# DeviceEvents

## DeviceEvents Schema

### Table description

| TableSection | TableType | TableSectionName | Description |
|---|---|---|---|
| Devices | Regular | | |

### Table retention

| HotDays | ColdDays | TotalInteractiveDays |
|---|---|---|
| 30 | 0 | 30 |

### Schema

| Name | Description | Type |
|---|---|---|
| AccountDomain | Domain of the account | String |
| AccountName | User name of the account | String |
| AccountSid | Security Identifier (SID) of the account | String |
| ActionType | Type of activity that triggered the event | String |
| AdditionalFields | Additional information about the entity or event, as a JSON string whose keys depend on the ActionType | String |
| AppGuardContainerId | Identifier for the virtualized container used by Application Guard to isolate browser activity | String |
| CreatedProcessSessionId | Windows session ID of the created process | Int64 |
| DeviceId | Unique identifier for the device in the service | String |
| DeviceName | Fully qualified domain name (FQDN) of the device | String |
| FileName | Name of the file that the recorded action was applied to | String |
| FileOriginIP | IP address where the file was downloaded from | String |
| FileOriginUrl | URL where the file was downloaded from | String |
| FileSize | Size of the file in bytes | Int64 |
| FolderPath | Folder containing the file that the recorded action was applied to | String |
| InitiatingProcessAccountDomain | Domain of the account that ran the process responsible for the event | String |
| InitiatingProcessAccountName | User name of the account that ran the process responsible for the event | String |
| InitiatingProcessAccountObjectId | Microsoft Entra object ID of the user account that ran the process responsible for the event | String |
| InitiatingProcessAccountSid | Security Identifier (SID) of the account that ran the process responsible for the event | String |
| InitiatingProcessAccountUpn | User principal name (UPN) of the account that ran the process responsible for the event | String |
| InitiatingProcessCommandLine | Command line used to run the process that initiated the event | String |
| InitiatingProcessCreationTime | Date and time when the process that initiated the event was started | DateTime |
| InitiatingProcessFileName | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead | String |
| InitiatingProcessFileSize | Size of the process (image file) that initiated the event | Int64 |
| InitiatingProcessFolderPath | Folder containing the process (image file) that initiated the event | String |
| InitiatingProcessId | Process ID (PID) of the process that initiated the event | Int64 |
| InitiatingProcessLogonId | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | Int64 |
| InitiatingProcessMD5 | MD5 hash of the process (image file) that initiated the event | String |
| InitiatingProcessParentCreationTime | Date and time when the parent of the process responsible for the event was started | DateTime |
| InitiatingProcessParentFileName | Name of the parent process that spawned the process responsible for the event | String |
| InitiatingProcessParentId | Process ID (PID) of the parent process that spawned the process responsible for the event | Int64 |
| InitiatingProcessRemoteSessionDeviceName | Device name of the remote device from which the initiating process's RDP session was initiated | String |
| InitiatingProcessRemoteSessionIP | IP address of the remote device from which the initiating process's RDP session was initiated | String |
| InitiatingProcessSessionId | Windows session ID of the initiating process | Int64 |
| InitiatingProcessSHA1 | SHA-1 hash of the process (image file) that initiated the event | String |
| InitiatingProcessSHA256 | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated; use the SHA1 column when available. | String |
| InitiatingProcessUniqueId | Unique identifier of the initiating process; this is equal to the Process Start Key on Windows devices | String |
| InitiatingProcessVersionInfoCompanyName | Company name from the version information of the process (image file) responsible for the event | String |
| InitiatingProcessVersionInfoFileDescription | Description from the version information of the process (image file) responsible for the event | String |
| InitiatingProcessVersionInfoInternalFileName | Internal file name from the version information of the process (image file) responsible for the event | String |
| InitiatingProcessVersionInfoOriginalFileName | Original file name from the version information of the process (image file) responsible for the event | String |
| InitiatingProcessVersionInfoProductName | Product name from the version information of the process (image file) responsible for the event | String |
| InitiatingProcessVersionInfoProductVersion | Product version from the version information of the process (image file) responsible for the event | String |
| IsInitiatingProcessRemoteSession | Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) | Boolean |
| IsProcessRemoteSession | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) | Boolean |
| LocalIP | IP address assigned to the local machine used during communication | String |
| LocalPort | TCP port on the local machine used during communication | Int32 |
| LogonId | Identifier for a logon session. This identifier is unique on the same machine only between restarts. | Int64 |
| MachineGroup | Machine group of the device, as used by role-based access control to scope access to the device | String |
| MD5 | MD5 hash of the file that the recorded action was applied to | String |
| ProcessCommandLine | Command line used to create the new process | String |
| ProcessCreationTime | Date and time the process was created | DateTime |
| ProcessId | Process ID (PID) of the newly created process | Int64 |
| ProcessRemoteSessionDeviceName | Device name of the remote device from which the created process's RDP session was initiated | String |
| ProcessRemoteSessionIP | IP address of the remote device from which the created process's RDP session was initiated | String |
| ProcessTokenElevation | Type of token elevation applied to the newly created process. Possible values: TokenElevationTypeLimited (restricted), TokenElevationTypeDefault (standard), and TokenElevationTypeFull (elevated) | String |
| RegistryKey | Registry key that the recorded action was applied to | String |
| RegistryValueData | Data of the registry value that the recorded action was applied to | String |
| RegistryValueName | Name of the registry value that the recorded action was applied to | String |
| RemoteDeviceName | Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | String |
| RemoteIP | IP address that was being connected to | String |
| RemotePort | TCP port on the remote device that was being connected to | Int32 |
| RemoteUrl | URL or fully qualified domain name (FQDN) that was being connected to | String |
| ReportId | Event identifier based on a repeating counter. To identify unique events, this column must be used together with the DeviceName and Timestamp columns. | Int64 |
| SHA1 | SHA-1 hash of the file that the recorded action was applied to | String |
| SHA256 | SHA-256 hash of the file that the recorded action was applied to | String |
| SourceSystem | Type of agent the data was collected by | String |
| TenantId | Log Analytics workspace ID | String |
| TimeGenerated | Date and time the record was generated (UTC) | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| Type | Name of the table | String |
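
The ReportId note above matters in practice: the counter repeats across devices and after restarts, so a hunting query must deduplicate on (DeviceName, Timestamp, ReportId), not on ReportId alone. The following advanced hunting query is an added example and is not part of the original schema page; it uses only columns listed in the table. It hunts for processes that touched the memory of lsass.exe, collapses duplicate rows on the documented key, prefers SHA-1 because InitiatingProcessSHA256 is usually empty, and treats the self-reported version-info company name as a triage hint only. It assumes that for WriteToLsassProcessMemory the InitiatingProcess* columns describe the process doing the writing, which the action type name implies but the page does not state.

```kql
// Added hunting query, not part of the original schema page. Uses only columns
// listed in the schema table. Assumption: for WriteToLsassProcessMemory the
// InitiatingProcess* columns describe the process doing the writing and the
// target is lsass.exe (implied by the action type name).
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("WriteToLsassProcessMemory",
                       "AsrLsassCredentialTheftAudited",
                       "AsrLsassCredentialTheftBlocked",
                       "AsrLsassCredentialTheftWarnBypassed")
// ReportId is a repeating counter, so it is only unique together with
// DeviceName and Timestamp; collapse any duplicated rows on that key.
| summarize take_any(*) by DeviceName, Timestamp, ReportId
| extend Outcome = case(ActionType endswith "Blocked",      "blocked",
                        ActionType endswith "Audited",      "audited",
                        ActionType endswith "WarnBypassed", "user_bypassed",
                        "memory_write_observed")
// SHA-1 is the reliable hash here: InitiatingProcessSHA256 is usually empty.
// CompanyName comes from the PE version resource. It is self-reported and
// trivially forged, so it is a triage hint, never an exclusion on its own.
| summarize Events        = count(),
            Devices       = dcount(DeviceId),
            Outcomes      = make_set(Outcome),
            Accounts      = make_set(InitiatingProcessAccountName, 10),
            FirstSeen     = min(Timestamp),
            LastSeen      = max(Timestamp),
            SampleCmdLine = take_any(InitiatingProcessCommandLine)
          by InitiatingProcessSHA1,
             InitiatingProcessFileName,
             InitiatingProcessFolderPath,
             InitiatingProcessVersionInfoCompanyName
// Rare binaries first: a hash seen once on one device is the interesting row.
| order by Devices asc, Events asc
```

Run it in the Microsoft Defender advanced hunting query editor (or against the same table in a Microsoft Sentinel workspace; the Timestamp column is present there too). Expect legitimate rows from antivirus engines and EDR agents that open lsass.exe by design; exclude those by InitiatingProcessSHA1 and folder path, not by company name.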

### Action types

| Name | Description |
|---|---|
| AccountCheckedForBlankPassword | An account was checked for a blank password. |
| AntivirusDefinitionsUpdated | Security intelligence updates for Microsoft Defender Antivirus were applied successfully. |
| AntivirusDefinitionsUpdateFailed | Security intelligence updates for Microsoft Defender Antivirus were not applied. |
| AntivirusDetection | Microsoft Defender Antivirus detected a threat. |
| AntivirusEmergencyUpdatesInstalled | Emergency security intelligence updates for Microsoft Defender Antivirus were applied. |
| AntivirusError | Microsoft Defender Antivirus encountered an error while taking action on malware or a potentially unwanted application. |
| AntivirusMalwareActionFailed | Microsoft Defender Antivirus attempted to take action on malware or a potentially unwanted application, but the action failed. |
| AntivirusMalwareBlocked | Microsoft Defender Antivirus blocked files or activity involving malware, potentially unwanted applications, or suspicious behavior. |
| AntivirusReport | Microsoft Defender Antivirus reported a threat, which can be a memory, boot sector, or rootkit threat. |
| AntivirusScanCancelled | A Microsoft Defender Antivirus scan was cancelled. |
| AntivirusScanCompleted | A Microsoft Defender Antivirus scan completed successfully. |
| AntivirusScanFailed | A Microsoft Defender Antivirus scan did not complete successfully. |
| AntivirusTroubleshootModeEvent | The troubleshooting mode in Microsoft Defender Antivirus was used. |
| AppControlAppInstallationAudited | Application control detected the installation of an untrusted app. |
| AppControlAppInstallationBlocked | Application control blocked the installation of an untrusted app. |
| AppControlCIScriptAudited | A script or MSI file generated by Windows LockDown Policy was audited. |
| AppControlCIScriptBlocked | A script or MSI file generated by Windows LockDown Policy was blocked. |
| AppControlCodeIntegrityDriverRevoked | Application control found a driver with a revoked certificate. |
| AppControlCodeIntegrityImageAudited | Application control detected an executable file that violated code integrity policies. |
| AppControlCodeIntegrityImageRevoked | Application control found an executable file with a revoked certificate. |
| AppControlCodeIntegrityOriginAllowed | Application control allowed a file because of its good reputation (ISG) or installation source (managed installer). |
| AppControlCodeIntegrityOriginAudited | Application control would have blocked a file because of its bad reputation (ISG) or installation source (managed installer) if the policy had been enforced. |
| AppControlCodeIntegrityOriginBlocked | Application control blocked a file because of its bad reputation (ISG) or installation source (managed installer). |
| AppControlCodeIntegrityPolicyAudited | Application control detected a code integrity policy violation. |
| AppControlCodeIntegrityPolicyBlocked | Application control blocked a code integrity policy violation. |
| AppControlCodeIntegrityPolicyLoaded | An application control code integrity policy was loaded. |
| AppControlCodeIntegritySigningInformation | Application control signing information was generated. |
| AppControlExecutableAudited | Application control detected the use of an untrusted executable. |
| AppControlExecutableBlocked | Application control blocked the use of an untrusted executable. |
| AppControlPackagedAppAudited | Application control detected the use of an untrusted packaged app. |
| AppControlPackagedAppBlocked | Application control blocked the installation of an untrusted packaged app. |
| AppControlPolicyApplied | An application control policy was applied to the device. |
| AppControlScriptAudited | Application control detected the use of an untrusted script. |
| AppControlScriptBlocked | Application control blocked the use of an untrusted script. |
| AppGuardBrowseToUrl | A URL was accessed from within an Application Guard container. |
| AppGuardCreateContainer | Application Guard initiated an isolated container. |
| AppGuardLaunchedWithUrl | The opening of an untrusted URL initiated an Application Guard container. |
| AppGuardResumeContainer | Application Guard resumed an isolated container from a suspended state. |
| AppGuardStopContainer | Application Guard stopped an isolated container. |
| AppGuardSuspendContainer | Application Guard suspended an isolated container. |
| AppLockerBlockExecutable | AppLocker prevented an untrusted executable from running. |
| AppLockerBlockPackagedApp | AppLocker prevented an untrusted packaged app from running. |
| AppLockerBlockPackagedAppInstallation | AppLocker prevented the installation of an untrusted packaged app. |
| AppLockerBlockScript | AppLocker prevented an untrusted script from running. |
| AsrAbusedSystemToolAudited | An attack surface reduction rule detected use of a copied or impersonated system tool. |
| AsrAbusedSystemToolBlocked | An attack surface reduction rule blocked use of a copied or impersonated system tool. |
| AsrAbusedSystemToolWarnBypassed | A user bypassed the warning from the "Block use of a copied or impersonated system tools" rule, which was running in warn mode. |
| AsrAdobeReaderChildProcessAudited | An attack surface reduction rule detected Adobe Reader creating a child process. |
| AsrAdobeReaderChildProcessBlocked | An attack surface reduction rule blocked Adobe Reader from creating a child process. |
| AsrAdobeReaderChildProcessWarnBypassed | A user bypassed the warning from the "Block Adobe Reader from creating child processes" rule, which was running in warn mode. |
| AsrExecutableEmailContentAudited | An attack surface reduction rule detected the launch of executable content from an email client or webmail. |
| AsrExecutableEmailContentBlocked | An attack surface reduction rule blocked executable content from an email client or webmail. |
| AsrExecutableEmailContentWarnBypassed | A user bypassed the warning from the "Block launching of executable content from email attachment" rule, which was running in warn mode. |
| AsrExecutableOfficeContentAudited | An attack surface reduction rule detected an Office application creating executable content. |
| AsrExecutableOfficeContentBlocked | An attack surface reduction rule blocked an Office application from creating executable content. |
| AsrExecutableOfficeContentWarnBypassed | A user bypassed the warning from the "Block Office applications from creating executable content" rule, which was running in warn mode. |
| AsrLsassCredentialTheftAudited | An attack surface reduction rule detected possible credential theft from lsass.exe. |
| AsrLsassCredentialTheftBlocked | An attack surface reduction rule blocked possible credential theft from lsass.exe. |
| AsrLsassCredentialTheftWarnBypassed | A user bypassed the warning from the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule, which was running in warn mode. |
| AsrObfuscatedScriptAudited | An attack surface reduction rule detected the execution of scripts that appear obfuscated. |
| AsrObfuscatedScriptBlocked | An attack surface reduction rule blocked the execution of scripts that appear obfuscated. |
| AsrObfuscatedScriptWarnBypassed | A user bypassed the warning from the "Block execution of potentially obfuscated scripts" rule, which was running in warn mode. |
| AsrOfficeChildProcessAudited | An attack surface reduction rule detected an Office application spawning a child process. |
| AsrOfficeChildProcessBlocked | An attack surface reduction rule blocked an Office application from creating child processes. |
| AsrOfficeChildProcessWarnBypassed | A user bypassed the warning from the "Block all Office applications from creating child processes" rule, which was running in warn mode. |
| AsrOfficeCommAppChildProcessAudited | An attack surface reduction rule detected an Office communication app attempting to spawn a child process. |
| AsrOfficeCommAppChildProcessBlocked | An attack surface reduction rule blocked an Office communication app from spawning a child process. |
| AsrOfficeCommAppChildProcessWarnBypassed | A user bypassed the warning from the "Block Office communication application from creating child processes" rule, which was running in warn mode. |
| AsrOfficeMacroWin32ApiCallsAudited | An attack surface reduction rule detected Win32 API calls from Office macros. |
| AsrOfficeMacroWin32ApiCallsBlocked | An attack surface reduction rule blocked Win32 API calls from Office macros. |
| AsrOfficeMacroWin32ApiCallsWarnBypassed | A user bypassed the warning from the "Block Win32 API calls from Office macro" rule, which was running in warn mode. |
| AsrOfficeProcessInjectionAudited | An attack surface reduction rule detected an Office application injecting code into other processes. |
| AsrOfficeProcessInjectionBlocked | An attack surface reduction rule blocked an Office application from injecting code into other processes. |
| AsrOfficeProcessInjectionWarnBypassed | A user bypassed the warning from the "Block Office applications from injecting code into other processes" rule, which was running in warn mode. |
| AsrPersistenceThroughWmiAudited | An attack surface reduction rule detected an attempt to establish persistence through a WMI event subscription. |
| AsrPersistenceThroughWmiBlocked | An attack surface reduction rule blocked an attempt to establish persistence through a WMI event subscription. |
| AsrPersistenceThroughWmiWarnBypassed | A user bypassed the warning from the "Block persistence through WMI event subscription" rule, which was running in warn mode. |
| AsrPsexecWmiChildProcessAudited | An attack surface reduction rule detected the use of PsExec or WMI commands to spawn a child process. |
| AsrPsexecWmiChildProcessBlocked | An attack surface reduction rule blocked the use of PsExec or WMI commands to spawn a child process. |
| AsrPsexecWmiChildProcessWarnBypassed | A user bypassed the warning from the "Block process creations originating from PsExec and WMI commands" rule, which was running in warn mode. |
| AsrRansomwareAudited | An attack surface reduction rule detected ransomware activity. |
| AsrRansomwareBlocked | An attack surface reduction rule blocked ransomware activity. |
| AsrRansomwareWarnBypassed | A user bypassed the warning from the "Use advanced protection against ransomware" rule, which was running in warn mode. |
| AsrSafeModeRebootAudited | An attack surface reduction rule detected a configuration attempt to reboot the device into Safe Mode. |
| AsrSafeModeRebootBlocked | An attack surface reduction rule blocked a configuration attempt to reboot the device into Safe Mode. |
| AsrSafeModeRebootWarnBypassed | A user bypassed the warning from the "Block rebooting machine in Safe Mode" rule, which was running in warn mode. |
| AsrScriptExecutableDownloadAudited | An attack surface reduction rule detected JavaScript or VBScript code launching downloaded executable content. |
| AsrScriptExecutableDownloadBlocked | An attack surface reduction rule blocked JavaScript or VBScript code from launching downloaded executable content. |
| AsrScriptExecutableDownloadWarnBypassed | A user bypassed the warning from the "Block JavaScript or VBScript from launching downloaded executable content" rule, which was running in warn mode. |
| AsrUntrustedExecutableAudited | An attack surface reduction rule detected the execution of an untrusted file that does not meet the criteria for age or prevalence. |
| AsrUntrustedExecutableBlocked | An attack surface reduction rule blocked the execution of an untrusted file that does not meet the criteria for age or prevalence. |
| AsrUntrustedExecutableWarnBypassed | A user bypassed the warning from the "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule, which was running in warn mode. |
| AsrUntrustedUsbProcessAudited | An attack surface reduction rule detected the execution of an untrusted and unsigned process from a USB device. |
| AsrUntrustedUsbProcessBlocked | An attack surface reduction rule blocked the execution of an untrusted and unsigned process from a USB device. |
| AsrUntrustedUsbProcessWarnBypassed | A user bypassed the warning from the "Block untrusted and unsigned processes that run from USB" rule, which was running in warn mode. |
| AsrVulnerableSignedDriverAudited | An attack surface reduction rule detected a signed driver that has known vulnerabilities. |
| AsrVulnerableSignedDriverBlocked | An attack surface reduction rule blocked a signed driver that has known vulnerabilities. |
| AsrVulnerableSignedDriverWarnBypassed | A user bypassed the warning from the "Block abuse of in-the-wild exploited vulnerable signed drivers" rule, which was running in warn mode. |
| AsrWebShellOnServerAudited | An attack surface reduction rule detected the creation of a web shell on a Windows Server machine. |
| AsrWebShellOnServerBlocked | An attack surface reduction rule blocked web shell creation activity on a Windows Server machine. |
| AsrWebShellWarnBypassed | A user bypassed the warning from the "Block Webshell creation for Servers" rule, which was running in warn mode. |
| AuditPolicyModification | The Windows audit policy, which determines which events are written to the event log, was changed. |
| BitLockerAuditCompleted | An audit for BitLocker encryption was completed. |
| BluetoothPolicyTriggered | A Bluetooth service activity was allowed or blocked by a device control policy. |
| BrowserLaunchedToOpenUrl | A web browser opened a URL that originated as a link in another application. |
| BruteForceActivityDetected | Brute-force sign-in attempts were detected by Microsoft Defender for Endpoint. |
| ControlFlowGuardViolation | Control Flow Guard terminated an application after detecting an invalid function call. |
| ControlledFolderAccessViolationAudited | Controlled folder access detected an attempt to modify a protected folder. |
| ControlledFolderAccessViolationBlocked | Controlled folder access blocked an attempt to modify a protected folder. |
| CreateRemoteThreadApiCall | A thread that runs in the virtual address space of another process was created. |
| CredentialsBackup | The backup feature in Credential Manager was initiated. |
| DeviceBootAttestationInfo | System Guard generated a boot-time attestation report. |
| DirectoryServiceObjectCreated | An object was added to the directory service. |
| DirectoryServiceObjectModified | An object in the directory service was modified. |
| DnsQueryResponse | A response to a DNS query was sent. |
| DpapiAccessed | Saved sensitive data encrypted with DPAPI was decrypted. |
| DriverLoad | A driver was loaded. |
| ExploitGuardAcgAudited | Arbitrary code guard (ACG) in exploit protection detected an attempt to modify code page permissions or create unsigned code pages. |
| ExploitGuardAcgEnforced | Arbitrary code guard (ACG) in exploit protection blocked an attempt to modify code page permissions or create unsigned code pages. |
| ExploitGuardChildProcessAudited | Exploit protection detected the creation of a child process. |
| ExploitGuardChildProcessBlocked | Exploit protection blocked the creation of a child process. |
| ExploitGuardEafViolationAudited | Export address filtering (EAF) in exploit protection detected possible exploitation activity. |
| ExploitGuardEafViolationBlocked | Export address filtering (EAF) in exploit protection blocked possible exploitation activity. |
| ExploitGuardIafViolationAudited | Import address filtering (IAF) in exploit protection detected possible exploitation activity. |
| ExploitGuardIafViolationBlocked | Import address filtering (IAF) in exploit protection blocked possible exploitation activity. |
| ExploitGuardLowIntegrityImageAudited | Exploit protection detected the launch of a process from a low-integrity file. |
| ExploitGuardLowIntegrityImageBlocked | Exploit protection blocked the launch of a process from a low-integrity file. |
| ExploitGuardNetworkProtectionAudited | Network protection detected an attempt to access a malicious or unwanted IP address, domain, or URL. |
| ExploitGuardNetworkProtectionBlocked | Network protection blocked access to a malicious or unwanted IP address, domain, or URL. |
| ExploitGuardNonMicrosoftSignedAudited | Exploit protection detected the launch of a process from an image file that is not signed by Microsoft. |
| ExploitGuardNonMicrosoftSignedBlocked | Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft. |
| ExploitGuardRopExploitAudited | Exploit protection detected possible return-oriented programming (ROP) exploitation. |
| ExploitGuardRopExploitBlocked | Exploit protection blocked possible return-oriented programming (ROP) exploitation. |
| ExploitGuardSharedBinaryAudited | Exploit protection detected the launch of a process from a file on a remote share. |
| ExploitGuardSharedBinaryBlocked | Exploit protection blocked the launch of a process from a file on a remote share. |
| ExploitGuardWin32SystemCallAudited | Exploit protection detected a call to the Windows system API. |
| ExploitGuardWin32SystemCallBlocked | Exploit protection blocked a call to the Windows system API. |
| FileTimestampModificationEvent | File timestamp information was modified. |
| FirewallInboundConnectionBlocked | A firewall or another application blocked an inbound connection using the Windows Filtering Platform. |
| FirewallInboundConnectionToAppBlocked | The firewall blocked an inbound connection to an app. |
| FirewallOutboundConnectionBlocked | A firewall or another application blocked an outbound connection using the Windows Filtering Platform. |
| FirewallServiceStopped | The firewall service was stopped. |
| GetAsyncKeyStateApiCall | The GetAsyncKeyState function was called. This function can be used to obtain the states of input keys and buttons. |
| GetClipboardData | The GetClipboardData function was called. This function can be used to obtain the contents of the system clipboard. |
| LdapSearch | An LDAP search was performed. |
| LogonRightsSettingEnabled | Interactive logon rights on the machine were granted to a user. |
| MemoryRemoteProtect | A process modified the protection mask of a memory region used by another process. This might allow execution of content from non-executable memory. |
| NamedPipeEvent | A named pipe was created or opened. |
| NetworkProtectionUserBypassEvent | A user bypassed network protection and accessed a blocked IP address, domain, or URL. |
| NetworkShareObjectAccessChecked | A request was made to access a file or folder shared on the network, and permissions to the share were evaluated. |
| NetworkShareObjectAdded | A file or folder was shared on the network. |
| NetworkShareObjectDeleted | A file or folder shared on the network was deleted. |
| NetworkShareObjectModified | A file or folder shared on the network was modified. |
| NtAllocateVirtualMemoryApiCall | Memory was allocated for a process. |
| NtAllocateVirtualMemoryRemoteApiCall | Memory was allocated in a process by another process. |
| NtMapViewOfSectionRemoteApiCall | A section was mapped into the address space of another process by calling the function NtMapViewOfSection. |
| NtProtectVirtualMemoryApiCall | The protection attributes of allocated memory were modified. |
| OpenProcessApiCall | The OpenProcess function was called, indicating an attempt to open a handle to a local process and potentially manipulate that process. |
| PasswordChangeAttempt | An attempt to change a user password was made. |
| PlistPropertyModified | A property in a macOS property list (plist) file was modified. |
| PnpDeviceAllowed | Device control allowed a trusted plug and play (PnP) device. |
| PnpDeviceBlocked | Device control blocked an untrusted plug and play (PnP) device. |
| PnpDeviceConnected | A plug and play (PnP) device was attached. |
| PowerShellCommand | A PowerShell alias, function, filter, cmdlet, external script, application, script, workflow, or configuration was executed from a PowerShell host process. |
| PrintJobBlocked | Device control prevented an untrusted printer from printing. |
| ProcessCreatedUsingWmiQuery | A process was created using Windows Management Instrumentation (WMI). |
| ProcessPrimaryTokenModified | A process's primary token was modified. |
| PTraceDetected | A process trace (ptrace) was found to have occurred on this device. |
| QueueUserApcRemoteApiCall | An asynchronous procedure call (APC) was scheduled to execute in a user-mode thread of another process. |
| ReadProcessMemoryApiCall | The ReadProcessMemory function was called, indicating that a process read data from the memory of another process. |
| RemoteDesktopConnection | A Remote Desktop connection was established. |
| RemoteWmiOperation | A Windows Management Instrumentation (WMI) operation was initiated from a remote device. |
| RemovableStorageFileEvent | Removable storage file activity matched a device control removable storage access control policy. |
| RemovableStoragePolicyTriggered | Device control detected an attempted read, write, or execute event on a removable storage device. |
| SafeDocFileScan | A document was sent to the cloud for analysis while in Protected View. |
| ScheduledTaskCreated | A scheduled task was created. |
| ScheduledTaskDeleted | A scheduled task was deleted. |
| ScheduledTaskDisabled | A scheduled task was disabled. |
| ScheduledTaskEnabled | A scheduled task was enabled. |
| ScheduledTaskUpdated | A scheduled task was updated. |
| ScreenshotTaken | A screenshot was taken. |
| SecurityGroupCreated | A security group was created. |
| SecurityGroupDeleted | A security group was deleted. |
| SecurityLogCleared | The security log was cleared. |
| SensitiveFileRead | A file that matched a DLP policy was accessed, or a process read a sensitive file such as an SSH key or an Outlook mail archive. |
| ServiceInstalled | A service was installed. This is based on Windows event ID 4697, which requires the advanced security audit setting Audit Security System Extension. |
| SetThreadContextRemoteApiCall | The context of a thread in another process was set by a user-mode process. |
| ShellLinkCreateFileEvent | A specially crafted shortcut file (.lnk) was generated. The link file contains unusual attributes that might launch malicious code along with a legitimate file or application. |
| SmartScreenAppWarning | SmartScreen warned about running a downloaded application that is untrusted or malicious. |
| SmartScreenExploitWarning | SmartScreen warned about opening a web page that contains an exploit. |
| SmartScreenUrlWarning | SmartScreen warned about opening a low-reputation URL that might be hosting malware or be a phishing site. |
| SmartScreenUserOverride | A user overrode a SmartScreen warning and continued to open an untrusted app or a low-reputation URL. |
| TamperingAttempt | An attempt to change Microsoft Defender XDR settings was made. |
| UntrustedWifiConnection | A connection was established to an open Wi-Fi access point that is set to connect automatically. |
| UsbDriveDriveLetterChanged | The drive letter assigned to a mounted USB storage device was modified. |
| UsbDriveMounted | A USB storage device was mounted as a drive. |
| UsbDriveUnmounted | A USB storage device was unmounted. |
| UserAccountAddedToLocalGroup | A user was added to a security-enabled local group. |
| UserAccountCreated | A local SAM account or a domain account was created. |
| UserAccountDeleted | A user account was deleted. |
| UserAccountModified | A user account was modified. |
| UserAccountRemovedFromLocalGroup | A user was removed from a security-enabled local group. |
| WmiBindEventFilterToConsumer | A filter for WMI events was bound to a consumer. This enables listening for all kinds of system events and triggering corresponding actions, including potentially malicious ones. |
| WriteToLsassProcessMemory | The WriteProcessMemory function was called, indicating that a process wrote data into the memory of another process, in this case lsass.exe. |
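
The attack surface reduction action types above follow a fixed naming convention, Asr<Rule> followed by Audited, Blocked, or WarnBypassed, which makes the table itself a way to measure ASR posture: a rule that only ever produces Audited events is not blocking anything, and WarnBypassed events name the users who clicked through a warning. The query below is an added example, not part of the original page; it derives rule and outcome purely from the ActionType names listed in this table and assumes nothing about the keys inside AdditionalFields. It also folds the inconsistently named AsrWebShellWarnBypassed into the AsrWebShellOnServer* rule.

```kql
// Added example, not part of the original page. Rule and outcome are parsed
// from the ActionType naming convention (Asr<Rule>Audited|Blocked|WarnBypassed);
// no AdditionalFields keys are assumed.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
| extend Rule    = extract(@"^Asr(.+?)(Audited|Blocked|WarnBypassed)$", 1, ActionType),
         Outcome = extract(@"^Asr(.+?)(Audited|Blocked|WarnBypassed)$", 2, ActionType)
| where isnotempty(Rule)
// The web shell rule is spelled two ways in the action type list
// (AsrWebShellOnServer* vs AsrWebShellWarnBypassed); fold them together.
| extend Rule = iff(Rule == "WebShell", "WebShellOnServer", Rule)
// Per-rule counts by outcome, plus who bypassed a warn prompt and what ran.
| summarize Audited      = countif(Outcome == "Audited"),
            Blocked      = countif(Outcome == "Blocked"),
            WarnBypassed = countif(Outcome == "WarnBypassed"),
            Devices      = dcount(DeviceId),
            BypassUsers  = make_set_if(InitiatingProcessAccountName, Outcome == "WarnBypassed", 10),
            BypassFiles  = make_set_if(FileName, Outcome == "WarnBypassed", 10)
          by Rule
// A rule that fired only in audit mode during the window is not protecting
// anything yet; a rule with bypasses is in warn mode and users are clicking through.
| extend Posture = case(Blocked == 0 and WarnBypassed == 0, "audit-only",
                        WarnBypassed > 0,                    "warn-mode, bypassed",
                        "block-or-warn")
| order by Posture asc, Audited desc
```

Two caveats when reading the result: a rule that never fired in the window does not appear at all, so absence is not evidence that it is enforced, and a rule in warn mode that nobody bypassed is indistinguishable here from one in block mode; confirm the configured mode from device configuration rather than from this event table alone.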

### Schema changes

| Date | Action |
|---|---|
| 2024-10-18 | Table added to tracking |