The following table lists the Windows telemetry monitored and collected by the endpoint
agent.
For information about eventId and eventSubId mapping for the Search app, see eventId and eventSubId mapping.
| Category | Sub-category | Details |
|---|---|---|
| PROCESS ACTIVITY | Process Creation | Collected through standard settings |
| | Process Termination | Requires enabling hypersensitive mode |
| | Process Access | Collected through standard settings |
| | Image/Library Loaded | Collected through standard settings |
| | Remote Thread Creation | Collected through standard settings |
| | Process Tampering Activity | Collected through standard settings |
| FILE MANIPULATION | File Creation | Collected through standard settings |
| | File Opened | Requires enabling hypersensitive mode |
| | File Deletion | Requires enabling hypersensitive mode |
| | File Modification | Collected through standard settings |
| | File Renaming | Collected through standard settings |
| USER ACCOUNT ACTIVITY | Local Account Creation | Requires enabling hypersensitive mode. Collected via Windows Event ID 4720 (Security log). |
| | Local Account Modification | Requires enabling hypersensitive mode. Collected via Windows Event ID 4738 (Security log). |
| | Local Account Deletion | Requires enabling hypersensitive mode |
| | Account Login | Collected via Windows event logs: Event ID 4624 (Security log). |
| | Account Logoff | Collected via Windows event logs: Event ID 4634 (Security log). |
| NETWORK ACTIVITY | TCP Connection | Collected through standard settings |
| | UDP Connection | Collected through standard settings |
| | URL | Collected through standard settings |
| | DNS Query | Collected through standard settings |
| | File Downloaded | Collected through standard settings |
| HASH ALGORITHMS | MD5 | Collected through standard settings |
| | SHA | Collected through standard settings |
| REGISTRY ACTIVITY | Key/Value Creation | Collected through standard settings |
| | Key/Value Modification | Collected through standard settings |
| | Key/Value Deletion | Collected through standard settings |
| SCHEDULED TASK ACTIVITY | Scheduled Task Creation | Requires enabling hypersensitive mode. Collected via Windows event logs: Event ID 4698 (Security log). |
| | Scheduled Task Modification | Requires enabling hypersensitive mode. Collected via Windows event logs: Event ID 4702 (Security log). |
| | Scheduled Task Deletion | Requires enabling hypersensitive mode. Collected via Windows event logs: Event ID 4699 (Security log). |
| SERVICE ACTIVITY | Service Creation | Requires enabling hypersensitive mode. Collected via Windows event logs: Event ID 4697 (Security log) or 7045 (System log). |
| | Service Modification | Requires enabling hypersensitive mode. Collected via Windows event logs. Only Start Type changes are collected, via Event ID 7040 (System log). |
| DRIVER/MODULE ACTIVITY | Driver Loaded | Requires enabling hypersensitive mode |
| NAMED PIPE ACTIVITY | Pipe Creation | Requires enabling hypersensitive mode |
| | Pipe Connection | Requires enabling hypersensitive mode |
| WMI ACTIVITY | WmiEventConsumerToFilter | Collected via Windows event logs: Event ID 5861 (Microsoft-Windows-WMI-Activity/Operational). |
| | WmiEventConsumer | Collected via Windows event logs: Event ID 5861 (Microsoft-Windows-WMI-Activity/Operational). |
| | WmiEventFilter | Collected via Windows event logs: Event ID 5861 (Microsoft-Windows-WMI-Activity/Operational). |
| BITS JOBS ACTIVITY | BITS Jobs Activity | Collected via Windows event logs. Only creation of a new BITS job is collected, via Event ID 3 (Microsoft-Windows-Bits-Client/Operational). |
| POWERSHELL ACTIVITY | Script-Block Activity | Collected through standard settings |

Note: rows marked "Collected via Windows event logs" depend on the host actually writing those events. The Security-log IDs above are only generated when the corresponding audit subcategories (Logon, Logoff, User Account Management, Other Object Access Events, Security System Extension) are enabled in the local or domain audit policy; the System, WMI-Activity and Bits-Client channels write their events without extra audit configuration. Hypersensitive mode increases telemetry volume and should be enabled on a test group before broad rollout.
