Skip to main content
Skip table of contents

Axon Common Events List

Common Events represent a general category or set of categories assigned to a log message. Every log message that is fully processed by the processing engine has at least one Common Event assigned. Additional Common Events can be assigned based on rules created within Rule Builder.

These Common Events can also be used as Search terms to find logs that fall under the same classification. For more information and examples of Common Event searches, see Build a Search Query.

General Group

The Common Events below are all meant to be generic in nature. They serve to generally classify messages.

Name

Description

General Alert

Messages with a status of ALERT

General Critical

Messages with a status of CRITICAL or CRIT

General Error

Messages with a status of ERROR or ERR

General Information

Messages with a status of INFO

General Warning

Messages with a status of WARNING or WARN

General Emergency

Messages with a status of EMERGENCY or EMER

General Debug

Messages with a status of DEBUG or DEBG

Unassigned

Default Common Event assigned to messages if no other Common Events are assigned.

General Audit

Audit messages without a designated severity.

General Notice

Messages with a status of NOTICE

General Session Information

The message contains general session information.

Access Group

This group contains Common Events that describe access authorization and usage of resource objects such as files, processes, applications, and other system/application components.

Name

Description

Access Allowed

Access to a resource was allowed.

Access Denied

Access to a resource was blocked or denied.

Access Requested

Access to a resource was requested but not necessarily allowed or denied.

Access Terminated

Access to a resource was terminated. This implies that access to the object was originally allowed.

Kerberos Service Ticket Requested

A Kerberos Ticket Granting Service (TGS) ticket has been requested. Does not indicate the success or failure of the request.

Application Allowed

An application has been allowed to execute on the target host.

Application Blocked

An application has been prevented from executing on the target host.

External Device Allowed

An external device, such as a USB storage device, has been allowed to mount to the target host.

External Device Blocked

An external device, such as a USB storage device, has been blocked from mounting on the target host.

Token Issued

A token was successfully issued.

Token Issuance Failed

A token was failed to be issued.

Authentication Group

Authentication Common Events describe successful and failed authentication activity to a host or application.

Name

Description

General Authentication

Authentication activity was recorded.

Authentication Success

An authentication attempt resulted in success.

Authentication Failure

An authentication attempt resulted in failure.

Local Authentication

An authentication attempt was made to a local resource.

Remote Authentication

An authentication attempt was made to a remote resource.

Batch Authentication

An authentication attempt was made in "batch" mode. This is typically performed by scheduled task operations.

Service Authentication

An authentication attempt was made by a local service.

Admin Rights Granted

Local admin rights were granted to the authenticated or authenticating account.

Invalid Account

An authentication attempt failed due to the account name being invalid.

Invalid Password

An authentication attempt failed due to an invalid or wrong password.

Unauthorized Origin

An authentication attempt failed due to the source system or workstation not being authorized for access.

Expired Password

An authentication attempt failed due to an expired password.

Disabled Account

An authentication attempt failed due to the account being disabled.

Expired Account

An authentication attempt failed due to the account being expired.

Password Change Required

An authentication attempt failed due to the account needing a password change.

Account Logoff

An account was logged off.

Special Privileges Assigned

An account was granted special permissions, excluding admin rights.

Time Sync Error

An authentication attempt failed due to the origin and target host times being out of sync.

Interactive Login

An authentication attempt was made using Interactive Login.

Configuration Management

This group's Common Events describe configuration events affecting a host or system.

Name

Description

General Configuration

A configuration event was recorded.

Configuration Change Submitted

A configuration change has been submitted and is pending implementation.

Configuration Change Successful

A configuration change has been successfully applied.

Configuration Change Failed

A configuration change has failed to take effect.

Configuration Change Denied

A configuration change has been denied.

System Time Changed

The time of the local system has been modified.

Object Loaded

An object was loaded into the system or application. This includes actions such as loading or registering packages into the OS or application.

Network Interface Down

A network interface has been put into the down status.

Network Interface Up

A network interface has been put into the up status.

Domain Trust Created

A trust relationship was established between two Domains.

Domain Trust Modified

A trust relationship between two Domains was modified.

Domain Trust Removed

A trust relationship was removed between two Domains.

Configuration Deleted

A configuration deleted event was recorded.

Configuration Enabled

A configuration enabled event was recorded.

Configuration Disabled

A configuration disabled event was recorded.

Missing Data

Missing data was observed.

Invalid Data

Invalid data was observed.

Email Group

This group's Common Events describe all the events and activities related to email.

Name

Description

Email Delivered

The message was successfully delivered to the intended destination.

Email Expanded

The email body and recipient/sender list were expanded.

Email Delivery Failed

Email delivery was failed.

Email Delivery Pending

Email delivery is in a pending state.

Email Status

The email was recently received, but no other status data is yet available.

Email Spam

Email was categorized as spam.

Email Recipient Resolved

The exchange server expands and resolves all recipients in a message.

Email Identified As Not Spam

Email was identified as not spam.

IAM Group

Contains Identity and Access Management Common Events describing user, group, and role management activities.

