[
  {
    "ActionTypes": [
      "LogonFailed",
      "LogonSuccess"
    ],
    "TableName": "IdentityLogonEvents"
  },
  {
    "ActionTypes": [
      "DNS query",
      "LDAP query",
      "LdapQuery",
      "SAMR query"
    ],
    "TableName": "IdentityQueryEvents"
  },
  {
    "ActionTypes": [
      "Account Constrained Delegation SPNs changed",
      "Account Constrained Delegation State changed",
      "Account Delegation changed",
      "Account Deleted changed",
      "Account disabled",
      "Account Disabled changed",
      "Account Display Name changed",
      "Account enabled",
      "Account expired",
      "Account Expiry Time changed",
      "Account Name changed",
      "Account password change failed",
      "Account Password changed",
      "Account Password expired",
      "Account Password Never Expires changed",
      "Account Password Not Required changed",
      "Account Path changed",
      "Account primary group ID changed",
      "Account Smart Card Required changed",
      "Account Supported Encryption Types changed",
      "Account Unlock changed",
      "Account Upn Name changed",
      "Active Directory security group created",
      "ADCS certificate issued",
      "ADFS DKM property read",
      "ADFS settings changed",
      "DES encryption restriction changed",
      "Device Account Created",
      "Device dNSHostName changed",
      "Device Operating System changed",
      "Directory Service replication",
      "Domain trusts enumerated",
      "Entra Connect password writeback failed",
      "GMSA password read",
      "Group Membership changed",
      "Group Policy display name changed",
      "Group Policy Object created",
      "Group Policy Object deleted",
      "Group Policy settings changed",
      "Kerberos preauthentication flag changed",
      "Plaintext password allow status changed",
      "Potential lateral movement path identified",
      "PowerShell execution",
      "Private Data Retrieval",
      "SAM account name changed",
      "Security Principal created",
      "Security Principal deleted changed",
      "Security Principal Display Name changed",
      "Security Principal Name changed",
      "Security Principal Path changed",
      "Security Principal Sam Name changed",
      "Sensitive DACL changed",
      "Service creation",
      "SID-History changed",
      "SMB session",
      "SmbFileCopy",
      "Task scheduling",
      "User Mail changed",
      "User Manager changed",
      "User Phone Number changed",
      "User Title changed",
      "Wmi execution"
    ],
    "TableName": "IdentityDirectoryEvents"
  },
  {
    "ActionTypes": [
      "Malware ZAP",
      "Manual Remediation",
      "Phish ZAP",
      "Spam ZAP"
    ],
    "TableName": "EmailPostDeliveryEvents"
  },
  {
    "ActionTypes": [
      "Malware ZAP",
      "Manual Remediation",
      "Phish ZAP",
      "Spam ZAP"
    ],
    "TableName": "MessagePostDeliveryEvents"
  },
  {
    "ActionTypes": [
      "ClickAllowed",
      "ClickBlocked",
      "ClickBlockedByTenantPolicy",
      "UrlErrorPage",
      "UrlScanInProgress"
    ],
    "TableName": "UrlClickEvents"
  },
  {
    "ActionTypes": [
      "OpenProcess",
      "ProcessCreated"
    ],
    "TableName": "DeviceProcessEvents"
  },
  {
