System

DRIVER_CHANGE Generated when a Driver is changed. Platforms: { "PROCESS_ID": 0, "SVC_DISPLAY_NAME": "HbsAcq", "SVC_NAME": "HbsAcq", "SVC_STATE": 1, "SVC_TYPE": 1, "TIMESTAMP": 1517377895873 }

FILE_CREATE Generated when a file is created. Platforms: { "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01tmp.log", "TIMESTAMP": 1468335271948 } FILE_DELETE Generated when a file is delete...

DNS_REQUEST Generated from DNS responses and therefore includes both the requested domain and the response from the server. If the server responds with multiple responses (as allowed by the DNS protocol) the N answers will become N DNS_REQUEST eve...

CODE_IDENTITY Unique combinations of file hash and file path. Event is emitted the first time the combination is seen, but only when the binary is executed or loaded. Therefore it's a great event to look for hashes without being overwhelmed by pro...

General references on the Windows registry are available here and here . LimaCharlie's EDR Sensor observes the Windows Registry from kernel-mode. Registry hive naming conventions are specific to the operating system version, but may also have a...

AUTORUN_CHANGE Generated when an Autorun is changed. Platforms: SERVICE_CHANGE Generated when a Service is changed. Platforms: { "PROCESS_ID": 0, "SVC_TYPE": 32, "DLL": "%SystemRoot%\\system32\\wlidsvc.dll", "S...

USER_OBSERVED Generated the first time a user is observed on a host. Platforms: { "TIMESTAMP": 1479241363009, "USER_NAME": "root" }

VOLUME_MOUNT This event is generated when a volume is mounted. Platforms: { "VOLUME_PATH": "E:", "DEVICE_NAME": "\\Device\\HarddiskVolume3" } VOLUME_UNMOUNT This event is generated when a volume is unmounted. Plat...