Defender Telemetry
Telemetry generated by Windows Defender about its internals.
An event is relevant if we can correlate it with our attack process, either through a PID or through some kind of filename or file path, or if the event name sounds interesting.
This list is from ETW Explorer v0.3 (2019) on a Windows 11 Pro system.
Microsoft-Antimalware-AMFilter
GUID: {cfeb0608-330e-4410-b00d-56d8da9986e6}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| AMFilter_CacheFlush | n/a | |
| AMFilter_CacheRemove | File_ID | |
| AMFilter_CacheHit | File_ID | |
| AMFilter_CacheMiss | File_ID | |
| AMFilter_CacheAdd | File_ID | |
| AMFilter_SeqReadFlag | n/a | |
| AMFilter_TrustedProcess | Pid, Reason, Trusted, TotalTrusted, TotalUntrusted, Path | Y |
| AMFilter_ProcessContext | Pid, Reason, Flags, ProcessFilterFlags, ProcessName, VmHardenType, ExemptVmHardenedTypes | Y |
| AMFilter_FileScan | FileName, Reason, IoStatusBlockForNewFile | Y |
| AMFilter_DeleteStreamContext | File_ID | |
| AMFilter_FileScanResult | FileName, Reason, ScanStatus, State, ScanAttributes, FileId, USN | Y |
Microsoft-Antimalware-Engine
GUID: {0a002690-3839-4e3a-b3b6-96d8df868d99}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| ScanrequestStart_V1 | Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadTime | |
| ScanrequestStart_V2 | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadTime | |
| ScanrequestStop_V1 | Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadTime | |
| ScanrequestStop_V2 | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadTime | |
| ScanrequestStop_V3 | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadTime, StartQPC | |
| Message | Message | |
| Versions | EngineVersion, AVVersion, ASVersion | |
| StreamscanrequestStart_V1 | Id, Path, Process, Reason, ThreadTime, PID | y |
| StreamscanrequestStop_V1 | Id, Path, Process, Reason, ThreadTime, PID | y |
| Skippedfile | Path, Reason | |
| BehaviorMonitoringBmDetection | PID, GUID, Type, Name, SignatureId, ImagePath | y |
| BehaviorMonitoringBmProcessStart | PID, PPID, ImagePath, Flags | y |
| BehaviorMonitoringBmDriverLoad | PID, ImagePath | y |
| BehaviorMonitoringBmModuleLoad | PID, ImagePath | y |
| BehaviorMonitoringBmDocumentOpen | PID, ImageName, FileName | y |
| BehaviorMonitoringBmFileCreate | PID, FileName | y |
| BehaviorMonitoringBmFileChange | PID, FileName | y |
| BehaviorMonitoringBmFileDelete | PID, FileName | y |
| BehaviorMonitoringBmFileRename | PID, FileName, OldFileName | y |
| BehaviorMonitoringBmRegistryKeyCreate | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryKeyRename | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryKeyDelete | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryValueSet | PID, KeyPath, ValueName | y |
| BehaviorMonitoringBmRegistryValueDelete | PID, KeyPath, ValueName | y |
| BehaviorMonitoringBmNetworkConnect | PID | y |
| BehaviorMonitoringBmNetworkData | PID | y |
| BehaviorMonitoringBmNetworkListen | PID | y |
| BehaviorMonitoringBmNetworkAccept | PID | y |
| BehaviorMonitoringBmProcessTerminate | PID | y |
| BehaviorMonitoringBmNetworkDetection | PID, DetectionId | y |
| BehaviorMonitoringBmBootRecordChange | PID, RecordType, ImagePath, Path | y |
| BehaviorMonitoringBmRemoteThreadCreate | PID, TPID, TTID, ImageName | y |
| MessageUfsScanStart_V1 | FilePath, ThreadTime | y |