    "ActionTypes": [
      "ConnectionAcknowledged",
      "ConnectionAttempt",
      "ConnectionFailed",
      "ConnectionFound",
      "ConnectionRequest",
      "ConnectionSuccess",
      "DnsConnectionInspected",
      "FtpConnectionInspected",
      "HttpConnectionInspected",
      "IcmpConnectionInspected",
      "InboundConnectionAccepted",
      "InboundInternetScanInspected",
      "ListeningConnectionCreated",
      "NetworkSignatureInspected",
      "NtlmAuthenticationInspected",
      "SmtpConnectionInspected",
      "SshConnectionInspected",
      "SslConnectionInspected"
    ],
    "TableName": "DeviceNetworkEvents"
  },
  {
    "ActionTypes": [
      "FileCreated",
      "FileDeleted",
      "FileModified",
      "FileRenamed"
    ],
    "TableName": "DeviceFileEvents"
  },
  {
    "ActionTypes": [
      "RegistryKeyCreated",
      "RegistryKeyDeleted",
      "RegistryKeyRenamed",
      "RegistryValueDeleted",
      "RegistryValueSet"
    ],
    "TableName": "DeviceRegistryEvents"
  },
  {
    "ActionTypes": [
      "LogonAttempted",
      "LogonFailed",
      "LogonSuccess"
    ],
    "TableName": "DeviceLogonEvents"
  },
  {
    "ActionTypes": "ImageLoaded",
    "TableName": "DeviceImageLoadEvents"
  },
  {
    "ActionTypes": [
      "AccountCheckedForBlankPassword",
      "AntivirusDefinitionsUpdated",
      "AntivirusDefinitionsUpdateFailed",
      "AntivirusDetection",
      "AntivirusEmergencyUpdatesInstalled",
      "AntivirusError",
      "AntivirusMalwareActionFailed",
      "AntivirusMalwareBlocked",
      "AntivirusReport",
      "AntivirusScanCancelled",
      "AntivirusScanCompleted",
      "AntivirusScanFailed",
      "AntivirusTroubleshootModeEvent",
      "AppControlAppInstallationAudited",
      "AppControlAppInstallationBlocked",
      "AppControlCIScriptAudited",
      "AppControlCIScriptBlocked",
      "AppControlCodeIntegrityDriverRevoked",
      "AppControlCodeIntegrityImageAudited",
      "AppControlCodeIntegrityImageRevoked",
      "AppControlCodeIntegrityOriginAllowed",
      "AppControlCodeIntegrityOriginAudited",
      "AppControlCodeIntegrityOriginBlocked",
      "AppControlCodeIntegrityPolicyAudited",
      "AppControlCodeIntegrityPolicyBlocked",
      "AppControlCodeIntegrityPolicyLoaded",
      "AppControlCodeIntegritySigningInformation",
      "AppControlExecutableAudited",
      "AppControlExecutableBlocked",
      "AppControlPackagedAppAudited",
      "AppControlPackagedAppBlocked",
      "AppControlPolicyApplied",
      "AppControlScriptAudited",
      "AppControlScriptBlocked",
      "AppGuardBrowseToUrl",
      "AppGuardCreateContainer",
      "AppGuardLaunchedWithUrl",
      "AppGuardResumeContainer",
      "AppGuardStopContainer",
      "AppGuardSuspendContainer",
      "AppLockerBlockExecutable",
      "AppLockerBlockPackagedApp",
      "AppLockerBlockPackagedAppInstallation",
      "AppLockerBlockScript",
      "AsrAbusedSystemToolAudited",
      "AsrAbusedSystemToolBlocked",
      "AsrAbusedSystemToolWarnBypassed",
      "AsrAdobeReaderChildProcessAudited",
      "AsrAdobeReaderChildProcessBlocked",
      "AsrAdobeReaderChildProcessWarnBypassed",
      "AsrExecutableEmailContentAudited",
      "AsrExecutableEmailContentBlocked",
      "AsrExecutableEmailContentWarnBypassed",