Name

Description

Account Added to Group

An account was added to a specified group.

Account Created

An account was created.

Account Deleted

An account was deleted.

Account Disabled

An account was disabled.

Account Enabled

An account was enabled.

Account Locked

An account was locked.

Account Modified

An account or an attribute of an account object was modified.

Account Modification Failed

An attempt to modify an account object failed.

Account Removed from Group

An account was removed from a specific group.

Account Unlocked

An account was unlocked.

Group Created

A group was created.

Group Deleted

A group was deleted.

Group Modified

A group, or an attribute of a group object, was modified. Does not include membership changes.

Password Modified

The password of an account was successfully modified.

Password Change Failed

An attempt to modify/change/reset an account's password failed.

Permissions Added

Permissions were added to an account.

Permissions Modified

Permissions were modified on an account.

Permissions Removed

Permissions were removed from an account.

General Account Info

Contains general information about an account.

Role Created

A role was created.

Role Modified

A role was modified.

Role Deleted

A role was deleted.

Role Assigned

A role was assigned to an account.

Role Removed

A role was removed from an account.

Account Compromised

The account was compromised.

Network Group

This group's Common Events describe actions taken to establish, terminate, or provide state of network sessions. Additional actions covered are those used to facilitate or otherwise enable network-based functionality, such as DNS and DHCP queries and responses.

Name

Description

IPSec Negotiation Failed

An IPSec tunnel negotiation failed

IPSec SA Ended

An IPSec Security Association ended.

IPSec SA Created

An IPSec Security Association was successfully created.

IPSec SA Deleted

An IPSec Security Association was deleted.

General IPSec Info

General IPSec information not directly indicating the creation, deletion, or termination of Security Associations or other aspects of establishing and closing IPSec tunnels.

Network Session Started

A network session has started.

Network Session Terminated

A network session has ended without error.

Network Traffic Allowed

Network traffic was allowed by a security control.

Network Traffic Denied

Network traffic was blocked by a security control.

DNS Query

A DNS Query has returned successfully.

DNS Query Failed

A DNS Query attempt has failed.

General Network Traffic

General network traffic that does not indicate the start/end of a session or an allow/deny response action.

DHCP Lease Renewed

An IP address assigned to a host via DHCP has had its lease renewed.

DHCP Lease Issued

An IP address has been assigned to a host through DHCP.

Firewall Service Error

An Error in the firewall service.

Failed Denial Of Service

Failed Denial of service message.

IPSEC Service Failed

The IPSEC service was failed.

Object Management

This group's Common Events describe actions taken involving objects, certificates, and scheduled tasks.

Name

Description

Certificate Issued

A Certificate has been issued by the Certification Authority.

Certificate Request Denied

The Certification Authority has denied the request for Certificate signing.

Certificate Request Pending

A Certificate Signing Request (CSR) is currently pending action by a Certification Authority.

Certificate Request Received

A Certificate Signing Request (CSR) has been received by a Certification Authority.

Certificate Revoked

A Certificate has been revoked, and made invalid, by the Certification Authority.

Object Attribute Modified

Message indicates that an attribute of a specific object or objects were modified. Does not include modifying the object's name or the permissions assigned to the object.

Object Created

An object was created.

Object Deleted

An object was deleted.

Object Modified

An object was modified.

Object Permissions Modified

The permissions on an object were modified.

Registry Value Modified

A Windows registry value was modified.

Scheduled Task Created

A scheduled task was created. Examples of this include Windows Scheduled Tasks and *nix cron jobs.

Scheduled Task Deleted

A scheduled task was deleted. Examples of this include Windows Scheduled Tasks and *nix cron jobs.

Scheduled Task Modified

A scheduled task eas modified. Examples of this include Windows Scheduled Tasks and *nix cron jobs.

Scheduled Task Disabled

A scheduled task was disabled. Examples of this include Windows Scheduled Tasks and *nix cron jobs.

Scheduled Task Enabled

A scheduled task was enabled. Examples of this include Windows Scheduled Tasks and *nix cron jobs.

Object Handle Closed

A handle to an object is closed.

Object Read

A read operation has been performed on an object.

Object Replicated

Attributes of an object were replicated.

Object Listed

An object was listed.

Object Not Applied

An object was not applied.

Request Blocked

A request was blocked.

Object Virtualized

An object was Virtualized.

Object Restored

An object was restored.

Object Added

An object was added.

Object Load Failed

An object loading failed.

Object Managed

An object is managed/controlled, whether device application or policy etc.

Object Unmanaged

An object is unmanaged/uncontrolled, whether device application or policy etc.

Policy Management

Policy Management Common Events describe activities related to the creation, modification, and deletion of policy objects. These are frequently used on network and security controls as well as auditing systems governed by policies.

Name

Description

General Policy Management

Describes general policy management activities.

Policy Created

A policy object was created.

Policy Modified

A policy object was modified.

Policy Assigned

A policy object was assigned to one or more targets.

Policy Removed

A policy was removed or disassociated from one or more targets.

Policy Enabled

A policy object was enabled.

Policy Disabled

A policy object was disabled.

