targetLogonId | target_logon_id
eventdata_targetName | target_name
eventdata_targetServerName | server
eventdata_targetSid | target_id
eventdata_targetUserName | target_user
eventdata_targetUserSid | target_id
eventdata_taskName | task
eventdata_ticketEncryptionType | encryption_type
eventdata_ticketOptions | ticket_option
eventdata_tokenElevationType | token_elevation_type
eventdata_transactionId | transaction_id
eventdata_transmittedServices | transmitted_service
eventdata_type | type
eventdata_userAccountControl | user_account_control
eventdata_userPrincipalName | user_principal_name
eventdata_virtualAccount | virtual_account
eventdata_workstation | workstation
eventdata_workstationName | workstation
id | id
integrity_label | integrity_label
location | location
logon_category | logon_category
manager_name | agentx_manager
message | message
object | object
right | right
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | is_rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
system_channel | channel
system_computer | host
system_eventID | event_id
system_eventRecordID | record
system_keywords | keyword
system_level | severity
system_opcode | opcode_value
system_processID | execution_process_id
system_providerGuid | guid
system_providerName | event_source
system_severityValue | log_level
system_systemTime | log_ts
system_task | task_value
system_threadID | execution_thread_id
system_version | version
timestamp | event_received_ts

Security Configuration Assessment

Windows Field | Logpoint Field
Author | author
Command | command
Data | data
Description | description
Duration | duration
Priority | priority
URI | url
UserId | user_id
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
check_compliance_gpg_13 | check_compliance_gpg13
check_references | check_reference
check_rules | check_rule
data_sca_check_compliance_cis_csc | check_compliance_cis_csc
data_sca_check_compliance_hipaa | check_compliance_hipaa
data_sca_check_compliance_nist_800_53 | check_compliance_nist_800_53
data_sca_check_compliance_pci_dss | check_compliance_pci_dss
data_sca_check_compliance_tsc | check_compliance_tsc
data_sca_check_description | check_description
data_sca_check_file | check_file
data_sca_check_id | check_id
data_sca_check_rationale | check_rationale
data_sca_check_reason | check_reason
data_sca_check_references | check_reference
data_sca_check_registry | check_registry
data_sca_check_remediation | check_remediation
data_sca_check_result | check_result
data_sca_check_status | check_status
data_sca_check_title | check_title
data_sca_description | policy_description
data_sca_failed | fail_count
data_sca_file | policy_file
data_sca_invalid | invalid_count
data_sca_passed | pass_count
data_sca_policy | policy
data_sca_policy_id | policy_id
data_sca_scan_id | scan_id
data_sca_score | scan_score
data_sca_total_checks | total_count
data_sca_type | scan_type
decoder_name | agentx_decoder
description | policy_description
end_time | end_ts
failed | fail_count
file | policy_file
invalid | invalid_count
manager_name | agentx_manager
name | policy
passed | pass_count
policies | policy_id
references | policy_reference
rule_cis | cis
rule_cis_csc | cis_csc
rule_firedtimes | rule_trigger_count
rule_gdpr | gdpr
rule_gdpr_IV | gdpr_iv
rule_gpg13 | gpg13
rule_gpg_13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
score | scan_score
start_time | start_ts
timestamp | event_received_ts
total_checks | total_count
type | scan_type

Default AgentX Taxonomy

Windows Field | Logpoint Field
AllowHardTerminate | allow_hard_terminate
AllowStartOnDemand | allow_start_on_demand
Arguments | argument
Author | author
ClassId | class_id
Command | command
Count | restart_failure_count
Data | data
DataOffset | data_offset
Date | date
DaysInterval | days_interval
Deadline | deadline
Delay | delay
Description | description
DisallowStartIfOnBatteries | disallow_start_if_on_batteries
DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session
Duration | duration
Enabled | enabled
Exclusive | exclusive
ExecutionTimeLimit | execution_time_limit
GroupId | group_id
Hidden | hidden
Interval | restart_failure_interval
LogonType | logon_type
MultipleInstancesPolicy | multiple_instance_policy
Period | period
Priority | priority
RandomDelay | random_delay
RestartOnIdle | restart_on_idle
RunLevel | run_level
RunOnlyIfIdle | run_only_if_idle
RunOnlyIfNetworkAvailable | run_only_if_network_available
SecurityDescriptor | sd
Source | source
StartBoundary | start_ts
StartWhenAvailable | start_when_available
StateChange | state_change
StateName | state_name
StopAtDurationEnd | stop_at_duration_end
StopIfGoingOnBatteries | stop_if_going_on_batteries
StopOnIdleEnd | stop_on_idle_end
URI | url
UseUnifiedSchedulingEngine | use_unified_scheduling_engine
UserId | user_id
WaitTimeout | wait_timeout
WakeToRun | wake_to_run
access_list | access_list
action | action
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_name | agentx_agent
decoder_name | agentx_decoder
description | description
eventdata_accessMask | access_mask
eventdata_accessReason | reason
eventdata_accountDomain | domain
eventdata_accountExpires | account_expire
eventdata_accountName | user
eventdata_additionalInfo | additional_information
eventdata_additionalInfo2 | additional_information_2
eventdata_algorithmName | cipher
eventdata_attributeLDAPDisplayName | ldap_display
eventdata_attributeSyntaxOID | attribute_id
eventdata_attributeValue | attribute_value
eventdata_authenticationPackageName | package
eventdata_callerProcessId | caller_process_id
eventdata_callerProcessName | caller_process
eventdata_clientAddress | source_address
eventdata_clientCreationTime | creation_ts
eventdata_clientName | workstation
eventdata_clientProcessId | process_id
eventdata_clientProcessStartKey | process_start_key
eventdata_commandLine | command
eventdata_countOfCredentialsReturned | credentials_returned_count
eventdata_dSName | service
eventdata_dSType | service_type
eventdata_displayName | display_name
eventdata_domainName | domain
eventdata_domainPolicyChanged | policy
eventdata_domainSid | domain_id
eventdata_elevatedToken | elevated_token
eventdata_eventCountTotal | event_count
eventdata_eventIdx | event_idx
eventdata_fQDN | fqdn
eventdata_failureId | failure_id
eventdata_failureReason | reason
eventdata_fileName | file
eventdata_flags | flag
eventdata_groupMembership | group_membership
eventdata_handleId | handle_id
eventdata_impersonationLevel | impersonation_level
eventdata_ipAddress | source_address
eventdata_ipPort | source_port
eventdata_keyFilePath | path
eventdata_keyLength | key_length
eventdata_keyName | key
eventdata_keyType | key_type
eventdata_linkName | link
eventdata_lmPackageName | lm_package
eventdata_lockoutThreshold | lockout_threshold
eventdata_logonGuid | logon_guid
eventdata_logonHours | logon_hour
eventdata_logonID | logon_id
eventdata_logonProcessName | logon_process
eventdata_logonType | logon_type
eventdata_mandatoryLabel | integrity_id
eventdata_masterKeyId | master_key_id
eventdata_memberName | member
eventdata_memberSid | target_id
eventdata_newProcessId | target_process_id
eventdata_newProcessName | new_process
eventdata_newSd | new_sd
eventdata_newState | new_value
eventdata_newUacValue | new_value
eventdata_newValue | new_value
eventdata_newValueType | new_value_type
eventdata_objectClass | class
eventdata_objectDN | object_dn
eventdata_objectGUID | service_guid
eventdata_objectName | object_name
eventdata_objectServer | object_server
eventdata_objectType | object_type
eventdata_objectValueName | object_value
eventdata_oldUacValue | old_value
eventdata_oldValue | old_value
eventdata_oldValueType | old_value_type
eventdata_opCorrelationID | operation_id
eventdata_operation | action
eventdata_operationType | operation_type
eventdata_packageName | package
eventdata_parentProcessId | parent_process_id
eventdata_parentProcessName | parent_process
eventdata_passwordLastSet | password_last_set_ts
eventdata_preAuthType | pre_authentication_type
eventdata_primaryGroupId | group_id
eventdata_privilegeList | privilege
eventdata_processCreationTime | process_creation_ts
eventdata_processId | process_id
eventdata_processName | process
eventdata_profileChanged | profile
eventdata_properties | properties
eventdata_providerName | provider
eventdata_readOperation | operation_type
eventdata_recoveryKeyId | recover_id
eventdata_recoveryReason | reason
eventdata_recoveryServer | server
eventdata_resourceManager | resource_manager
eventdata_restrictedAdminMode | restricted_admin_mode
eventdata_restrictedSidCount | restricted_id_count
eventdata_returnCode | status_code
eventdata_rpcCallClientLocality | rpc_call_client_locality
eventdata_ruleAttr | attribute
eventdata_ruleId | rule_id
eventdata_ruleName | rule_name
eventdata_samAccountName | sam_account_name
eventdata_service | service
eventdata_serviceAccount | service_account
eventdata_serviceFileName | file
eventdata_serviceName | service
eventdata_serviceSid | service_id
eventdata_serviceStartType | start_type
eventdata_sessionId | session_id
eventdata_sessionName | session
eventdata_shareLocalPath | share_path
eventdata_shareName | share_name
eventdata_status | status_code
eventdata_subStatus | sub_status_code
eventdata_subjectDomainName | domain
eventdata_subjectLogonId | logon_id
eventdata_subjectUserName | user
eventdata_subjectUserSid | user_id
eventdata_targetDomainName | target_domain
eventdata_targetInfo | information
eventdata_targetLinkedLogonId | target_linked_logon_id
eventdata_targetLogonGuid | target_logon_guid
eventdata_targetLogonId | target_logon_id
eventdata_targetName | target_name
eventdata_targetServerName | server
eventdata_targetSid | target_id
eventdata_targetUserName | target_user
eventdata_targetUserSid | target_id
eventdata_taskName | task
eventdata_ticketEncryptionType | encryption_type
eventdata_ticketOptions | ticket_option
eventdata_tokenElevationType | token_elevation_type
eventdata_transactionId | transaction_id
eventdata_transmittedServices | transmitted_service
eventdata_type | type
eventdata_userAccountControl | user_account_control
eventdata_userPrincipalName | user_principal_name
eventdata_virtualAccount | virtual_account
eventdata_workstation | workstation
eventdata_workstationName | workstation
id | id
integrity_label | integrity_label
location | location
logon_category | logon_category
manager_name | agentx_manager
message | message
object | object
right | right
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
system_channel | channel
system_computer | host
system_eventID | event_id
system_eventRecordID | record
system_keywords | keyword
system_level | severity
system_opcode | opcode_value
system_processID | execution_process_id
system_providerGuid | guid
system_providerName | event_source
system_severityValue | log_level
system_systemTime | log_ts
system_task | task_value
system_threadID | execution_thread_id
system_version | version
timestamp | event_received_ts

Active Response

Windows Field | Logpoint Field
agent_id | agentx_agent_id
agent_ip | agentx_agent_address
agent_labels_os_name | agentx_agent_os
agent_name | agentx_agent
data_parameters_program | program
data_parameters_keys | parameter_key
data_origin_module | origin_module
data_origin_name | origin
data_version | version
data_command | command
decoder_name | agentx_decoder
manager_name | agentx_manager
hostname | host
log_type | log_level
rule_description | rule_description
rule_firedtimes | rule_trigger_count
rule_frequency | rule_frequency
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_level | rule_level
rule_mail | rule_mail
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
timestamp | event_received_ts
os_query | query

OSQuery

Windows Field | Logpoint Field
agent_name | agentx_agent
decoder_name | agentx_decoder
manager_name | agentx_manager
agent_labels_os_name | agentx_agent_os
agent_ip | agentx_agent_address
agent_id | agentx_agent_id
rule_firedtimes | rule_trigger_count
rule_cis | cis
rule_cis_csc | cis_csc
rule_gdpr_IV | gdpr_iv
rule_gpg_13 | gpg13
rule_gdpr | gdpr
rule_gpg13 | gpg13
rule_groups | rule_group
rule_hipaa | hipaa
rule_id | rule_trigger_id
rule_mitre_id | attack_id
rule_mitre_tactic | attack_category
rule_mitre_technique | attack_tag
rule_nist_800_53 | nist_800_53
rule_pci_dss | pci_dss
rule_tsc | tsc
timestamp | event_received_ts
data_osquery_action | action
data_osquery_counter | record_counter
data_osquery_decorations_host_uuid | host_uuid
data_osquery_decorations_os_name | os
data_osquery_decorations_username | user
data_osquery_epoch | epoch
data_osquery_hostIdentifier | host_id
data_osquery_name | event_type
data_osquery_numerics | is_numeric
data_osquery_unixTime | log_ts

Windows MSSQL Module

Windows Field

Logpoint Field

agent_id

agentx_agent_id

agent_ip

agentx_agent_address

agent_labels_os_name

agentx_agent_os

decoder_name

agentx_decoder

agent_name

agentx_agent

manager_name

agentx_manager

system_channel

channel

system_computer

host

system_eventID

event_id

system_eventRecordID

record

system_keywords

keyword

system_level

severity

system_opcode

opcode_value

system_processID

execution_process_id

system_providerGuid

guid

system_providerName

event_source

system_severityValue

log_level

system_systemTime

log_ts

system_task

task_value

system_threadID

execution_thread_id

system_version

version

rule_description

rule_description

rule_firedtimes

rule_trigger_count

rule_frequency

rule_frequency

rule_gdpr

gdpr

rule_gpg13

gpg13

rule_groups

rule_group

rule_hipaa

hipaa

rule_id

rule_trigger_id

rule_level

rule_level

rule_mail

is_rule_mail

rule_mitre_id

attack_id

rule_mitre_tactic

attack_category

rule_mitre_technique

attack_tag

rule_nist_800_53

nist_800_53

rule_pci_dss

pci_dss

rule_tsc

tsc

id

id

integrity_label

integrity_label

location

location

logon_category

logon_category

message

message

object

object

right

right

count

restart_failure_count

timestamp

event_received_ts

values

value

succeeded

is_succeeded

system_message

message

client_ip

source_address

duration_milliseconds

duration

host_name

host

event_time

event_ts

action

action

action_id

action_id

additional_information

additional_information

affected_rows

affected_rows

application_name

application

audit_schema_version

audit_schema_version

class_type

class_type

client_tls_version

source_tls_version

condition

condition

connection_id

connection_id

database_name

database

database_principal_id

database_principal_id

database_principal_name

database_principal_name

database_transaction_id

database_transaction_id

eventdata_binary

eventdata_binary

execution_thread_id

execution_thread_id

instance

instance

is_alert

is_alert

is_column_permission

is_column_permission

ledger_start_sequence_number

ledger_start_sequence_number

permission_bitmask

permission_bitmask

response_rows

response_rows

schema_name

schema_name

sequence_group_id

sequence_group_id

sequence_number

sequence_number

server_instance_name

server_instance

server_principal_id

server_principal_id

server_principal_name

server_principal_name

server_principal_sid

server_principal_sid

session

session

session_id

session_id

session_server_principal_name

session_server_principal_name

startup_type

startup_type

statement

statement

target_database_principal_id

target_database_principal_id

target_server_principal_id

target_server_principal_id

user_defined_event_id

user_defined_event_id

fields

field

table_name

table

Windows IIS Module

Event ID: 29

Windows Field

Logpoint Field

eventdata_configuration

configuration

eventdata_editOperationType

edit_operation_type

eventdata_physicalPath

path

eventdata_configPath

configuration_path

Event ID: 50

Windows Field

Logpoint Field

eventdata_configPath

configuration_path

AgentX Labels

Linux

Unix Audit Labels

Event Type

Labels

ACCT_LOCK

User,Account,Lock

ACCT_UNLOCK

User,Account,Unlock

ADD_GROUP

Group,Management,Add

ADD_USER

User,Account,Management,Create

ANOM_ABEND

Process,End,Abnormal

ANOM_ACCESS_FS

File,Access,End,Abnormal

ANOM_ADD_ACCT

User,Account,Management,Create,End,Abnormal

ANOM_AMTU_FAIL

Machine,Test,Fail,Detect

ANOM_CRYPTO_FAIL

System,Fail

ANOM_DEL_ACCT

User,Account,Management,Delete,End,Abnormal

ANOM_EXEC

File,Execute,End,Abnormal

ANOM_LOGIN_ACCT

User,Login,End,Abnormal

ANOM_LOGIN_FAILURES

User,Login,Limit,Reach

ANOM_LOGIN_LOCATION

User,Login,Attempt,Forbidden,Location

ANOM_LOGIN_SESSIONS

User,Login,Session,Limit,Reach

ANOM_LOGIN_TIME

User,Login,Fail

ANOM_MAX_DAC

Access,Control,Fail,Limit,Reach

ANOM_MAX_MAC

Access,Control,Fail,Limit,Reach

ANOM_MK_EXEC

Create,Executable,File

ANOM_MOD_ACCT

User,Account,Management,Change,End,Abnormal

ANOM_PROMISCUOUS

Mode,Change

ANOM_RBAC_FAIL

Role,Base,Access,Control,Selftest,Fail

ANOM_RBAC_INTEGRITY_FAIL

Role,Base,Access,Control,File,Integrity,Test,Fail

ANOM_ROOT_TRANS

User,Privilege,Escalation

BPRM_FCAPS

Program,Execute,Filesystem

CHGRP_ID

Group,ID,Change

CHUSER_ID

User,ID,Change

CONFIG_CHANGE

Audit,System,Configuration,Change

CRED_ACQ

User,Account,Management,Credential,Assign

CRED_DISP

User,Account,Management,Credential,Dispose

CRED_REFR

User,Account,Management,Credential,Refresh

CRYPTO_FAILURE_USER

Operation,Fail

CRYPTO_LOGIN

User,Login,Attempt

CRYPTO_LOGOUT

User,Logoff,Attempt

CRYPTO_REPLAY_USER

Replay,Attack,Detect

DAEMON_ABORT

Daemon,Stop,Error

DAEMON_ACCEPT

Audit,Daemon,Remote,Connection,Accept

DAEMON_CLOSE

Audit,Daemon,Remote,Connection,Close

DAEMON_CONFIG

Daemon,Configuration,Change,Detect

DAEMON_END

Daemon,Stop

DAEMON_RESUME

Audit,Daemon,Resume,Logging

DAEMON_START

Audit,Daemon,Start

DEL_GROUP

Group,Account,Management,Delete

DEL_USER

User,Account,Management,Delete

DEV_ALLOC

Device,Allocation

DEV_DEALLOC

Device,Deallocation

EOE

Event,End

GRP_AUTH

Group,Authentication

INTEGRITY_RULE

Record,Policy,Rule

INTEGRITY_STATUS

Integrity,Verification,Status

LOGIN

User,Login

MAC_MAP_ADD

Domain,Map,Add

MAC_MAP_DEL

Domain,Map,Delete

MAC_POLICY_LOAD

Policy,File,Load

MAC_STATUS

Mode,Change

PATH

File,Path,Info

RESP_ACCT_LOCK

User,Account,Lock

RESP_ACCT_LOCK_TIMED

User,Account,Lock

RESP_ACCT_REMOTE

User,Account,Lock,Remote,Session

RESP_ACCT_UNLOCK_TIMED

User,Account,Unlock

RESP_ALERT

Alert,Email,Send

RESP_EXEC

IDS,Response,Threat,Program,Execute

RESP_HALT

System,Shutdown

RESP_KILL_PROC

Process,End

RESP_SINGLE

System,Mode,Change

RESP_TERM_ACCESS

Session,End

RESP_TERM_LOCK

Terminal,Lock

ROLE_ASSIGN

User,Role,Assign

ROLE_MODIFY

User,Role,Change

ROLE_REMOVE

User,Role,Remove

SELINUX_ERR

Internal,Error,Detect

SERVICE_START

Service,Start

SERVICE_STOP

Service,Stop

SYSTEM_BOOT

System,Boot

SYSTEM_RUNLEVEL

System,Run,Level,Change

SYSTEM_SHUTDOWN

System,Shutdown

USER_ACCT

User,Authorization,Attempt,Detect

USER_AVC

Message,Generate

USER_AUTH

User,Authentication

USER_CHAUTHTOK

User,Account,Management,Password,Change

USER_CMD

Command,Execute

USER_START

Session,Start

USER_END

Session,End

USER_ERR

User,State,Error,Detect

USER_LOGIN

User,Login

USER_LOGOUT

User,Logoff

USER_MAC_POLICY_LOAD

Policy,Load

USER_MGMT

User,Account,Management,Attribute,Change

USER_ROLE_CHANGE

User,Account,Management,Role,Change

USER_SELINUX_ERR

User,Error,Detect

USER_UNLABELED_EXPORT

Object,Export

USYS_CONFIG

User,System,Configuration,Change,Detect

VIRT_CONTROL

Virtual,Machine,Control

VIRT_RESOURCE

Virtual,Machine,Resource,Assign

Status

Labels

success

Successful

failed

Fail
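
The Unix Audit table above only lists the lookup (record type and `res=` value to labels); the step a practitioner has to get right is the one before it, pulling `type=` and `res=` out of a raw auditd record, where `res=` sits inside the nested `msg='...'` block of user-space records. The following is an added example, not Logpoint code and not AgentX's own labeling logic. It assumes plain auditd log lines (`type=... msg=audit(<epoch>:<serial>): key=value ...`), carries an excerpt of the table above as a dict, and emits the labels for constructed sample records; the sample lines are constructed, not captured from a host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the Unix Audit label table above (audit record type -> labels).
# Extend from the full table as needed; unlisted types get no type labels.
AUDIT_TYPE_LABELS: Dict[str, List[str]] = {
    "ADD_USER": ["User", "Account", "Management", "Create"],
    "DEL_USER": ["User", "Account", "Management", "Delete"],
    "USER_AUTH": ["User", "Authentication"],
    "USER_LOGIN": ["User", "Login"],
    "USER_CMD": ["Command", "Execute"],
    "ANOM_LOGIN_FAILURES": ["User", "Login", "Limit", "Reach"],
    "ANOM_ROOT_TRANS": ["User", "Privilege", "Escalation"],
    "CONFIG_CHANGE": ["Audit", "System", "Configuration", "Change"],
}

# Status sub-table above: value of the record's res= field -> label.
AUDIT_STATUS_LABELS: Dict[str, str] = {"success": "Successful", "failed": "Fail"}

# Record header (assumed plain auditd line format):
#   type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): key=value key=value ...
HEADER_RE = re.compile(
    r"^type=(?P<type>[A-Z0-9_]+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; a value may be single- or double-quoted and then contain spaces.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def _kv(body: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for key, val in KV_RE.findall(body):
        out[key] = val.strip("'\"")
    # User-space records nest their own key=value list in msg='op=... res=success';
    # flatten it so res= (and acct=, addr=) become top-level fields.
    inner = out.pop("msg", None)
    if inner is not None:
        out.update(_kv(inner))
    return out


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """One auditd line -> flat dict of fields, or None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    rec.update(_kv(m.group("body")))
    return rec


def labels_for(rec: Dict[str, str]) -> List[str]:
    """Labels per the tables above: the type's labels, then the Status label from res=."""
    labels = list(AUDIT_TYPE_LABELS.get(rec["type"], []))
    status = AUDIT_STATUS_LABELS.get(rec.get("res", "").lower())
    if status:
        labels.append(status)
    return labels


def label_line(line: str) -> List[str]:
    rec = parse_record(line)
    return labels_for(rec) if rec else []


def label_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """(serial, type, labels) for every record line in text, in order."""
    return [(r["serial"], r["type"], labels_for(r))
            for r in map(parse_record, text.splitlines()) if r]


# Constructed sample records (not captured from a real host).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1678880000.123:456): pid=1234 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1678880010.456:457): pid=1240 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=ANOM_LOGIN_FAILURES msg=audit(1678880020.789:458): pid=1240 uid=0 auid=4294967295 ses=4294967295 msg='op=max-login-failures acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=ADD_USER msg=audit(1678880030.001:459): pid=2200 uid=0 auid=1000 ses=5 msg='op=add-user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1678880040.002:460): arch=c000003e syscall=59 success=yes exit=0 comm="id" exe="/usr/bin/id"
"""

if __name__ == "__main__":
    for serial, typ, labels in label_log(SAMPLE_LOG):
        print(f"{serial} {typ:<20} {','.join(labels)}")
```

Note that the last sample line is a kernel SYSCALL record: it reports its outcome as `success=yes`, not `res=`, and its type is not in the table, so it gets no labels. That is the behaviour to expect for every record type the table does not list; extend the dict from the table rather than guessing.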

Unix Sysmon Labels

Event ID

Labels

1

Process,Create

3

Network,Connection,Detect

4

Service,State,Change

5

Process,End

11

File,Create,Overwrite

16

Sysmon,Configuration,Change

23

File,Delete

File Integrity Monitoring Labels

Action

Labels

added

Add

deleted

Delete

modified

Modify

Registry

Labels

true

Registry

false

File

Unix Generic Labels

Event Source

Labels

auth

Authentication

pam

PAM

pam_authenticate

Authentication

pam_krb5

Authentication

pam_sm_authenticate

Authentication

Object

Labels

access

Access

account

Account

address

Address

authentication

Authentication

authentication token

Authentication,Token

backup

Backup

bad protocol version

Bad,Protocol,Version

check

Check

client

Client

command

Command

condition

Condition

configuration

Configuration

connect

Connect

connection

Connection

credential cache file

Credential,Cache,File

disconnect

Disconnect

entry

Entry

expiration

Expire

file

File

firewall rules

Firewall,Rule

flow control

Flow,Control

home directory

Directory

identification string

Identification

index files

Index,File

information

Information

internal module

Internal,Module

link

Link

login

Login

login keyring

Login,Keyring

module

Module

modules

Module

new password

Password

new user login

New,User,Login

notification

Notification

packet

Packet

packet(s)

Packet

pam creds

PAM,Credentials

pam_close_session

PAM,Session,Close

pam_sm_acct_mgmt

PAM,Account,Management

password

Password

password expiry

Password,Expiry

php session files

Session,File

policy

Policy

process

Process

protocol major versions

Protocol,Version

remote web server

Remote,Web,Server

requirement

Requirement

samba password database

Password,Database

security

Security

server

Server

service

Service

service instance

Service

session

Session

session setup

Session

shadow information

Shadow,Information

signal

Signal

socket

Socket

subsystem

Subsystem

threshold

Threshold

user

User

user’s login

User,Login

user’s login information

User,Login,Information

userauth

User,Authentication

temporary directories

Temporary,Directory

Process

Labels

auth

Authentication

groupadd

Group,Management

groupdel

Group,Management

su

Su

useradd

Management

userdel

Management

usermod

Management

Status

Labels

down

Down

error

Error

fail

Fail

failed

Fail

failure

Fail

failures

Fail

finished

Finish

illegal

Illegal

incomplete

Incomplete

incorrect

Incorrect

invalid

Invalid

locked

Lock

no longer valid

Invalid

not acceptable

Accept,Deny

not allowed

Deny

not available

Unavailable

not starting

Start,Fail

not valid

Invalid

no available

Unavailable

ok

Successful

pass

Pass

postponed

Postpone

reject

Reject

rejected

Reject

stop

Stop

stopped

Stop

succeeded

Successful

success

Successful

successful

Successful

successfully

Successful

terminating

End

terminated

End

timeout

Timeout

unknown

Unknown

up

Up

valid

Valid

violation

Violation

Sig_Index

Labels

3

Account,Management

11

Service

12

Service

19

Group,Management

20

User,Password

21

Login,Attempt

25

Request

27

Group,Create

29

IP

31

User,Account,Management

32

User,Account,Management

33

Group,Management

35

Account,Management

36

Account

38

Information

41

Off

62

Service

86

Session

88

Management

91

Limit

108

URL,Connection

110

Successful

111

Successful

118

User,Authentication

124

Account,Absent

125

Authentication,Fail

132

Reverse,Map

136

Key,Match,Find

139

Request

141

Connection

147

Connection,Unavailable

169

Read,Connection,Reset

171

Authentication,Attempt,Fail

173

Account

178

Resolve

185

Keystroke,Logging,State

187

User,Absent

193

Service

194

Scope

198

Service

Active Response Labels

Message

Labels

starting

Start

failed

Fail

ending

End

successfully unisolated

Host,UnIsolate

successfully isolated

Host,Isolate

Status

Labels

success

Successful

fail

Fail

Command

Labels

delete

Delete

add

Add

Windows

Windows Sysmon Labels

Event ID

Labels

1

Process,Create

2

File,Create,Time,Change

3

Network,Connection,Detect

4

Service,State,Change

5

Process,End

6

Driver,Load

7

Image,Load

8

Remote,Thread,Create

9

Raw,Access,Read

10

Process,Access

11

File,Create,Overwrite

13

Registry,Value,Set

12

Registry,Key,Map

14

Registry,Key,Map

15

File,Create,Stream,Hash

16

Sysmon,Configuration,Change

17

Pipe,Create

18

Pipe,Connect

19

WMI,Filter,Registration

20

WMI,Consumer,Registration

21

WMI,Consumer,Filter,Bind

22

DNS,Query,Execute

23

File,Delete

24

Clipboard,Change,Detect

25

Process,Tamper

26

File,Delete

27

File,Block,Executable

255

Service,Error

PowerShell Labels

Event ID

Labels

800

Command,Execute,Detail

501

Command,Stop

500

Command,Start

600

Registry,Start

400

Engine,State,Change

403

Engine,State,Change

300

Drive,Find,Unable

4104

Create,Script

40961

PowerShell,Console,Start,Up

53504

Start,IPC,Thread

40962

PowerShell,Console,Ready

DHCP Labels for IPv4

Event ID

Description

Labels

0

The log was started

Log,Start

1

The log was stopped

Log,Stop

2

The log was temporarily paused due to low disk space

Log,Pause,Low,Disk

10

A new IP address was leased to a client

New,Address,Lease

11

A lease was renewed by a client

Lease,Renew

12

A lease was released by a client

Lease,Release

13

An IP address was found to be in use on the network

Address,Use

14

A lease request could not be satisfied because the scope’s address pool was exhausted

Lease,Fail,Request

15

A lease was denied

Lease,Deny

16

A lease was deleted

Lease,Delete

17

A lease expired and the DNS records for the expired lease have not been deleted

Lease,Expire

18

A lease was expired and DNS records were deleted

Lease,Expire,DNS,Record,Delete

20

A BOOTP address was leased to a client

BOOTP,Lease,Address

21

A dynamic BOOTP address was leased to a client

Dynamic,BOOTP,Lease,Address

22

A BOOTP request could not be satisfied because the scope’s address pool for BOOTP was exhausted

BOOTP,Request,Fail

23

A BOOTP IP address was deleted after checking to see it was not in use

BOOTP,Address,Delete

24

IP address cleanup operation has begun

Address,Clean,Start

25

IP address cleanup statistics

Address,Clean,Statistics

30

DNS update request to the named DNS server

DNS,Update,Request

31

DNS update failed

DNS,Update,Fail

32

DNS update successful

DNS,Update,Successful

33

Packet dropped due to NAP policy

Packet,Drop,NAP,Policy

34

DNS update request failed as the DNS update request queue limit exceeded

DNS,Update,Request,Fail,Queue,Exceed

35

DNS update request failed

DNS,Update,Request,Fail

36

Packet dropped because the server is in failover standby role or the hash of the client ID does not match

Packet,Drop

DHCP Labels for IPv6

Event ID

Description

Labels

11000

DHCPv6 Solicit

Solicit

11001

DHCPv6 Advertise

Advertise

11002

DHCPv6 Request

Request

11003

DHCPv6 Confirm

Confirm

11004

DHCPv6 Renew

Renew

11005

DHCPv6 Rebind

Rebind

11006

DHCPv6 Decline

Decline

11007

DHCPv6 Release

Release

11008

DHCPv6 Information Request

Information,Request

11009

DHCPv6 Scope Full

Scope,Full

11010

DHCPv6 Started

Start

11011

DHCPv6 Stopped

Stop

11012

DHCPv6 Audit log paused

Log,Pause

11013

DHCPv6 Log File

Log,File

11014

DHCPv6 Bad Address

Address,Bad

11015

DHCPv6 Address is already in use

Address,Duplicate

11016

DHCPv6 Client deleted

Client,Delete,Successful

11017

DHCPv6 DNS record not deleted

Delete,Fail

11018

DHCPv6 Expired

Expire

11019

DHCPv6 Leases Expired and Leases Deleted

Lease,Expire,Delete

11020

DHCPv6 Database cleanup begin

Database,Clean,Start

11021

DHCPv6 Database cleanup end

Database,Cleanup,End

11022

DNS IPv6 Update Request

DNS,Update,Request

11023

DNS IPv6 Update Failed

DNS,Update,Fail

11024

DNS IPv6 Update Successful

DNS,Update,Successful

11028

DNS IPv6 update request failed as the DNS update request queue limit exceeded

Update,Request,Fail

11029

DNS IPv6 update request failed

DNS,Update,Request,Fail

11030

DHCPv6 stateless client records purged

Client,Record,Purge

11031

DHCPv6 stateless client record is purged as the purge interval has expired for this client record

Client,Record,Purge

11032

DHCPv6 Information Request from IPv6 Stateless Client

Request,Client,Stateless

File Integrity Monitoring Labels

Action

Labels

added

Add

deleted

Delete

modified

Modify

Registry

Labels

true

Registry

false

File

Security Compliance Assessment Labels

Check Result

Labels

passed

Pass

failed

Fail

DNS Labels

Log Value

Labels

Snd

Send

Rcv

Receive

Query

Query

Response

Response

Q

Query

NOERROR

Successful,Update

FORMERR

Format,Error

SERVFAIL

Server,Fail

A

Host,Record

NS

Nameserver,Record

CNAME

Alias,Record

PTR

Reverse,Lookup,Record

MX

Mail,Exchange,Record

SRV

Service,Record

IXFR

Increment,Zone,Transfer,Record

AXFR

Standard,Zone,Transfer,Record

Standard Query

Query

Notify

Notify

Update

Update

Windows MSSQL Module Labels

Event ID Labels

Event ID

Labels

33205

Audit

18453

User,Login,Successful

18454

User,Login,Successful

18456

User,Login

17137

Start,Database,Successful

3198

Resume,Database

18264

Database,Backup

3197

Database,Stop

3014

Database,Backup,Successful

17177

Server,Information

5084

Set,Database,Disable

8957

Command,Execute,Successful

26022

Server,Listen

15457

Configuration,Change

49917

Default

Log Level Labels

Log Level

Labels

AUDIT_SUCCESS

Successful

AUDIT_FAILURE

Fail

Action Labels

Action

Labels

Insert Into

Insert

Create Table

Create,Table

Select Top

Select,Top

Delete Top

Delete,Top

Truncate Table

Truncate,Table

Delete From

Delete

Select From

Select

Select

Select

Drop Table

Drop,Table

Restore

Restore

View

View

Alter Table

Alter,Table

Alter

Alter

Login

Login

Truncate

Truncate

Create User

Create,User

Create Login

Create,Login

Update Top

Update,Top

Update

Update

Drop Login

Drop,Login

Drop User

Drop,User

Create

Create

Delete

Delete

Delete Top

Delete,Top

Delete

Delete

Drop

Drop

Select

Select

Windows Security Auditing Labels

Sub Status Code

Labels

0xc000005e

Server,Unavailable

0xc0000064

Account,Unavailable

0xc000006a

Password,Incorrect

0xc000006d

Bad,Account

0xc000006e

Account,Unknown,Bad,Password

0xc000006f

Outside,Normal,Hour

0xc0000070

Workstation,Restrict

0xc0000071

Expire,Password

0xc0000072

Account,Disable

0xc00000dc

Sam,Server,Incorrect,State

0xc0000133

Clock,Synchronize,Fail

0xc000015b

Request,Fail

0xc000018c

Trust,Relation,Fail

0xc0000192

Logon,Service,Start,Fail

0xc0000193

Account,Expire

0xc0000224

Require,Password,Change

0xc0000225

Windows,Error

0xc0000234

Account,Lock

0xc0000413

Deny,Firewall

Access List

Labels

%%4416

File,Read,Open

%%4417

File,Write

%%4418

File,Write,Modify

%%4419

File

%%4420

File

%%4421

File,Execute,Traverse

%%4422

File,Delete,Child

%%4423

File

%%4424

File

%%1537

File,Delete

%%1538

File

%%1539

File,Access,Right,Change

%%1540

File

%%1541

File,Synchronize

%%1542

File

Logon Type

Labels

2

Interactive

3

Network

4

Batch

5

Service

7

Unlock

8

Network,Cleartext

9

New,Credential

10

Remote,Interactive

11

Cache,Interactive

Operation Type

Labels

value added

Add

value deleted

Remove

Class

Labels

user

User

Status Code

Labels

0x0

Service,Successful

0xc000006a

Password,Incorrect

0xc0000224

Require,Password,Change

Event Category

Labels

removable storage

Removable,Storage

Logon Process

Labels

kerberos

Kerberos

Event ID

Labels

108

Application,Notice,Filter,Policy,Change

1502

Policy,Notice

1704

Group,Policy

4608

System,Up

4610

Package,Application,Up

4611

Application,Process,Up

4614

Package,Application,Up

4615

Invalid,System,Warning

4616

System,Time,Change

4624

User,Login,Successful

4625

Fail,Login,User

4634

User,Logoff

4647

User,Logoff

4648

Login,Attempt,Explicit,Credential

4649

Attack,Detect

4653

Negotiation,Fail

4656

Object,Access

4657

System,Configuration,Change

4658

Object,Close

4659

Object,Access,Attempt

4660

Object,Delete

4661

Object,Access

4662

Object,Access

4663

Object,Access,Attempt

4664

Link,System,Notice

4670

Object,Permission,Change

4672

Privilege,Assign

4673

Privilege,Service,Call

4674

Operation,Object,Access

4675

Application,Warning

4688

Application,Up,Process,Create

4689

Process,Exit,Application,Down

469

Protection,Application,Up

4690

Duplicate,Object,Handle

4692

Backup,Application,Up

4695

Protection,Remove,Suspicious,Application

4697

Application,Service

4698

Application,Service,Schedule,Task,Create

4699

Application,Service,Schedule,Task,Delete

4700

Application,Up,Schedule,Task,Enable

4701

Application,Down,Schedule,Task,Disable

4702

Application,Service,Schedule,Task,Update

4703

Token,Valid

4704

Authorization,Policy,Change,Assign,User,Valid

4705

Authorization,Policy,Change,Remove,User,Valid

4706

Authorization,Policy,Change,Trust,Application,Service,Create

4707

Authorization,Policy,Change,Trust,Application,Service,Remove

4709

Application,Notice,Filter,Policy,Change

4710

Application,Notice,Filter,Policy,Change

4713

Kerberos,Authentication,Policy,Change

4714

Authorization,Encrypt,Data,Recovery,Policy,Change

4715

Object,Audit,Policy,Change

4716

Authentication,Policy,Trust,Domain,Information,Change

4717

Authentication,Policy,Change,Allow,System,Security,Access

4718

Authentication,Policy,Change,Remove,System,Security,Access

4719

System,Audit,Policy,Change

4720

User,Account,Create,Management

4722

User,Account,Enable,Management

4723

User,Account,Management,Password,Change

4724

User,Password,Reset,Account,Management

4725

User,Account,Disable,Management

4726

User,Account,Management,Delete

4727

Global,Security,Group,Management,Create

4728

Global,Security,Group,Management,Member,Add,User

4729

Global,Security,Group,Management,Member,Remove,User

4730

Global,Security,Group,Management,Remove

4731

Local,Security,Group,Management,Create

4732

Local,Security,Group,Management,Member,Add,User

4733

Local,Security,Group,Management,Member,Remove,User

4734

Local,Security,Group,Management,Remove

4735

Local,Security,Group,Management,Change

4737

Global,Security,Group,Management,Change

4738

User,Account,Change,Management

4739

Other,Account,Management,Domain,Policy,Change

4740

User,Account,Lock,Management

4741

Computer,Account,Create,Management

4742

Computer,Account,Change,Management

4743

Computer,Account,Remove,Management

4744

Local,Distribution,Group,Management,Create

4745

Local,Distribution,Group,Management,Change

4746

Local,Distribution,Group,Management,Member,Add,User

4747

Local,Distribution,Group,Management,Member,Remove,User

4748

Local,Distribution,Group,Management,Remove

4749

Global,Distribution,Group,Management,Create

4750

Global,Distribution,Group,Management,Change

4751

Global,Distribution,Group,Management,Member,Add,User

4752

Global,Distribution,Group,Management,Member,Remove,User

4753

Global,Distribution,Group,Management,Remove

4754

Universal,Security,Group,Management,Create

4755

Universal,Security,Group,Management,Change

4756

Universal,Security,Group,Management,Member,Add,User

4757

Universal,Security,Group,Management,Member,Remove,User

4758

Universal,Security,Group,Management,Remove

4759

Universal,Distribution,Group,Management,Create

4760

Universal,Distribution,Group,Management,Change

4761

Universal,Distribution,Group,Management,Member,Add,User

4762

Universal,Distribution,Group,Management,Member,Remove,User

4763

Universal,Distribution,Group,Management,Remove

4764

Security,Group,Management,Type,Change

4767

User,Account,Unlock,Management

4768

Kerberos,Authentication,Request

4769

Kerberos,Service,Request

4770

Kerberos,Service,Renew

4771

Kerberos,Authentication,Fail,User

4774

Account,Map

4776

Credentials,System,Notice

4778

Session,Reconnect

4779

Session,Disconnect

4780

User,Account,Management

4781

User,Account,Management,Name,Change

4783

Application,Group,Management,Create

4784

Application,Group,Management,Change

4785

Application,Member,Add,Group,Management

4786

Application,Group,Management,Member,Remove

4787

Application,User,Add,Group,Management

4788

Application,Group,Management,User,Remove

4789

Application,Group,Remove,Management

4790

Application,Group,Management,LDAP,Query,Create

4791

Application,Group,Management,Change

4792

Application,Group,Management,LDAP,Query,Remove

4793

Other,Account,Management,Password,Policy,API,Call

4794

Attempt,Restore,Password,User,Account,Management

4798

Local,Group

4800

Application,Notice

4816

Violation,Detect,Application,Error

4817

Policy,Notice,Audit,Change

4864

Application,Notice,Authentication,Policy,Change

4865

Authentication,Policy,Change,Add,Forest,Information

4866

Authentication,Policy,Change,Remove,Forest,Information

4867

Authentication,Policy,Change,Forest,Information

4868

Deny,Request,Certificate,Application,Service

4869

Certificate,Application,Service,Resubmit,Request

4870

Certificate,Application,Service,Revoke

4871

Certificate,Application,Service,Receive,Request

4872

Certificate,Application,Service,Publish,List

4873

Certificate,Application,Service,Request,Change

4875

Certificate,Application,Service,Request,Shutdown

4876

Certificate,Application,Service,Backup,Start

4877

Certificate,Application,Service,Backup,Complete

4878

Certificate,Application,Service,Restore,Start

4879

Certificate,Application,Service,Restart,Complete

4880

Certificate,Application,Service,Start

4881

Certificate,Application,Service,Stop

4882

Application,Configuration,Change

4883

Certificate,Application,Service,Key,Retrieve

4884

Certificate,Application,Service,Import

4885

Application,Configuration,Change

4886

Certificate,Application,Service,Receive,Request

4887

Certificate,Application,Service,Approve,Request

4888

Certificate,Application,Service,Deny,Request

4890

Setting,Change,Certificate,Application,Service

4891

Application,Configuration,Change

4892

Application,Configuration,Change

4893

Certificate,Application,Service,Archive,Key

4894

Certificate,Application,Service,Archive,Import,Key

4895

Certificate,Application,Service,Publish

4896

Application,Configuration,Change

4897

Application,Configuration,Change

4898

Certificate,Application,Service,Load,Template

4899

Certificate,Application,Service,Template,Update

4902

Audit,Policy,Table,Create,Change

4904

Attempt,System,Notice,Audit,Policy,Change,Security,Event,Register

4905

System,Notice,Audit,Policy,Change,Attempt,Security,Event,Unregister

4906

Audit,Policy,Value,Change

4907

Audit,Policy,Setting,Change

4908

Policy,Notice,Audit,Change

4912

Audit,Policy,Change

4928

Application,Service,Establish

4929

Application,Service,Remove

4930

Application,Configuration,Change

4931

Application,Service

4932

Application,Service

4933

Application,Service

4935

Application,Service,Start

4936

Application,Service,End

4937

Object,Delete

4944

Application,Network,Notice,MPSSVC,Policy,Change

4945

Application,Network,Notice,MPSSVC,Policy,Change

4946

Application,Configuration,Change,MPSSVC,Policy

4947

Application,Configuration,Change,MPSSVC,Policy

4948

Application,Configuration,Change,MPSSVC,Policy

4949

Application,Configuration,Change,MPSSVC,Policy

4950

Application,Configuration,Change,MPSSVC,Policy

4951

Network,Application,Warning,MPSSVC,Policy,Change

4952

Network,Application,Warning,MPSSVC,Policy,Change

4953

Network,Application,Warning,MPSSVC,Policy,Change

4954

Firewall,Policy,Notice

4956

Application,Notice

4957

Network,Application,Error,MPSSVC,Policy,Change

4958

Network,Application,Error,MPSSVC,Policy,Change

4985

Transaction,Change

5024

Network,Application,Up

5025

Firewall,Service,Stop

5027

Network,Application,Error

5031

Firewall,Block,Suspicious,Network

5032

Network,Application,Error

5033

Firewall,Driver,Start

5034

Firewall,Driver,Stop

5035

Firewall,Driver,Fail

5037

Firewall,Drive,Critical,Error

5038

Application,Error,File,Image,Hash,Invalid

5056

Application,Up

5058

File,Application,Service

5059

Migration,Application,Service

5061

Application,Up

5136

Directory,Service,Object,Change

5137

Directory,Service,Object,Create

5138

Directory,Service,Object,Undelete

5139

Directory,Service,Access,Object,Move

5140

Network,Object,Access

5141

Directory,Service,Object,Delete

5142

Network,Object,Access

5143

Network,Object,Access

5144

Network,Object,Access

5145

Network,Object,Access

515

Block,Suspicious,Network

5152

Block,Suspicious,Network

5153

Block,Suspicious,Network

5154

Allow,Connection

5156

Allow,Connection

5157

Deny,Connection

5158

Bind,Allow

5159

Block,Suspicious,Network

530

Login,Fail

5376

Credentials,Backup,User,Account,Management

5377

Credentials,Backup,Restore,User,Account,Management

544

System,Configuration,Change

5440

System,Notice,Filter,Policy,Change

5441

System,Notice,Filter,Policy,Change

5442

System,Notice,Filter,Policy,Change

5443

System,Notice,Filter,Policy,Change

5444

System,Notice,Filter,Policy,Change

5446

System,Configuration,Change

5447

System,Configuration,Change

5448

System,Configuration,Change,Filter,Policy

5449

System,Configuration,Change,Filter,Policy

5450

System,Notice,Filter,Policy,Change

5478

Service,Start,Successful,Application,Up

5479

Service,Shutdown,Successful,Application,Down

5480

Service,Fail,Security,Risk,Application,Error

5483

Service,Fail,Initialize,Server

5484

Server,Down

5485

Service,Fail,Process,Filter

5712

Application,Up

592

Application,Up

6005

Event,Log,Start

6006

Clean,Shutdown

6008

Bad,Shutdown

6009

System,Boot

6144

Security,Policy,Apply

6145

Policy,Warning,Other,Change

6272

Network,Connection,Allow

6273

Access,Deny,Suspicious,Network

6274

Deny,User,Request

6276

Quarantine,User

6277

Allow,User,Access

6278

Connection,Allow

6279

Lock,User,Account

6280

Unlock,User,Account

6410

Package,Application,Up

6416

External,Device,USB

6422

Package,Application,Up
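
The Windows Security Auditing tables above (Sub Status Code, Logon Type, Status Code, Event ID) are applied together to a single event, and the part worth seeing in code is how the status fields interact: on a 4625 the Status is usually the generic 0xC000006D and the actionable reason is in SubStatus, whereas a lockout arrives as Status 0xC0000234 with SubStatus 0x0. The following is an added example, not Logpoint code and not AgentX's own labeling logic. It assumes events in the standard EVTX XML rendering (EventData/Data Name="..."), carries excerpts of the tables above as dicts, and, as this example's own choice rather than anything the page states, applies the Sub Status table to Status when SubStatus is 0x0. The sample events are constructed, not captured.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Excerpts of the label tables above. Keys for the two status tables are ints so that the
# upper-case hex the event log renders (0xC000006A) and the lower-case keys in the tables
# compare equal after parsing.
EVENT_ID_LABELS = {
    4624: ["User", "Login", "Successful"],
    4625: ["Fail", "Login", "User"],
    4648: ["Login", "Attempt", "Explicit", "Credential"],
    4740: ["User", "Account", "Lock", "Management"],
}
LOGON_TYPE_LABELS = {
    2: ["Interactive"], 3: ["Network"], 4: ["Batch"], 5: ["Service"], 7: ["Unlock"],
    8: ["Network", "Cleartext"], 9: ["New", "Credential"],
    10: ["Remote", "Interactive"], 11: ["Cache", "Interactive"],
}
STATUS_LABELS = {
    0x0: ["Service", "Successful"],
    0xc000006a: ["Password", "Incorrect"],
    0xc0000224: ["Require", "Password", "Change"],
}
SUB_STATUS_LABELS = {
    0xc0000064: ["Account", "Unavailable"],
    0xc000006a: ["Password", "Incorrect"],
    0xc000006d: ["Bad", "Account"],
    0xc000006e: ["Account", "Unknown", "Bad", "Password"],
    0xc000006f: ["Outside", "Normal", "Hour"],
    0xc0000070: ["Workstation", "Restrict"],
    0xc0000071: ["Expire", "Password"],
    0xc0000072: ["Account", "Disable"],
    0xc0000193: ["Account", "Expire"],
    0xc0000234: ["Account", "Lock"],
}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten System/EventID and each EventData/Data Name="..." into one dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS) or "0"}
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name", "")] = (d.text or "").strip()
    return fields


def _ntstatus(value: str) -> int:
    return int(value, 16) if value else 0


def labels_for(fields: Dict[str, str]) -> List[str]:
    labels = list(EVENT_ID_LABELS.get(int(fields["EventID"]), []))
    if fields.get("LogonType"):
        labels += LOGON_TYPE_LABELS.get(int(fields["LogonType"]), [])
    status = _ntstatus(fields.get("Status", ""))
    sub = _ntstatus(fields.get("SubStatus", ""))
    if "Status" in fields:
        labels += STATUS_LABELS.get(status, [])
    if sub:
        labels += SUB_STATUS_LABELS.get(sub, [])
    elif "SubStatus" in fields:
        # Lockout (0xC0000234) and similar reasons arrive in Status with SubStatus 0x0;
        # applying the Sub Status table to Status in that case is this example's choice.
        labels += SUB_STATUS_LABELS.get(status, [])
    return list(dict.fromkeys(labels))  # dedupe, keep order


def failure_reasons_by_source(xml_events: List[str]) -> Dict[str, Dict[str, int]]:
    """4625 events grouped by IpAddress and reason label: many distinct accounts with
    Account,Unavailable from one source is enumeration; many Password,Incorrect is spraying."""
    out: Dict[str, Dict[str, int]] = {}
    for xml_text in xml_events:
        f = parse_event(xml_text)
        if int(f["EventID"]) != 4625:
            continue
        code = _ntstatus(f.get("SubStatus", "")) or _ntstatus(f.get("Status", ""))
        reason = ",".join(SUB_STATUS_LABELS.get(code, ["Unknown"]))
        per_src = out.setdefault(f.get("IpAddress", "-"), {})
        per_src[reason] = per_src.get(reason, 0) + 1
    return out


def _event(event_id: int, **data: str) -> str:
    """Minimal Security event in the EVTX XML rendering (constructed sample, not a capture)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>DC01.example.local</Computer></System><EventData>{rows}</EventData></Event>")


SAMPLE_EVENTS = [
    _event(4624, TargetUserName="jdoe", LogonType="10", IpAddress="10.0.0.5"),
    _event(4625, TargetUserName="jdoe", LogonType="3", Status="0xC000006D",
           SubStatus="0xC000006A", IpAddress="10.0.0.9"),
    _event(4625, TargetUserName="backup", LogonType="3", Status="0xC000006D",
           SubStatus="0xC0000064", IpAddress="10.0.0.9"),
    _event(4625, TargetUserName="svc_sql", LogonType="3", Status="0xC000006D",
           SubStatus="0xC0000064", IpAddress="10.0.0.9"),
    _event(4625, TargetUserName="admin", LogonType="2", Status="0xC0000234",
           SubStatus="0x0", IpAddress="-"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = parse_event(ev)
        print(f["EventID"], f.get("TargetUserName"), ",".join(labels_for(f)))
    print(failure_reasons_by_source(SAMPLE_EVENTS))
```

Two details matter when reusing this against real events: the hex codes must be compared numerically (or lower-cased) because the log renders them upper-case while the tables above list them lower-case, and the Status value on a 4625 should not be labeled from the Sub Status table unless SubStatus is 0x0, otherwise every failed logon also picks up the generic Bad,Account label from 0xC000006D.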

Active Response Labels

Message

Labels

starting

Start

failed

Fail

ending

End

successfully unisolated

Host,UnIsolate

successfully isolated

Host,Isolate

Status

Labels

success

Successful

fail

Fail

Command

Labels

delete

Delete

add

Add

OSQuery Labels

Message

Labels

removed

Remove

Windows

Windows Security Auditing

Event ID

Message

1100

The event logging service has shut down

1101

Audit events have been dropped by the transport

1102

The audit log was cleared

1104

The security log is now full

1105

Event log automatic backup

1108

The event logging service encountered an error

4608

Windows is starting up

4609

Windows is shutting down

4610

An authentication package has been loaded by the Local Security Authority

4611

A trusted logon process has been registered with the Local Security Authority

4612

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits

4614

A notification package has been loaded by the Security Account Manager

4615

Invalid use of LPC port

4616

The system time was changed

4618

A monitored security event pattern has occurred

4621

Administrator recovered system from CrashOnAuditFail

4622

A security package has been loaded by the Local Security Authority

4624

An account was successfully logged on

4625

An account failed to log on

4626

User/Device claims information

4627

Group membership information

4634

An account was logged off

4646

IKE DoS-prevention mode started

4647

User initiated logoff

4648

A logon was attempted using explicit credentials

4649

A replay attack was detected

4650

An IPsec Main Mode security association was established

4651

An IPsec Main Mode security association was established

4652

An IPsec Main Mode negotiation failed

4653

An IPsec Main Mode negotiation failed

4654

An IPsec Quick Mode negotiation failed

4655

An IPsec Main Mode security association ended

4656

A handle to an object was requested

4657

A registry value was modified

4658

The handle to an object was closed

4659

A handle to an object was requested with intent to delete

4660

An object was deleted

4661

A handle to an object was requested

4662

An operation was performed on an object

4663

An attempt was made to access an object

4664

An attempt was made to create a hard link

4665

An attempt was made to create an application client context

4666

An application attempted an operation

4667

An application client context was deleted

4668

An application was initialized

4670

Permissions on an object were changed

4671

An application attempted to access a blocked ordinal through the TBS

4672

Special privileges assigned to new logon

4673

A privileged service was called

4674

An operation was attempted on a privileged object

4675

SIDs were filtered

4688

A new process has been created

4689

A process has exited

4690

An attempt was made to duplicate a handle to an object

4691

Indirect access to an object was requested

4692

Backup of data protection master key was attempted

4693

Recovery of data protection master key was attempted

4694

Protection of auditable protected data was attempted

4695

Unprotection of auditable protected data was attempted

4696

A primary token was assigned to process

4697

A service was installed in the system

4698

A scheduled task was created

4699

A scheduled task was deleted

4700

A scheduled task was enabled

4701

A scheduled task was disabled

4702

A scheduled task was updated

4703

A token right was adjusted

4704

A user right was assigned

4705

A user right was removed

4706

A new trust was created to a domain

4707

A trust to a domain was removed

4709

IPsec Services was started

4710

IPsec Services was disabled

4711

PAStore Engine

4712

IPsec Services encountered a potentially serious failure

4713

Kerberos policy was changed

4714

Encrypted data recovery policy was changed

4715

The audit policy (SACL) on an object was changed

4716

Trusted domain information was modified

4717

System security access was granted to an account

4718

System security access was removed from an account

4719

System audit policy was changed

4720

A user account was created

4722

A user account was enabled

4723

An attempt was made to change an account’s password

4724

An attempt was made to reset an account's password

4725

A user account was disabled

4726

A user account was deleted

4727

A security-enabled global group was created

4728

A member was added to a security-enabled global group

4729

A member was removed from a security-enabled global group

4730

A security-enabled global group was deleted

4731

A security-enabled local group was created

4732

A member was added to a security-enabled local group

4733

A member was removed from a security-enabled local group

4734

A security-enabled local group was deleted

4735

A security-enabled local group was changed

4737

A security-enabled global group was changed

4738

A user account was changed

4739

Domain Policy was changed

4740

A user account was locked out

4741

A computer account was created

4742

A computer account was changed

4743

A computer account was deleted

4744

A security-disabled local group was created

4745

A security-disabled local group was changed

4746

A member was added to a security-disabled local group

4747

A member was removed from a security-disabled local group

4748

A security-disabled local group was deleted

4749

A security-disabled global group was created

4750

A security-disabled global group was changed

4751

A member was added to a security-disabled global group

4752

A member was removed from a security-disabled global group

4753

A security-disabled global group was deleted

4754

A security-enabled universal group was created

4755

A security-enabled universal group was changed

4756

A member was added to a security-enabled universal group

4757

A member was removed from a security-enabled universal group

4758

A security-enabled universal group was deleted

4759

A security-disabled universal group was created

4760

A security-disabled universal group was changed

4761

A member was added to a security-disabled universal group

4762

A member was removed from a security-disabled universal group

4763

A security-disabled universal group was deleted

4764

A group's type was changed

4765

SID History was added to an account

4766

An attempt to add SID History to an account failed

4767

A user account was unlocked

4768

A Kerberos authentication ticket (TGT) was requested

4769

A Kerberos service ticket was requested

4770

A Kerberos service ticket was renewed

4771

Kerberos pre-authentication failed

4772

A Kerberos authentication ticket request failed

4773

A Kerberos service ticket request failed

4774

An account was mapped for logon

4775

An account could not be mapped for logon

4776

The domain controller attempted to validate the credentials for an account

4777

The domain controller failed to validate the credentials for an account

4778

A session was reconnected to a Window Station

4779

A session was disconnected from a Window Station

4780

The ACL was set on accounts which are members of administrators groups

4781

The name of an account was changed

4782

The password hash of an account was accessed

4783

A basic application group was created

4784

A basic application group was changed

4785

A member was added to a basic application group

4786

A member was removed from a basic application group

4787

A non-member was added to a basic application group

4788

A non-member was removed from a basic application group

4789

A basic application group was deleted

4790

An LDAP query group was created

4791

A basic application group was changed

4792

An LDAP query group was deleted

4793

The Password Policy Checking API was called

4794

An attempt was made to set the Directory Services Restore Mode administrator password

4797

An attempt was made to query the existence of a blank password for an account

4798

A user’s local group membership was enumerated

4799

A security-enabled local group membership was enumerated

4800

The workstation was locked

4801

The workstation was unlocked

4802

The screen saver was invoked

4803

The screen saver was dismissed

4816

RPC detected an integrity violation while decrypting an incoming message

4817

Auditing settings on object were changed

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

4819

Central Access Policies on the machine have been changed

4820

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions

4821

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions

4822

NTLM authentication failed because the account was a member of the Protected User group

4823

NTLM authentication failed because access control restrictions are required

4824

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group

4825

A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group

4826

Boot Configuration Data loaded

4830

SID History was removed from an account

4864

A namespace collision was detected

4865

A trusted forest information entry was added

4866

A trusted forest information entry was removed

4867

A trusted forest information entry was modified

4868

The certificate manager denied a pending certificate request

4869

Certificate Services received a resubmitted certificate request

4870

Certificate Services revoked a certificate

4871

Certificate Services received a request to publish the certificate revocation list (CRL)

4872

Certificate Services published the certificate revocation list (CRL)

4873

A certificate request extension changed

4874

One or more certificate request attributes changed

4875

Certificate Services received a request to shut down

4876

Certificate Services backup started

4877

Certificate Services backup completed

4878

Certificate Services restore started

4879

Certificate Services restore completed

4880

Certificate Services started

4881

Certificate Services stopped

4882

The security permissions for Certificate Services changed

4883

Certificate Services retrieved an archived key

4884

Certificate Services imported a certificate into its database

4885

The audit filter for Certificate Services changed

4886

Certificate Services received a certificate request

4887

Certificate Services approved a certificate request and issued a certificate

4888

Certificate Services denied a certificate request

4889

Certificate Services set the status of a certificate request to pending

4890

The certificate manager settings for Certificate Services changed

4891

A configuration entry changed in Certificate Services

4892

A property of Certificate Services changed

4893

Certificate Services archived a key

4894

Certificate Services imported and archived a key

4895

Certificate Services published the CA certificate to Active Directory Domain Services

4896

One or more rows have been deleted from the certificate database

4897

Role separation enabled

4898

Certificate Services loaded a template

4899

A Certificate Services template was updated

4900

Certificate Services template security was updated

4902

The Per-user audit policy table was created

4904

An attempt was made to register a security event source

4905

An attempt was made to unregister a security event source

4906

The CrashOnAuditFail value has changed

4907

Auditing settings on object were changed

4908

Special Groups Logon table modified

4909

The local policy settings for the TBS were changed

4910

The group policy settings for the TBS were changed

4911

Resource attributes of the object were changed

4912

Per User Audit Policy was changed

4913

Central Access Policy on the object was changed

4928

An Active Directory replica source naming context was established

4929

An Active Directory replica source naming context was removed

4930

An Active Directory replica source naming context was modified

4931

An Active Directory replica destination naming context was modified

4932

Synchronization of a replica of an Active Directory naming context has begun

4933

Synchronization of a replica of an Active Directory naming context has ended

4934

Attributes of an Active Directory object were replicated

4935

Replication failure begins

4936

Replication failure ends

4937

A lingering object was removed from a replica

4944

The following policy was active when the Windows Firewall started

4945

A rule was listed when the Windows Firewall started

4946

A change has been made to Windows Firewall exception list. A rule was added

4947

A change has been made to Windows Firewall exception list. A rule was modified

4948

A change has been made to Windows Firewall exception list. A rule was deleted

4949

Windows Firewall settings were restored to the default values

4950

A Windows Firewall setting has changed

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall

4953

A rule has been ignored by Windows Firewall because it could not parse the rule

4954

Windows Firewall Group Policy settings has changed. The new settings have been applied

4956

Windows Firewall has changed the active profile

4957

Windows Firewall did not apply the following rule

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer

4960

IPsec dropped an inbound packet that failed an integrity check

4961

IPsec dropped an inbound packet that failed a replay check

4962

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay

4963

IPsec dropped an inbound clear text packet that should have been secured

4964

Special groups have been assigned to a new logon

4965

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)

4976

During Main Mode negotiation, IPsec received an invalid negotiation packet

4977

During Quick Mode negotiation, IPsec received an invalid negotiation packet

4978

During Extended Mode negotiation, IPsec received an invalid negotiation packet

4979

IPsec Main Mode and Extended Mode security associations were established

4980

IPsec Main Mode and Extended Mode security associations were established

4981

IPsec Main Mode and Extended Mode security associations were established

4982

IPsec Main Mode and Extended Mode security associations were established

4983

An IPsec Extended Mode negotiation failed

4984

An IPsec Extended Mode negotiation failed

4985

The state of a transaction has changed

5024

The Windows Firewall Service has started successfully

5025

The Windows Firewall Service has been stopped

5027

The Windows Firewall Service was unable to retrieve the security policy from the local storage

5028

The Windows Firewall Service was unable to parse the new security policy

5029

The Windows Firewall Service failed to initialize the driver

5030

The Windows Firewall Service failed to start

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network

5033

The Windows Firewall Driver has started successfully

5034

The Windows Firewall Driver has been stopped

5035

The Windows Firewall Driver failed to start

5037

The Windows Firewall Driver detected critical runtime error. Terminating

5038

Code integrity determined that the image hash of a file is not valid

5039

A registry key was virtualized

5040

A change has been made to IPsec settings. An Authentication Set was added

5041

A change has been made to IPsec settings. An Authentication Set was modified

5042

A change has been made to IPsec settings. An Authentication Set was deleted

5043

A change has been made to IPsec settings. A Connection Security Rule was added

5044

A change has been made to IPsec settings. A Connection Security Rule was modified

5045

A change has been made to IPsec settings. A Connection Security Rule was deleted

5046

A change has been made to IPsec settings. A Crypto Set was added

5047

A change has been made to IPsec settings. A Crypto Set was modified

5048

A change has been made to IPsec settings. A Crypto Set was deleted

5049

An IPsec Security Association was deleted

5050

An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)

5051

A file was virtualized

5056

A cryptographic self test was performed

5057

A cryptographic primitive operation failed

5058

Key file operation

5059

Key migration operation

5060

Verification operation failed

5061

Cryptographic operation

5062

A kernel-mode cryptographic self test was performed

5063

A cryptographic provider operation was attempted

5064

A cryptographic context operation was attempted

5065

A cryptographic context modification was attempted

5066

A cryptographic function operation was attempted

5067

A cryptographic function modification was attempted

5068

A cryptographic function provider operation was attempted

5069

A cryptographic function property operation was attempted

5070

A cryptographic function property modification was attempted

5071

Key access denied by Microsoft key distribution service

5120

OCSP Responder Service Started

5121

OCSP Responder Service Stopped

5122

A configuration entry changed in the OCSP Responder Service

5123

A configuration entry changed in the OCSP Responder Service

5124

A security setting was updated on OCSP Responder Service

5125

A request was submitted to OCSP Responder Service

5126

Signing Certificate was automatically updated by the OCSP Responder Service

5127

The OCSP Revocation Provider successfully updated the revocation information

5136

A directory service object was modified

5137

A directory service object was created

5138

A directory service object was undeleted

5139

A directory service object was moved

5140

A network share object was accessed

5141

A directory service object was deleted

5142

A network share object was added

5143

A network share object was modified

5144

A network share object was deleted

5145

A network share object was checked to see whether client can be granted desired access

5146

The Windows Filtering Platform has blocked a packet

5147

A more restrictive Windows Filtering Platform filter has blocked a packet

5148

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded

5149

The DoS attack has subsided and normal processing is being resumed

5150

The Windows Filtering Platform has blocked a packet

5151

A more restrictive Windows Filtering Platform filter has blocked a packet

5152

The Windows Filtering Platform blocked a packet

5153

A more restrictive Windows Filtering Platform filter has blocked a packet

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections

5156

The Windows Filtering Platform has allowed a connection

5157

The Windows Filtering Platform has blocked a connection

5158

The Windows Filtering Platform has permitted a bind to a local port

5159

The Windows Filtering Platform has blocked a bind to a local port

5168

SPN check for SMB/SMB2 failed

5169

A directory service object was modified

5170

A directory service object was modified during a background cleanup task

5376

Credential Manager credentials were backed up

5377

Credential Manager credentials were restored from a backup

5378

The requested credentials delegation was disallowed by policy

5379

Credential Manager credentials were read

5380

Vault Find Credential

5381

Vault credentials were read

5382

Vault credentials were read

5440

The following callout was present when the Windows Filtering Platform Base Filtering Engine started

5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started

5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started

5443

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started

5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started

5446

A Windows Filtering Platform callout has been changed

5447

A Windows Filtering Platform filter has been changed

5448

A Windows Filtering Platform provider has been changed

5449

A Windows Filtering Platform provider context has been changed

5450

A Windows Filtering Platform sub-layer has been changed

5451

An IPsec Quick Mode security association was established

5452

An IPsec Quick Mode security association ended

5453

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started

5456

PAStore Engine applied Active Directory storage IPsec policy on the computer

5457

PAStore Engine failed to apply Active Directory storage IPsec policy on the computer

5458

PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer

5459

PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer

5460

PAStore Engine applied local registry storage IPsec policy on the computer

5461

PAStore Engine failed to apply local registry storage IPsec policy on the computer

5462

PAStore Engine failed to apply some rules of the active IPsec policy on the computer

5463

PAStore Engine polled for changes to the active IPsec policy and detected no changes

5464

PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services

5465

PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully

5466

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead

5467

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy

5468

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes

5471

PAStore Engine loaded local storage IPsec policy on the computer

5472

PAStore Engine failed to load local storage IPsec policy on the computer

5473

PAStore Engine loaded directory storage IPsec policy on the computer

5474

PAStore Engine failed to load directory storage IPsec policy on the computer

5477

PAStore Engine failed to add quick mode filter

5478

IPsec Services has started successfully

5479

IPsec Services has been shut down successfully

5480

IPsec Services failed to get the complete list of network interfaces on the computer

5483

IPsec Services failed to initialize RPC server. IPsec Services could not be started

5484

IPsec Services has experienced a critical failure and has been shut down

5485

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces

5632

A request was made to authenticate to a wireless network

5633

A request was made to authenticate to a wired network

5712

A Remote Procedure Call (RPC) was attempted

5888

An object in the COM+ Catalog was modified

5889

An object was deleted from the COM+ Catalog

5890

An object was added to the COM+ Catalog

6144

Security policy in the group policy objects has been applied successfully

6145

One or more errors occurred while processing security policy in the group policy objects

6272

Network Policy Server granted access to a user

6273

Network Policy Server denied access to a user

6274

Network Policy Server discarded the request for a user

6275

Network Policy Server discarded the accounting request for a user

6276

Network Policy Server quarantined a user

6277

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy

6278

Network Policy Server granted full access to a user because the host met the defined health policy

6279

Network Policy Server locked the user account due to repeated failed authentication attempts

6280

Network Policy Server unlocked the user account

6281

Code Integrity determined that the page hashes of an image file are not valid

6400

BranchCache: Received an incorrectly formatted response while discovering availability of content

6401

BranchCache: Received invalid data from a peer. Data discarded

6402

BranchCache: The message to the hosted cache offering it data is incorrectly formatted

6403

BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data

6404

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate

6405

BranchCache: instances of event occurred

6406

Registered to Windows Firewall to control filtering

6408

Registered product failed and Windows Firewall is now controlling the filtering

6409

BranchCache: A service connection point object could not be parsed

6410

Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues

6416

A new external device was recognized by the system

6417

The FIPS mode crypto selftests succeeded

6418

The FIPS mode crypto selftests failed

6419

A request was made to disable a device

6420

A device was disabled

6421

A request was made to enable a device

6422

A device was enabled

6423

The installation of this device is forbidden by system policy

6424

The installation of this device was allowed, after having previously been forbidden by policy

8191

Highest System-Defined Audit Message Value
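The table above is only useful once something consumes it. The following is an added example (not Logpoint's code and not part of the original appendix) of detection logic run over normalized Windows Security Auditing events keyed by the event IDs listed above: it alerts on single events that blind or weaken auditing (1100, 1102, 1104, 4616, 4719, 4906, 4912), on a successful logon (4624) following a burst of failed logons (4625) for the same account, and on a freshly created account (4720) being added to a security-enabled local group (4732) shortly afterwards. The record shape (dicts with `ts`, `event_id`, `user`, and `target_user` / `member` for 4720 / 4732), the window and threshold values, and the sample events are all assumptions constructed for the example.

```python
"""Detection logic over normalized Windows Security Auditing events, keyed
by the event IDs tabulated above. Added example, not Logpoint's code.
Assumed record shape: dicts with 'ts' (epoch seconds), 'event_id', 'user',
and for 4720/4732 'target_user' / 'member' (created account / added member)."""
from collections import defaultdict

# Events that shut down, clear, or weaken auditing itself (messages from the
# table above): alert on a single occurrence.
AUDIT_TAMPER_IDS = {
    1100: "The event logging service has shut down",
    1102: "The audit log was cleared",
    1104: "The security log is now full",
    4616: "The system time was changed",
    4719: "System audit policy was changed",
    4906: "The CrashOnAuditFail value has changed",
    4912: "Per User Audit Policy was changed",
}

def detect(events, window=300, threshold=5):
    """Return [(ts, rule, account)] findings; events must be time-ordered.
    window (seconds) and threshold are illustrative tuning values."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of 4625 (failed logon)
    created = {}                   # account -> ts of 4720 (user account created)
    for ev in events:
        ts, eid, user = ev["ts"], ev["event_id"], ev.get("user", "")
        if eid in AUDIT_TAMPER_IDS:
            findings.append((ts, "audit_tampering:%d" % eid, user))
        elif eid == 4625:
            failures[user].append(ts)
        elif eid == 4624:                       # success after a burst of failures
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((ts, "brute_force_success", user))
            failures[user].clear()
        elif eid == 4720:
            created[ev.get("target_user", "")] = ts
        elif eid == 4732:                       # fresh account put in a local group
            member = ev.get("member", "")
            if member in created and ts - created[member] <= window:
                findings.append((ts, "new_account_added_to_local_group", member))
    return findings

# Constructed, time-ordered sample events (not real log data): six failed
# logons, a success, account creation, group add, then the audit log cleared.
SAMPLE_EVENTS = [
    {"ts": 1000 + i, "event_id": 4625, "user": "svc_backup"} for i in range(6)
] + [
    {"ts": 1010, "event_id": 4624, "user": "svc_backup"},
    {"ts": 1020, "event_id": 4720, "user": "svc_backup", "target_user": "helpdesk2"},
    {"ts": 1030, "event_id": 4732, "user": "svc_backup", "member": "helpdesk2"},
    {"ts": 1040, "event_id": 1102, "user": "svc_backup"},
]

if __name__ == "__main__":
    for ts, rule, account in detect(SAMPLE_EVENTS):
        print(ts, rule, account)
```

The brute-force rule keys on the account rather than the source address on purpose: a spray from several addresses against one account still produces the 4625-then-4624 pattern, and the per-user failure list is cleared on success so one incident yields one finding rather than one per subsequent logon.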

Windows Sysmon

Event ID

Message

1

Process Create

2

File creation time changed

3

Network connection detected

4

Sysmon service state changed

5

Process terminated

6

Driver loaded

7

Image loaded

8

CreateRemoteThread detected

9

RawAccessRead detected

10

Process accessed

11

File created

12

Registry object added or deleted

13

Registry value set

14

Registry object renamed

15

File Stream Created

16

Sysmon config state changed

17

Pipe Created

18

Pipe Connected

19

WmiEventFilter activity detected

20

WmiEventConsumer activity detected

21

WmiEventConsumerToFilter activity detected

22

DNS query

23

File Delete archived

24

Clipboard changed

25

Process Tampering

26

File Delete logged

27

File Block Executable

255

Error report

DNS

Event ID

Message

NOERROR

DNS Query completed successfully

FORMERR

DNS Query Format Error

SERVFAIL

Server failed to complete the DNS request

NXDOMAIN

Domain name does not exist

NOTIMP

Function not implemented

REFUSED

The server refused to answer for the query

YXDOMAIN

Name that should not exist, does exist

YXRRSET

RRset that should not exist, does exist

NXRRSET

RRset that should exist does not

NOTAUTH

Server not authoritative for the zone

NOTZONE

Name not in zone

BADVERS

Bad OPT Version

BADSIG

TSIG Signature Failure

BADKEY

Key not recognized

BADTIME

Signature out of time window

BADMODE

Bad TKEY Mode

BADNAME

Duplicate key name

BADALG

Algorithm not supported

BADTRUNC

Bad Truncation

BADCOOKIE

Bad/missing Server Cookie
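The names above are the human-readable form of the DNS RCODE, but only values 0 to 15 fit in the 4-bit header field; BADVERS, BADCOOKIE and the other codes of 16 and above are carried as an extended RCODE in the OPT pseudo-RR's TTL field (RFC 6891), and a decoder that only reads the header will report such a reply as NOERROR or as a misleading low code. The following is an added example (not Logpoint's code and not part of the original appendix) that decodes the full 12-bit code from a wire-format reply and maps it to the names in the table; the numeric values come from the IANA DNS RCODE registry, and the sample replies are constructed, not captured traffic.

```python
"""Decode the response code of a raw DNS reply into the RCODE names listed
above. Added example, not Logpoint's code. The 4-bit header RCODE only
covers 0-15; codes 16+ (BADVERS, BADCOOKIE, ...) need the extended RCODE
carried in the OPT pseudo-RR's TTL field (RFC 6891). Numeric values are
from the IANA DNS RCODE registry."""
import struct

RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE", 16: "BADVERS", 17: "BADKEY", 18: "BADTIME", 19: "BADMODE",
    20: "BADNAME", 21: "BADALG", 22: "BADTRUNC", 23: "BADCOOKIE",
}
# BADSIG shares value 16 with BADVERS but is only meaningful in a TSIG RR's
# error field (RFC 8945), not in the OPT extended RCODE; the same holds for
# BADKEY/BADTIME (TSIG) and BADMODE/BADNAME/BADALG (TKEY). This decoder
# covers the header and OPT paths only.

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def dns_rcode(msg):
    """Return (numeric rcode, name) for a DNS message in wire format."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # walk every RR looking for OPT (type 41)
        off = _skip_name(msg, off)
        rrtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rrtype == 41:
            rcode |= ((ttl >> 24) & 0xFF) << 4   # upper 8 bits of the 12-bit code
        off += 10 + rdlen
    return rcode, RCODE_NAMES.get(rcode, "RCODE%d" % rcode)

def _build(flags, arcount=0, ext_rcode=0):
    """Constructed sample reply for example.com/A (not captured traffic);
    optionally appends an OPT RR with the given extended-RCODE byte."""
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, 0, arcount)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ext_rcode << 24, 0) if arcount else b""
    return hdr + q + opt

SAMPLE_NXDOMAIN = _build(0x8183)                            # header rcode 3
SAMPLE_BADVERS = _build(0x8180, arcount=1, ext_rcode=1)     # 16 = (1 << 4) | 0
SAMPLE_BADCOOKIE = _build(0x8187, arcount=1, ext_rcode=1)   # 23 = (1 << 4) | 7

if __name__ == "__main__":
    for name, pkt in [("nxdomain", SAMPLE_NXDOMAIN), ("badvers", SAMPLE_BADVERS),
                      ("badcookie", SAMPLE_BADCOOKIE)]:
        print(name, dns_rcode(pkt))
```

Note the BADCOOKIE sample: the header carries 7 (which on its own reads as YXRRSET) and the OPT TTL supplies the high byte; only the combination gives 23. Any log pipeline that records the header field alone will mislabel every extended code.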