| UfsScanFileTaskStart_V2 | EngineId, FilePath, ThreadTime | y |
| MessageUfsScanStop_V1 | FilePath, ThreadTime | y |
| UfsScanFileTaskStop_V2 | EngineId, FilePath, ThreadTime | y |
| UfsScanFileTaskStop_V3 | EngineId, FilePath, ThreadTime, StartQPC | y |
| MessageUfsScanStart32_V1 | FilePath, PID, ThreadTime | y |
| UfsScanProcTaskStart_V2 | EngineId, FilePath, PID, ThreadTime | y |
| MessageUfsScanStop33_V1 | FilePath, PID, ThreadTime | y |
| UfsScanProcTaskStop_V2 | EngineId, FilePath, PID, ThreadTime | y |
| UfsScanProcTaskStop_V3 | EngineId, FilePath, PID, ThreadTime, StartQPC | y |
| CacheMOACAdd | ScanSource, EventType, Classification, Info, FileName, FileID, FileUSN, Result | y |
| CacheMOACLookup | ScanSource, EventType, Classification, Info, FileName, FileID, FileUSN, Result | y |
| CacheMOACRevoke | ScanSource, EventType, Classification, Info, FileName, FileID, FileUSN, Result | y |
| CacheCacheLookup | FileName, CacheName, Result | y |
| CacheCacheAdd | FileName, CacheName, Result | y |
| PersistedStoreTaskPersistedStoreAction | action, key, filename, result | y |
| PersistedStoreTaskPersistedStoreMaintenance | utilization, result | |
| PersistedStoreTaskPersistedStoreAnalyzeFile | key, filename, parentKey, result | y |
| ExpensiveOperationTaskExpensiveOperationBegin_V1 | Message, Name, Data, StartStop, ThreadTime | |
| MetaStoreTaskMetaStoreAction | action, vault, key, result | |
| MetaStoreTaskMetaStoreMaintenance | vault, records, result | |
| BehaviorMonitoringBmRegistryBlockSet | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryBlockDelete | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryBlockRename | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryReplace | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryRestore | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryBlockReplace | PID, KeyPath | y |
| BehaviorMonitoringBmRegistryBlockRestore | PID, KeyPath | y |
| BehaviorMonitoringBmOpenProcess | PID, TargetPID, AccessMask, WasHardened | y |
| BehaviorMonitoringBmRegistryBlockCreate | PID, KeyPath | y |
| Message59 | VName, SigSeq, SigSha, Result | |
| BehaviorMonitoringBmEtw | PID, Channel, EventId | y |
| BehaviorMonitoringBmFolderCreate | PID, FolderName | y |
| BehaviorMonitoringBmScavengerTask | Count | |
| BehaviorMonitoringBmProcessTainting | TaintReason, ReasonImagePath, ProcessImagePath | y |
| BehaviorMonitoringBmFolderRename | PID, FileName, OldFileName | y |
| BehaviorMonitoringBmFolderEnum | PID, FolderName | y |
| BehaviorMonitoringBmFileHardLink | PID, FileName, FileHardLinkName | y |
| ExpensiveOperationTaskExpensiveOperationEnd_V1 | Message, Name, Data, StartStop, ThreadTime, DeltaCPU, DeltaWall | y |
| Message68 | SigName, SigSeq, SigSha, SigTypeName, Time, Limit, FileName, VPath, FileSha1, PartialCRC1, PartialCRC2, PartialCRC3, FileSize | y |
| Message68_V1 | SigName, SigSeq, SigSha, SigTypeName, Dimension, Value, Limit, FileName, VPath, FileSha1, PartialCRC1, PartialCRC2, PartialCRC3, FileSize | y |
| Message69 | Guid, VolumeSize, Attributes, FilesCount, FileGuidsArray, FileSizeArray, CompressedFileSizeArray, FileNameArray, FileAttributesArray, EfiFileTypeArray, FileSha1Array, SmbiosAttributes | y |