      "AsrExecutableOfficeContentAudited",
      "AsrExecutableOfficeContentBlocked",
      "AsrExecutableOfficeContentWarnBypassed",
      "AsrLsassCredentialTheftAudited",
      "AsrLsassCredentialTheftBlocked",
      "AsrLsassCredentialTheftWarnBypassed",
      "AsrObfuscatedScriptAudited",
      "AsrObfuscatedScriptBlocked",
      "AsrObfuscatedScriptWarnBypassed",
      "AsrOfficeChildProcessAudited",
      "AsrOfficeChildProcessBlocked",
      "AsrOfficeChildProcessWarnBypassed",
      "AsrOfficeCommAppChildProcessAudited",
      "AsrOfficeCommAppChildProcessBlocked",
      "AsrOfficeCommAppChildProcessWarnBypassed",
      "AsrOfficeMacroWin32ApiCallsAudited",
      "AsrOfficeMacroWin32ApiCallsBlocked",
      "AsrOfficeMacroWin32ApiCallsWarnBypassed",
      "AsrOfficeProcessInjectionAudited",
      "AsrOfficeProcessInjectionBlocked",
      "AsrOfficeProcessInjectionWarnBypassed",
      "AsrPersistenceThroughWmiAudited",
      "AsrPersistenceThroughWmiBlocked",
      "AsrPersistenceThroughWmiWarnBypassed",
      "AsrPsexecWmiChildProcessAudited",
      "AsrPsexecWmiChildProcessBlocked",
      "AsrPsexecWmiChildProcessWarnBypassed",
      "AsrRansomwareAudited",
      "AsrRansomwareBlocked",
      "AsrRansomwareWarnBypassed",
      "AsrSafeModeRebootAudited",
      "AsrSafeModeRebootBlocked",
      "AsrSafeModeRebootWarnBypassed",
      "AsrScriptExecutableDownloadAudited",
      "AsrScriptExecutableDownloadBlocked",
      "AsrScriptExecutableDownloadWarnBypassed",
      "AsrUntrustedExecutableAudited",
      "AsrUntrustedExecutableBlocked",
      "AsrUntrustedExecutableWarnBypassed",
      "AsrUntrustedUsbProcessAudited",
      "AsrUntrustedUsbProcessBlocked",
      "AsrUntrustedUsbProcessWarnBypassed",
      "AsrVulnerableSignedDriverAudited",
      "AsrVulnerableSignedDriverBlocked",
      "AsrVulnerableSignedDriverWarnBypassed",
      "AsrWebShellOnServerAudited",
      "AsrWebShellOnServerBlocked",
      "AsrWebShellWarnBypassed",
      "AuditPolicyModification",
      "BitLockerAuditCompleted",
      "BluetoothPolicyTriggered",
      "BrowserLaunchedToOpenUrl",
      "BruteForceActivityDetected",
      "CertificateServicesApprovedCertificateRequest",
      "CertificateServicesLoadedTemplate",
      "CertificateServicesReceivedCertificateRequest",
      "ControlFlowGuardViolation",
      "ControlledFolderAccessViolationAudited",
      "ControlledFolderAccessViolationBlocked",
      "CreateRemoteThreadApiCall",
      "CredentialsBackup",
      "DeviceBootAttestationInfo",
      "DirectoryServiceObjectCreated",
      "DirectoryServiceObjectModified",
      "DnsQueryResponse",
      "DpapiAccessed",
      "DriverLoad",
      "ExploitGuardAcgAudited",
      "ExploitGuardAcgEnforced",
      "ExploitGuardChildProcessAudited",
      "ExploitGuardChildProcessBlocked",
      "ExploitGuardEafViolationAudited",
      "ExploitGuardEafViolationBlocked",
      "ExploitGuardIafViolationAudited",
      "ExploitGuardIafViolationBlocked",
      "ExploitGuardLowIntegrityImageAudited",
      "ExploitGuardLowIntegrityImageBlocked",
      "ExploitGuardNetworkProtectionAudited",
      "ExploitGuardNetworkProtectionBlocked",
      "ExploitGuardNonMicrosoftSignedAudited",
      "ExploitGuardNonMicrosoftSignedBlocked",
