eventId and eventSubId Mapping

Table 1. eventId

eventId   Data Field Mapping
1         EVENT_PROCESS
2         EVENT_FILE
3         EVENT_CONNECTIO
4         EVENT_DNS
5         EVENT_REGISTRY
6         EVENT_ACCOUNT
7         EVENT_INTERNET
8         XDR_EVENT_MODIFIED_PROCESS
9         EVENT_WINDOWS_HOOK
10        EVENT_WINDOWS_EVENT
11        EVENT_AMSI
12        EVENT_WMI

Table 2. eventSubId

eventSubId   Data Field Mapping
1            XDR_PROCESS_OPEN
2            XDR_PROCESS_CREATE
3            XDR_PROCESS_TERMINATE
4            XDR_PROCESS_LOAD_IMAGE
101          XDR_FILE_CREATE
102          XDR_FILE_OPEN
103          XDR_FILE_DELETE
104          XDR_FILE_SET_SECURITY
105          XDR_FILE_COPY
106          XDR_FILE_MOVE
107          XDR_FILE_CLOSE
201          XDR_CONNECTION_CONNECT
202          XDR_CONNECTION_LISTEN
203          XDR_CONNECTION_CONNECT_INBOUND
204          XDR_CONNECTION_CONNECT_OUTBOUND
301          XDR_DNS_QUERY
401          XDR_REGISTRY_CREATE
402          XDR_REGISTRY_SET
403          XDR_REGISTRY_DELETE
404          XDR_REGISTRY_RENAME
501          XDR_ACCOUNT_ADD
502          XDR_ACCOUNT_DELETE
503          XDR_ACCOUNT_IMPERSONATE
504          XDR_ACCOUNT_MODIFY
601          XDR_INTERNET_OPEN
602          XDR_INTERNET_CONNECT
603          XDR_INTERNET_DOWNLOAD
701          XDR_MODIFIED_PROCESS_CREATE_REMOTETHREAD
702          XDR_MODIFIED_PROCESS_WRITE_MEMORY
801          XDR_WINDOWS_HOOK_SET
901          XDR_AMSI_EXECUTE