| Message69_V1 | Guid, VolumeSize, Attributes, FilesCount, FileGuidsArray, FileSizeArray, CompressedFileSizeArray, FileNameArray, FileAttributesArray, EfiFileTypeArray, FileSha1Array, SmbiosAttributes, FileCRCsArray | y |
| BehaviorMonitoringBmProcessCreate | BasePath, CommandLine, PID, ParentPID, Flags, IntegrityLevel | y |
| BehaviorMonitoringBmFileCreateEx | PID, FileName | y |
| BehaviorMonitoringBmFileChangeEx | PID, FileName | y |
| BehaviorMonitoringProcessMonitorFlags | PID, filepath, flags, flags2low, flags2high | y |
| BehaviorMonitoringProcessMonitorFlags_V1 | EngineId, CreationTime, PID, filepath, flags, flags2low, flags2high, oldFlags, oldFlags2low, oldFlags2high | y |
| BehaviorMonitoringProcessMonitorFlags_V2 | EngineId, CreationTime, PID, filepath, flags, flags2low, flags2high, oldFlags, oldFlags2low, oldFlags2high, Source | y |
| SenseRemediationTask | Sha1, Sha256, SigSeq, SigSha, AllSigSeqs, AllSigShas, RealPath, VPath, EtwDataReportType, ReportType, EngineReportGuid, ResourceData, ResourceSchema, Determination, ActionStatus, ProcessID, ProcessCreationTime, ProcessPath, ThreatName, Classification, IsLatent, IsPassiveMode, ScanSource, ScanType, RtpProcessID, RtpProcessCreationTime, ProcessCommandLine, ExtraDataJson | y |
| Message75 | DeviceInfo, TCGEventsArray, PCRsArray | |
| SenseHeartbeatTask | JsonData | |
| SmsScanTaskSmsRequestMonitorProcessId | ProcessId, CreationTime, Level, EffectiveLevel, TriggerSigSeq, Origin | y |
| SmsScanTaskSmsRequestMonitorFilePath | ImageFilePath, Level, EffectiveLevel, TriggerSigSeq, Origin | y |
| SmsScanTaskSmsMonitoringStart | ProcessId, CreationTime, Level, TriggerSigSeq | y |
| SmsScanTaskSmsMonitoringStop | ProcessId, CreationTime, Level, TriggerSigSeq, StopReason | y |
| SmsScanTaskSmsScanStart | ProcessId, CreationTime, ScanReason | y |
| SmsScanTaskSmsScanStop | ProcessId, CreationTime, ScanReason, ScanResult | y |
| StartRundownTaskStart | EngineId | |
| StartRundownTaskStop | EngineId | |
| EndRundownTaskStart | EngineId | |
| EndRundownTaskStop | EngineId | |
| EngineTaskStart | EngineId, EngineVersion, AVVersion, ASVersion | |
| EngineTaskStop | EngineId, EngineVersion, AVVersion, ASVersion | |
| EngineTaskDCStart | EngineId, EngineVersion, AVVersion, ASVersion | |
| EngineTaskDCStop | EngineId, EngineVersion, AVVersion, ASVersion | |
| UfsScanFileTaskDCStart | EngineId, FilePath | y |
| UfsScanFileTaskDCStart_V1 | EngineId, FilePath, ThreadId, StartQPC | y |
| UfsScanFileTaskDCStop | EngineId, FilePath | y |
| UfsScanFileTaskDCStop_V1 | EngineId, FilePath, ThreadId, StartQPC | y |
| UfsScanProcTaskDCStart | EngineId, FilePath, PID | y |
| UfsScanProcTaskDCStart_V1 | EngineId, FilePath, PID, ThreadId, StartQPC | y |
| UfsScanProcTaskDCStop | EngineId, FilePath, PID | y |
| UfsScanProcTaskDCStop_V1 | EngineId, FilePath, PID, ThreadId, StartQPC | y |
| BehaviorMonitoringBmFileOverwrite | ProcessId, CreationTime, FileName, FirstOffsetWritten, LastOffsetWritten, SmallestOffsetWritten, BiggestOffsetWritten, TotalSizeOfWrites, TotalSizeOfAppends, NumberOfWrites | y |
| SenseOnboardingInfoTask | OnboardedInfo | |
| ScanrequestDCStart | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath | |
| ScanrequestDCStart_V1 | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadId, StartQPC | |
| ScanrequestDCStop | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath | |
