Hostname of the event source Process name that generated the event Event Start Time Application Application name Application vendor Application version Name of the application that generated the event Source User login authentication ID (login id) Command Network destination Network destination hostname Network destination IPv4 address Network destination IPv6 address Network destination port Source user group effective ID (egid) Source user effective ID (euid) File information File MD5 Hashsum File line number File mode flags File name File system path File permissions File size in octets IPv4 address of the event source IPv6 address of the event source The event message The event message identifier Process ID that generated the event Event priority (ERROR|WARN|DEBUG|CRIT) Process Process ID (pid) Process name Thread identifier of the process Event severity Network source Network source hostname Network source IPv4 address Network source IPv6 address Network source port Application subsystem responsible for generating the event Syslog compatibility Syslog facility value Syslog priority value Syslog Tag value Syslog Protocol version (0=legacy/RFC3164; 1=RFC5424) Numeric thread ID associated with the process generating the event Source user account ID (uid) User account User account domain (NT Domain) Group ID (gid) Group name User account ID (uid) User account name Source user name Vendor of the event source application Application version of the event source application The primary type of action that was undertaken as part of the event. The status or result of the action should be detailed in the status field. Access Event A file, user account, network share, or other object has been accessed. If more is known regarding the access, use a more precise action such as read, write, or execute. Alert Event Memory/Space Allocation Event Allow/Permit Event Audit Event Backup Event Bind Event Block Event Clean/Scrub Infected Object Event Close Event Compress Event Copy Event An object was duplicated or copied. Commonly copied objects include files, partitions, and database tables. Create Event An object was created. Commonly created objects include files, accounts, and roles. If the object is a stream or session, then the action [open] must be used. Decompress Event Detect Event Finding evidence of something as it is occurring, usually through the use of sensors or triggers. For example, an attack or exploit can be detected as it is occurring, or evidence of the event can be found through later searches. Execute Event An object (usually a file or memory) was run or executed. Find Event An object was found, usually as a result of a search or scan, such as an anti-virus product found malware or an IDS found suspicious packets. Free Event The deallocation or freeing of memory Initialize Event Initialize memory or set a buffer or variable to their initial values. Initiate Event Initiate an external connection, stream, or other object, usually as part of a hand-shake or other initialization process Login Event A user or other entity gains access to a system through a successful authentication or login attempt Logout Event An entity that has already gained access to a system or application (through a login action), ends their user account session. Another session can be established to the user account only through another successful logon action. Move Event An object was moved. Usually 'move' describes the moving of a file between directories. A 'move' may be implemented as a sequence of [copy] and [remove] actions. Search Event An actor (user or application) searched or queried for something. For 'search' actions, the object should contain the query of what was sought. Start Event A service, task, scan, or related object activity has begun. Stop Event A service, task, scan, or related activity was been stopped, usually by another process or user, or due to an error condition. Upgrade Event A type of [update] that upgrades an entire application, usually involving substantial changes and a change in major version numbers. For example, installing the Microsoft Windows XP Service Pack 2 (SP2) would upgrade a base Windows XP installation. Violate Event The infringement or breaking of a policy, rule, or other guideline. Write Event An object (usually a file or memory location) was written to. The environment or domain of the event. Typical event domains include network (net), operating system (os), and application (app). Application-level Event Device-level Event Network-based Event The event is occurs within or is associated with the network Operating System Event The type of object that is targeted or otherwise affected by the event User Account Application System BIOS Device Driver E-mail Audit or Event Record File Network Flow Network Connection Network Packet Process Firewall, IDS, Malware, or similar Rule User Session System Processing Thread Vulnerability The service the event involves. The service field value provides context to the event action or more precision to the event domain. Audit Service Authentication Service Authorization Service Backup Service Database Service E-mail Service Event involves an e-mail server or service Firewall Service Web Service The event involve a web service, such as an HTTP server The end result or status of the event action identified by the action field. Event Canceled The event action was canceled Event Errored The event action terminated with an error Event Failed The event failed due to some unmet condition, such as an incorrect password Event Ongoing The event has started and has yet to complete. Another event should be sent to notify when the event completed and the final status Event Success The event completed successfully. For example, a successful user authentication event would be an instance where the authentication activity was successfully completed and the user was fully authenticated. Event Status Unknown The result state of an event occurrence was unknown. It was not known to the observer of the event whether or not the event successfully completed. The type of object that initiated or started the event action identified by the action field.