eventId and eventSubId Mapping
|
eventId |
Data Field Mapping |
|---|---|
|
1 |
TELEMETRY_PROCESS |
|
2 |
TELEMETRY_FILE |
|
3 |
TELEMETRY_CONNECTION |
|
4 |
TELEMETRY_DNS |
|
5 |
TELEMETRY_REGISTRY |
|
6 |
TELEMETRY_ACCOUNT |
|
7 |
TELEMETRY_INTERNET |
|
8 |
TELEMETRY_MODIFIED_PROCESS |
|
9 |
TELEMETRY_WINDOWS_HOOK |
|
10 |
TELEMETRY_WINDOWS_EVENT |
|
11 |
TELEMETRY_AMSI |
|
12 |
TELEMETRY_WMI |
|
13 |
TELEMETRY_MEMORY |
|
14 |
TELEMETRY_BM |
|
eventSubId |
Data Field Mapping |
|---|---|
|
1 |
TELEMETRY_PROCESS_OPEN |
|
2 |
TELEMETRY_PROCESS_CREATE |
|
3 |
TELEMETRY_PROCESS_TERMINATE |
|
4 |
TELEMETRY_PROCESS_LOAD_IMAGE |
|
5 |
TELEMETRY_PROCESS_EXECUTE |
|
6 |
TELEMETRY_PROCESS_CONNECT |
|
7 |
TELEMETRY_PROCESS_TRACME |
|
101 |
TELEMETRY_FILE_CREATE |
|
102 |
TELEMETRY_FILE_OPEN |
|
103 |
TELEMETRY_FILE_DELETE |
|
104 |
TELEMETRY_FILE_SET_SECURITY |
|
105 |
TELEMETRY_FILE_COPY |
|
106 |
TELEMETRY_FILE_MOVE |
|
107 |
TELEMETRY_FILE_CLOSE |
|
108 |
TELEMETRY_FILE_MODIFY_TIMESTAMP |
|
109 |
TELEMETRY_FILE_MODIFY |
|
201 |
TELEMETRY_CONNECTION_CONNECT |
|
202 |
TELEMETRY_CONNECTION_LISTEN |
|
203 |
TELEMETRY_CONNECTION_CONNECT_INBOUND |
|
204 |
TELEMETRY_CONNECTION_CONNECT_OUTBOUND |
|
301 |
TELEMETRY_DNS_QUERY |
|
401 |
TELEMETRY_REGISTRY_CREATE |
|
402 |
TELEMETRY_REGISTRY_SET |
|
403 |
TELEMETRY_REGISTRY_DELETE |
|
404 |
TELEMETRY_REGISTRY_RENAME |
|
501 |
TELEMETRY_ACCOUNT_ADD |
|
502 |
TELEMETRY_ACCOUNT_DELETE |
|
503 |
TELEMETRY_ACCOUNT_IMPERSONATE |
|
504 |
TELEMETRY_ACCOUNT_MODIFY |
|
601 |
TELEMETRY_INTERNET_OPEN |
|
602 |
TELEMETRY_INTERNET_CONNECT |
|
603 |
TELEMETRY_INTERNET_DOWNLOAD |
|
701 |
TELEMETRY_MODIFIED_PROCESS_CREATE_REMOTETHREAD |
|
702 |
TELEMETRY_MODIFIED_PROCESS_WRITE_MEMORY |
|
703 |
TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS |
|
704 |
TELEMETRY_MODIFIED_PROCESS_READ_PROCESS |
|
705 |
TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS_NAME |
|
801 |
TELEMETRY_WINDOWS_HOOK_SET |
|
901 |
TELEMETRY_AMSI_EXECUTE |
|
1001 |
TELEMETRY_MEMORY_MODIFY |
|
1002 |
TELEMETRY_MEMORY_MODIFY_PERMISSION |
|
1003 |
TELEMETRY_MEMORY_READ |
|
1101 |
TELEMETRY_BM_INVOKE |
|
1102 |
TELEMETRY_BM_INVOKE_API |