| ScanrequestDCStop_V1 | EngineId, Id, Type, Flags, ScanSource, ResourceCount, FirstResourceType, FirstResourcePath, ThreadId, StartQPC | |
| BehaviorMonitoringProcessMonitorFlagsDCStart | EngineId, CreationTime, PID, flags, flags2low, flags2high | y |
| BehaviorMonitoringProcessMonitorFlagsDCStop | EngineId, CreationTime, PID, flags, flags2low, flags2high | y |
| EngineLoadTaskStart | EngineId, EngineVersion, AVVersion, ASVersion | |
| EngineLoadTaskStop | EngineId, EngineVersion, AVVersion, ASVersion | |
| BehaviorMonitoringBmFileSequentialRead | PID, FileName | y |
| BehaviorMonitoringBmInternal | PID, FeatureId, FirstParam, SecondParam | y |
| BehaviorMonitoringBmRegistry | PID, EventId, KeyPath, ValueName, OldValue, NewValue, UserMode, FeatureType | y |
| BehaviorMonitoringBmInternalStateDCStart | EngineId, LiveContextCount, TotalContextCount | |
| BehaviorMonitoringBmInternalStateDCStop | EngineId, LiveContextCount, TotalContextCount | |
| SenseExclusionTask | Type, Scope, ResourceType, TargetResource, ParentResource, DetectionName, UserName | |
| BehaviorMonitoringBmProcessContextStart | PID, ProcessContextId, ImagePath | y |
| BehaviorMonitoringBmProcessContextStop | PID, ProcessContextId, TerminationTime | y |
| BehaviorMonitoringBmNotificationHandleStart | PID, AttrId, AttrSeq, AttrSubset | y |
| BehaviorMonitoringBmNotificationHandleStop | PID, AttrId, AttrSeq, AttrSubset, MatchedThreatsNumber, IsMultiProcMatch, IsMultiProcDetection | y |
| BehaviorMonitoringBmCloudCallStart | PID, DetectionName, SigSeq | y |
| BehaviorMonitoringBmCloudCallStop | PID, DetectionName, SigSeq, CloudResponse | y |
Microsoft-Antimalware-Engine-Instrumentation
GUID: {68621c25-df8d-4a6b-aabc-19a22e296a7c}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| DatadrivensignaturetaskStart_V1 | Type, Name, FileName, VPath | Y |
| DatadrivensignaturetaskStop_V1 | Type, Name, FileName, VPath | Y |
Microsoft-Antimalware-Protection
GUID: {e4b70372-261f-4c54-8fa6-a5a7914d73da}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| FastMemScanStart | DwordData | ? |
| FastMemScanStop | DwordData | ? |
| AllowedUrlExclusionCheckStart | Description | |
| AllowedUrlExclusionCheckStop | DwordData | |
| FastMemScanCacheStart | n/a | |
| FastMemScanCacheStop | DwordData | |
| MpData | Description | |
Microsoft-Antimalware-RTP
GUID: {8e92deef-5e17-413b-b927-59b2f06a3cfc}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| RTPPassthroughStart | n/a | |
| RTPPassthroughStop | n/a | |
| RTPPluginStart | n/a | |
| RTPPluginStop | n/a | |
| RTPFilterLoad | n/a | |
| RTPFilterUnload | n/a | |
| RTPSetEngine | n/a | |
| RTPFlushCache | n/a | |
| RTPScanTimeout | n/a | |
| RTPEnabled | n/a | |
| RTPDisabled | n/a | |
| RTPConfigUpdate | n/a | |
| RTPSetRegistryMonitoring | n/a | |
| RTPThreatDetection | File | |
| RTPSampleDetection | File | |
| RTPLofiDetection | File | |
| RTPExpensiveDetection | File | |
| RTPBMDetection | n/a | |
| RTPSeqRead | n/a | |
| RTPSuspend | n/a | |
| RTPResume | n/a | |
| RTPPriority | Description, PreviousValue, IntendedValueOrHResult, LatestValue | |
| DlpPerfOperationStart | Operation, SubOperation, AccessCheck | |
| DlpPerfOperationStop | Operation, SubOperation, AccessCheck | |