Policy Deleted

A policy object was deleted.

Compliance Success

The object is successfully compliant for policy, device, or application compliance.

Compliance Failure

The object fails compliance for policy, device, or application compliance.

General Compliance Information

The general compliance information.

Software Management

Software Management Common Events describe activities related to the installation, updating, or removal of software and applications.

Name

Description

Software Updated

An application or software update was completed successfully. This does not include signature updates.

Software Update Failed

An application or software update failed.

Software Installed

An application or software installation was completed successfully.

Software Install Failed

An application or software installation failed.

Software Uninstalled

An application or software was uninstalled.

Service Installed

A service or daemon was successfully installed.

Signature Update Successful

A signature update attempted by an application or device succeeded.

Signature Update Failed

A signature update attempted by an application or device failed.

Update Not Needed

An update check was performed against an application, software, or software component (including signatures) and an update is not required.

Status Group

This group's Common Events describe health and status activities at the system, application, and service levels.

Name

Description

Service Stopped

A service or daemon has been stopped or terminated and is no longer actively running.

Service Started

A service or daemon has started.

Log Cleared Successfully

A log file has been deleted or has had its content erased.

Log Full

A log file has reached the capacity allocated by the system or governing policy.

Backup Completed

A backup operation has been completed successfully.

System Started

A system or host has started.

System Shutdown

A system or host has, or is being shut down.

Auditing Error

An error was encountered during the auditing or logging process.

Process Started

A process was started on a host system.

Process Stopped

A running process was stopped/terminated on a host system.

General Health Information

The message contains general health information.

General Performance Information

The message contains general performance information.

Backup Failed

A backup operation failed to complete.

Restore Completed

A restore operation, typically from a backup, was completed successfully.

Restore Failed

A restore operation failed to complete.

Scheduled Task Ended

A scheduled task or job has ended/stopped.

Scheduled Task Started

A scheduled task or job has started.

Script Execution

A script, such as a PowerShell script, is being executed on the system.

Scan Completed

A security control has successfully completed a scan of a device, system, or application.

Scan Failed

A security control scan action failed.

Scan Paused

A security control scan has been paused.

Scan Started

A security control has started a scan of a device, system, or application.

Scan Stopped

A scan initiated by a security control has stopped.

General Backup Information

Messages describe high-level activity related to backups.

Device Inserted

A new device has been inserted into the system.

Device Removed

A device has been removed/ejected from a system.

Device Initialized

A device has been initialized on a system.

Package loaded

A package/DLL has been loaded by Windows service.

System Time Changed

System time was changed.

Token Assigned

A token was assigned to process.

Privilege Assigned

Privileged access was granted to an account.

Privilege Revoked

Privileged access was revoked from an account.

Integrity Violation

Integrity violation event was recorded.

CRL Published

Certificate Revocation List (CRL) was published by Certificate Services.

Key Retrieved

A key was retrieved by Certificate Services.

Certificate Imported

A Certificate was imported by Certificate Services.

Key Archived

A key was archived by Certificate Services.

Key Imported

Key was imported by Certificate Services.

Certificate Published

CA certificate was published by Certificate Services.

Group Assigned

A group was assigned to an object.

Audit Failure

Audit failure event was recorded.

Service Aborted

Services Stopped abnormally.

Cryptographic Operation

General Cryptographic Operation.

Cryptographic Failure

Cryptographic Operation Failure.

Registration Complete

An registration was completed successfully.

Registration Failure

The registration was failed.

New Device Found

The new device was found.

Hardware Installed

An hardware installation was completed successfully.

Request Failed to Validate

The request was not validated

Process Completed

The process completed successfully.

Request Validated

A request was validated successfully.

Threat Detection Group

This group's Common Events describe messages that detect real and potential threats. These types of messages originate from technologies such as Malware Detection and Response, Network/Host-based Antivirus, Intrusion Detection/Protection Systems, and Web Application Firewalls.

Name

Description

General Threat Detected

A security control has identified a threat. This is meant to be a general category for detections that do not fit another more specific category. This detection was not blocked by the control.

Threat Blocked

A security control has identified and blocked a threat.

Threat Allowed

A security control has identified a threat, but did not block or prevent it.

Threat Allowed by User

A security control identified and blocked a threat but that block was overridden by user action.

Threat Quarantined

A security control has identified and quarantined a threat.

Host Quarantined

A security control has quarantined, or contained, a host.

Host Quarantine Removed

A previously quarantined host has had the quarantine lifted.

General Detection Information

A security control is reporting on the status of an alert, case, or detection produced by that control.

Detection Updated

A security control has updated the status or details of an alert, case, or detection. This is typically done by a user.

Watchlist Hit

A security control has detected a file, process, other object, or behavior that matches a watchlist.

Suspicious Activity

An abnormal activity has been detected.

Malware

A security control has detected malware, which can be a Virus, Ransomware, Trojan, Adware, Spyware, etc.

Phishing

A security control has identified a Phishing alert, which can be Spear Phishing, Vishing, Email Phishing, Smishing, etc.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.