Hostname of the event source
Process name that generated the event
Event Start Time
Application
Application name
Application vendor
Application version
Name of the application that generated the event
Source User login authentication ID (login id)
Command
Network destination
Network destination hostname
Network destination IPv4 address
Network destination IPv6 address
Network destination port
Source user group effective ID (egid)
Source user effective ID (euid)
File information
File MD5 Hashsum
File line number
File mode flags
File name
File system path
File permissions
File size in octets
IPv4 address of the event source
IPv6 address of the event source
The event message
The event message identifier
Process ID that generated the event
Event priority (ERROR|WARN|DEBUG|CRIT)
Process
Process ID (pid)
Process name
Thread identifier of the process
Event severity
Network source
Network source hostname
Network source IPv4 address
Network source IPv6 address
Network source port
Application subsystem responsible for generating the event
Syslog compatibility
Syslog facility value
Syslog priority value
Syslog Tag value
Syslog Protocol version (0=legacy/RFC3164; 1=RFC5424)
Numeric thread ID associated with the process generating the event
Source user account ID (uid)
User account
User account domain (NT Domain)
Group ID (gid)
Group name
User account ID (uid)
User account name
Source user name
Vendor of the event source application
Application version of the event source application
The primary type of action that was undertaken as part of the event. The status or result of the action should be detailed in the status field.
Access Event
A file, user account, network share, or other object has been accessed. If more is known regarding the access, use a more precise action such as read, write, or execute.
Alert Event
Memory/Space Allocation Event
Allow/Permit Event
Audit Event
Backup Event
Bind Event
Block Event
Clean/Scrub Infected Object Event
Close Event
Compress Event
Copy Event
An object was duplicated or copied. Commonly copied objects include files, partitions, and database tables.
Create Event
An object was created. Commonly created objects include files, accounts, and roles. If the object is a stream or session, then the action [open] must be used.
Decompress Event
Detect Event
Finding evidence of something as it is occurring, usually through the use of sensors or triggers. For example, an attack or exploit can be detected as it is occurring, or evidence of the event can be found through later searches.
Execute Event
An object (usually a file or memory) was run or executed.
Find Event
An object was found, usually as a result of a search or scan, such as when an anti-virus product finds malware or an IDS finds suspicious packets.
Free Event
The deallocation or freeing of memory.
Initialize Event
Initialize memory, or set a buffer or variable to its initial value.
Initiate Event
Initiate an external connection, stream, or other object, usually as part of a handshake or other initialization process.
Login Event
A user or other entity gains access to a system through a successful authentication or login attempt.
Logout Event
An entity that has already gained access to a system or application (through a login action), ends their user account session. Another session can be established to the user account only through another successful logon action.
Move Event
An object was moved. Usually 'move' describes the moving of a file between directories. A 'move' may be implemented as a sequence of [copy] and [remove] actions.
Search Event
An actor (user or application) searched or queried for something. For 'search' actions, the object should contain the query of what was sought.
Start Event
A service, task, scan, or related object activity has begun.
Stop Event
A service, task, scan, or related activity has been stopped, usually by another process or user, or due to an error condition.
Upgrade Event
A type of [update] that upgrades an entire application, usually involving substantial changes and a change in major version numbers. For example, installing the Microsoft Windows XP Service Pack 2 (SP2) would upgrade a base Windows XP installation.
Violate Event
The infringement or breaking of a policy, rule, or other guideline.
Write Event
An object (usually a file or memory location) was written to.
The environment or domain of the event. Typical event domains include network (net), operating system (os), and application (app).
Application-level Event
Device-level Event
Network-based Event
The event occurs within, or is associated with, the network.
Operating System Event
The type of object that is targeted or otherwise affected by the event
User Account
Application
System BIOS
Device Driver
E-mail
Audit or Event Record
File
Network Flow
Network Connection
Network Packet
Process
Firewall, IDS, Malware, or similar Rule
User Session
System
Processing Thread
Vulnerability
The service the event involves. The service field value provides context to the event action or more precision to the event domain.
Audit Service
Authentication Service
Authorization Service
Backup Service
Database Service
E-mail Service
The event involves an e-mail server or service.
Firewall Service
Web Service
The event involves a web service, such as an HTTP server.
The end result or status of the event action identified by the action field.
Event Canceled
The event action was canceled.
Event Errored
The event action terminated with an error.
Event Failed
The event failed due to some unmet condition, such as an incorrect password.
Event Ongoing
The event has started and has yet to complete. Another event should be sent when the event completes, reporting its final status.
Event Success
The event completed successfully. For example, a successful user authentication event would be an instance where the authentication activity was successfully completed and the user was fully authenticated.
Event Status Unknown
The result state of an event occurrence was unknown. It was not known to the observer of the event whether or not the event successfully completed.
The type of object that initiated or started the event action identified by the action field.