| DCEvent | Timestamp, ActionType, Access, Policy, MachineName, MediaName, ClassName, ClassGuid, UserName, VendorId, ProductId, DeviceId, InstanceId, SerialNumber, BusType, FilePath, FileSize, Tag, DomainAuthenticatedNetworkPresent, ActiveVPNConnections, ProcessImageName, PolicyId, AccessChainRuleIds, AccessChainRuleEntryIds, PrinterPortName | |
| DCEvent26 | Timestamp, Policy, PolicyRuleId, DuplicatedOperation, MachineName, UserName, ClassName, MediaName, InstanceId, SerialNumber, VendorId, ProductId, DeviceFilePath, EvidenceFileSize, EvidenceFileLocation, Tag | |
| RTPFileScanResult | FileName, ScanReason, FileId, USN, RtpScanResult, RtpScanAction, DoNotCache, Flags, ScanResult, hr | |
| DCEvent28 | Timestamp, CurrentGrantedAccess, MaximumPossibleGrantedAccess, CurrentDeniedAccess, MinimumGuaranteedDeniedAccess, MachineName, UserName, ClassName, MediaName, BusType, DeviceId, InstanceId, SerialNumber, VendorId, ProductId, DomainAuthenticatedNetworkPresent, ActiveVPNConnections, ActiveNetworks, DevicePolicyGroupMembership | |
| DCEvent29 | Timestamp, State | |
Microsoft-Antimalware-Scan-Interface
GUID: {2a576b87-09a7-520e-c21a-4942f0271d67}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| task_0 | session, scanStatus, scanResult, appname, contentname, contentsize, originalsize, content, hash, contentFiltered | ? |
| task_0_V1 | session, scanStatus, scanResult, appname, contentname, contentsize, originalsize, content, hash, contentFiltered, hashoriginalcontent | ? |
Microsoft-Antimalware-Service
GUID: {751ef305-6c6e-4fed-b847-02ef79d26aef}
| Event Symbol Name | Arguments |
|---|---|
| ServiceOnDemandScanStart | Description |
| ServiceOnDemandScanStop | n/a |
| ServiceCacheBuildStart | n/a |
| ServiceCacheBuildStop | n/a |
| ServiceLoadEngineStart | n/a |
| ServiceLoadEngineStop | n/a |
| ServiceReloadEngineStart | n/a |
| ServiceReloadEngineStop | n/a |
| ServiceSyncStart | n/a |
| ServiceSyncStop | n/a |
| ServiceAsyncStart | n/a |
| ServiceAsyncStop | n/a |
| ServiceShutdown | n/a |
| ServiceProcessScanStart | n/a |
| ServiceProcessScanStop | n/a |
| EngineTask | Description |
| ServiceTask | Description |
| ServiceClean | Description |
| MOAC_CacheHit | File_ID, USN |
| MOAC_CacheMiss | File_ID, USN |
| MOAC_CacheAdd | File_ID, USN |
| MOAC_CacheDelete | File_ID, USN |
| MOAC_CacheFlush | n/a |
| ServiceRoutineCleanup | n/a |
| ServiceRoutineVerification | n/a |
| ServiceRoutineCacheMaintenance | n/a |
| ServiceVersion_V1 | ServiceVersion, OsIsFreshInstall |
| ServiceEngineUpdateStart | n/a |
| ServiceEngineUpdateStop | n/a |
| CacheState | TrustedUSN, TrustedState, SFCState |
| SFCBuildStart | n/a |
| SFCBuildStop | n/a |
| Spynet_EventSpynetRequired | n/a |
| Spynet_EventCloudRequest | n/a |
| Spynet_EventSendTelemetry | n/a |
| Spynet_MpCmdRunStart | n/a |
| Spynet_GenerateReportStart | n/a |
| Spynet_GenerateReportComplete | Bytes |
| Spynet_HandleResponseStart | n/a |
| Spynet_HandleResponseComplete | n/a |
| Spynet_SendReportStart | n/a |
| Spynet_SendReportComplete | n/a |
| MpCmdRun_CreateProcess | Command |
| Spynet_MpCmdRunCreateTimer | n/a |
| Spynet_MpCmdRunTimerTrigger | n/a |
| IOAVScanTriggeredStart | n/a |