      "ExploitGuardRopExploitAudited",
      "ExploitGuardRopExploitBlocked",
      "ExploitGuardSharedBinaryAudited",
      "ExploitGuardSharedBinaryBlocked",
      "ExploitGuardWin32SystemCallAudited",
      "ExploitGuardWin32SystemCallBlocked",
      "ExternalDeviceConnected",
      "ExternalDeviceDisconnected",
      "FileTimestampModificationEvent",
      "FirewallInboundConnectionBlocked",
      "FirewallInboundConnectionToAppBlocked",
      "FirewallOutboundConnectionBlocked",
      "FirewallServiceStopped",
      "GetAsyncKeyStateApiCall",
      "GetClipboardData",
      "LdapSearch",
      "LogonRightsSettingEnabled",
      "MemoryRemoteProtect",
      "NamedPipeEvent",
      "NetworkProtectionUserBypassEvent",
      "NetworkShareObjectAccessChecked",
      "NetworkShareObjectAdded",
      "NetworkShareObjectDeleted",
      "NetworkShareObjectModified",
      "NtAllocateVirtualMemoryApiCall",
      "NtAllocateVirtualMemoryRemoteApiCall",
      "NtMapViewOfSectionRemoteApiCall",
      "NtProtectVirtualMemoryApiCall",
      "OpenProcessApiCall",
      "PasswordChangeAttempt",
      "PlistPropertyModified",
      "PnpDeviceAllowed",
      "PnpDeviceBlocked",
      "PnpDeviceConnected",
      "PowerShellCommand",
      "PrintJobBlocked",
      "ProcessCreatedUsingWmiQuery",
      "ProcessPrimaryTokenModified",
      "PTraceDetected",
      "QueueUserApcRemoteApiCall",
      "ReadProcessMemoryApiCall",
      "RemoteDesktopConnection",
      "RemoteWmiOperation",
      "RemovableStorageFileEvent",
      "RemovableStoragePolicyTriggered",
      "SafeDocFileScan",
      "ScheduledTaskCreated",
      "ScheduledTaskDeleted",
      "ScheduledTaskDisabled",
      "ScheduledTaskEnabled",
      "ScheduledTaskUpdated",
      "ScreenshotTaken",
      "SecurityGroupCreated",
      "SecurityGroupDeleted",
      "SecurityLogCleared",
      "SensitiveFileRead",
      "ServiceInstalled",
      "SetThreadContextRemoteApiCall",
      "ShellLinkCreateFileEvent",
      "SmartScreenAppWarning",
      "SmartScreenExploitWarning",
      "SmartScreenUrlWarning",
      "SmartScreenUserOverride",
      "TamperingAttempt",
      "UntrustedWifiConnection",
      "UsbDriveDriveLetterChanged",
      "UsbDriveMounted",
      "UsbDriveUnmounted",
      "UserAccountAddedToLocalGroup",
      "UserAccountCreated",
      "UserAccountDeleted",
      "UserAccountModified",
      "UserAccountPasswordResetAttempt",
      "UserAccountRemovedFromLocalGroup",
      "WmiBindEventFilterToConsumer",
      "WriteToLsassProcessMemory"
    ],
    "TableName": "DeviceEvents"
  },
  {
    "ActionTypes": [
      "ContainedRestrictedUserSmbFileOpenBlocked",
      "ContainedUserLogonBlocked",
      "ContainedUserLogonBlockedByDomainController",
      "ContainedUserRemoteDesktopSessionDisconnected",
      "ContainedUserRemoteDesktopSessionStopped",
      "ContainedUserRpcAccessBlocked",
      "ContainedUserSmbFileOpenBlocked",
      "ContainedUserSmbFileOpenBlockedAggregation",
      "ContainedUserSmbSessionStopped",
      "GroupPolicyAccessBlocked",
      "GroupPolicyHardeningPolicyApplied",
      "GroupPolicyHardeningPolicyRemoved",
      "SafeBootBlocked",
      "SafeBootGuardPolicyApplied",
      "SafeBootGuardPolicyRemoved"
    ],
    "TableName": "DisruptionAndResponseEvents"
  }
]