eventId

| eventId | Data Field Mapping |
| --- | --- |
| 1 | TELEMETRY_PROCESS |
| 2 | TELEMETRY_FILE |
| 3 | TELEMETRY_CONNECTION |
| 4 | TELEMETRY_DNS |
| 5 | TELEMETRY_REGISTRY |
| 6 | TELEMETRY_ACCOUNT |
| 7 | TELEMETRY_INTERNET |
| 8 | TELEMETRY_MODIFIED_PROCESS |
| 9 | TELEMETRY_WINDOWS_HOOK |
| 10 | TELEMETRY_WINDOWS_EVENT |
| 11 | TELEMETRY_AMSI |
| 12 | TELEMETRY_WMI |
| 13 | TELEMETRY_MEMORY |
| 14 | TELEMETRY_BM |
eventSubId

| eventSubId | Data Field Mapping |
| --- | --- |
| 1 | TELEMETRY_PROCESS_OPEN |
| 2 | TELEMETRY_PROCESS_CREATE |
| 3 | TELEMETRY_PROCESS_TERMINATE |
| 4 | TELEMETRY_PROCESS_LOAD_IMAGE |
| 5 | TELEMETRY_PROCESS_EXECUTE |
| 6 | TELEMETRY_PROCESS_CONNECT |
| 7 | TELEMETRY_PROCESS_TRACME |
| 101 | TELEMETRY_FILE_CREATE |
| 102 | TELEMETRY_FILE_OPEN |
| 103 | TELEMETRY_FILE_DELETE |
| 104 | TELEMETRY_FILE_SET_SECURITY |
| 105 | TELEMETRY_FILE_COPY |
| 106 | TELEMETRY_FILE_MOVE |
| 107 | TELEMETRY_FILE_CLOSE |
| 108 | TELEMETRY_FILE_MODIFY_TIMESTAMP |
| 109 | TELEMETRY_FILE_MODIFY |
| 201 | TELEMETRY_CONNECTION_CONNECT |
| 202 | TELEMETRY_CONNECTION_LISTEN |
| 203 | TELEMETRY_CONNECTION_CONNECT_INBOUND |
| 204 | TELEMETRY_CONNECTION_CONNECT_OUTBOUND |
| 301 | TELEMETRY_DNS_QUERY |
| 401 | TELEMETRY_REGISTRY_CREATE |
| 402 | TELEMETRY_REGISTRY_SET |
| 403 | TELEMETRY_REGISTRY_DELETE |
| 404 | TELEMETRY_REGISTRY_RENAME |
| 501 | TELEMETRY_ACCOUNT_ADD |
| 502 | TELEMETRY_ACCOUNT_DELETE |
| 503 | TELEMETRY_ACCOUNT_IMPERSONATE |
| 504 | TELEMETRY_ACCOUNT_MODIFY |
| 601 | TELEMETRY_INTERNET_OPEN |
| 602 | TELEMETRY_INTERNET_CONNECT |
| 603 | TELEMETRY_INTERNET_DOWNLOAD |
| 701 | TELEMETRY_MODIFIED_PROCESS_CREATE_REMOTETHREAD |
| 702 | TELEMETRY_MODIFIED_PROCESS_WRITE_MEMORY |
| 703 | TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS |
| 704 | TELEMETRY_MODIFIED_PROCESS_READ_PROCESS |
| 705 | TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS_NAME |
| 801 | TELEMETRY_WINDOWS_HOOK_SET |
| 901 | TELEMETRY_AMSI_EXECUTE |
| 1001 | TELEMETRY_MEMORY_MODIFY |
| 1002 | TELEMETRY_MEMORY_MODIFY_PERMISSION |
| 1003 | TELEMETRY_MEMORY_READ |
| 1101 | TELEMETRY_BM_INVOKE |
| 1102 | TELEMETRY_BM_INVOKE_API |

Note: the leading digits of an eventSubId are not the eventId, and the offset between them is not constant (for example, 701–705 belong to TELEMETRY_MODIFIED_PROCESS, eventId 8, while 901 belongs to TELEMETRY_AMSI, eventId 11). Detection queries should therefore match on the eventId and eventSubId fields as logged rather than deriving one from the other. This table lists no eventSubId values for TELEMETRY_WINDOWS_EVENT (eventId 10) or TELEMETRY_WMI (eventId 12).