| Sense_RemediationInfoThreat | Sha1, Sha256, MD5, ProcessID, ProcessCreationTime, ProcessPath, ThreatName, RealPath, WasExecutingWhileDetected, Action, RemediationErrorCode, DetectionTime, User, UserSid, ResourceSchema, DetectionGuid, Classification, SchemaParamAndDataDelimiter, SchemaParamList, SchemaParamDataList, DetectionSource, IsPassiveMode, SigSeq, SigSha, isCritical, ThreatTrackingId, PlatformVersion, PlatformUpdateTime, EngineVersion, EngineUpdateTime, ASSignatureVersion, ASSignatureUpdateTime, AVSignatureVersion, AVSignatureUpdateTime, BlockThreatExecSubCategory, PropertyBag, AllowThreatExpirationUTC |
| Sense_HipsFGInfo | RuleId, isAudit, Sha1, Sha256, MD5, FileSize, ProcessID, ProcessCreationTime, ProcessIntegrityLevel, ProcessPath, TargetPath, SigSeq, SigSha, CommandLine, DetectionTime, TargetIdentified, ParentCommandLine, InvolvedFile, InheritanceFlags, RuleType, RuleState, SessionId, UserName |
| Sense_NetworkFilterLookup | IsAudit, Uri, ProcessId, ProcessCreationTime, UserSid, ResponseCategory, IsWarn, DisplayName, IocId |
| Sense_NetworkFilterConnectionInfo | LocalIpAddressLength, LocalIpAddress, RemoteIpAddressLength, RemoteIpAddress, ProcessId, ProcessCreationTime, UserSid, ProcessName, Uri, RequestHeaders, ResponseHeaders, ConnectionType |
| Sense_DlpInfo | RuleId, State, EventTimestamp, Action, Process, ProcessId, Source, Target, SessionId |
| Sense_DlpEventInfo | UniqueId, TotalSourceFiles, CurrentIndexOfSourceFile, PolicyVersion, PolicyRuleId, EnforcementLevel, IsActionBypass, EventTimestamp, ActionType, Process, ProcessId, ProcessCreationTime, Source, Target, SessionId, UserSid |
| Sense_DlpStatusInfo | StatusCode, StatusDetails |
| Sense_NetworkFilterBreakTheGlass | Allow, UserOverrideKey, FriendlyName, Uri, ProcessId, ProcessCreationTime, UserSid, ResponseCategory, IocId |
| Sense_HipsAsrUserExclusionInfo | RuleId, RuleState, SessionId, TargetIdentified, Parent, Target, InvolvedFile, ProcessId, ProcessCreationTime |
| Sense_NetworkFilterDnsQuestion | DnsServerAddressLength, DnsServerIpAddress, QueryName, QueryType, ClassType, ProcessId, ProcessCreationTime, UserSid, ProcessName |
| Sense_NetworkFilterDnsAnswer | DnsServerAddressLength, DnsServerIpAddress, AnswerName, Ttl, RecordType, ResourceRecord, ProcessId, ProcessCreationTime, UserSid, ProcessName |
| Sense_NetworkFilterVolumeNotification | IsIncoming, SourceIpLength, SourceIp, DestinationIpLength, DestinationIp, Size, DestinationDNSName, ProcessId, ProcessCreationTime, UserSid, ProcessName, ConnectionType, IsBehindProxy |
| Sense_TroubleshootingModeNotification | TS_State, TS_PreviousState, TS_StartUTC, TS_ExpirationUTC, TS_ExpirationMinutesLeft, TS_StateChangeSource, TS_StateChangeReason, TS_QuotaMinutesLeft, PlatformVersion, EngineVersion |
| Sense_NetworkFilterTlsAlert | TlsServerAddressLength, TlsServerIpAddress, TlsAlertLevel, TlsAlertDescription, ProcessId, ProcessCreationTime, UserSid, ProcessName |
| RbM_RollbackComplete | Timestamp, RollbackVersion |
| StartRundownTaskStart | Description |
| StartRundownTaskStop | Description |
| EndRundownTaskStart | Description |
| EndRundownTaskStop | Description |
| Sense_TamperProtectionNotification | DetectionTime, TP_State, TP_Scenario, TP_ResourceType, TP_ResourceName, TP_ResourceOldState, TP_ResourceNewState, TP_IsBlocked, TP_IsUserMode, ProcessName, ProcessId, ProcessCreationTime |
| Sense_AiRuntimeModelEvent | FullPath, Version, FileSize, FrameworkType, Sha256, JsonModelMetadata |
| Sense_AiRuntimeMcpEvent | Version, TransportType, ServerName, CommandName, CommandArgs, UrlEndpoint, Environment, Headers |