Axon Common Events List
Common Events represent a general category or set of categories assigned to a log message. Every log message that is fully processed by the processing engine has at least one Common Event assigned. Additional Common Events can be assigned based on rules created within Rule Builder.
These Common Events can also be used as Search terms to find logs that fall under the same classification. For more information and examples of Common Event searches, see Build a Search Query.
General Group
The Common Events below are all meant to be generic in nature. They serve to generally classify messages.
Name | Description |
---|---|
General Alert | Messages with a status of ALERT |
General Critical | Messages with a status of CRITICAL or CRIT |
General Error | Messages with a status of ERROR or ERR |
General Information | Messages with a status of INFO |
General Warning | Messages with a status of WARNING or WARN |
General Emergency | Messages with a status of EMERGENCY or EMER |
General Debug | Messages with a status of DEBUG or DEBG |
Unassigned | Default Common Event assigned to messages if no other Common Events are assigned. |
General Audit | Audit messages without a designated severity. |
General Notice | Messages with a status of NOTICE |
General Session Information | The message contains general session information. |
Access Group
This group contains Common Events that describe access authorization and usage of resource objects such as files, processes, applications, and other system/application components.
Name | Description |
---|---|
Access Allowed | Access to a resource was allowed. |
Access Denied | Access to a resource was blocked or denied. |
Access Requested | Access to a resource was requested but not necessarily allowed or denied. |
Access Terminated | Access to a resource was terminated. This implies that access to the object was originally allowed. |
Kerberos Service Ticket Requested | A Kerberos Ticket Granting Service (TGS) ticket has been requested. Does not indicate the success or failure of the request. |
Application Allowed | An application has been allowed to execute on the target host. |
Application Blocked | An application has been prevented from executing on the target host. |
External Device Allowed | An external device, such as a USB storage device, has been allowed to mount to the target host. |
External Device Blocked | An external device, such as a USB storage device, has been blocked from mounting on the target host. |
Token Issued | A token was successfully issued. |
Token Issuance Failed | A token failed to be issued. |
Authentication Group
Authentication Common Events describe successful and failed authentication activity to a host or application.
Name | Description |
---|---|
General Authentication | Authentication activity was recorded. |
Authentication Success | An authentication attempt resulted in success. |
Authentication Failure | An authentication attempt resulted in failure. |
Local Authentication | An authentication attempt was made to a local resource. |
Remote Authentication | An authentication attempt was made to a remote resource. |
Batch Authentication | An authentication attempt was made in "batch" mode. This is typically performed by scheduled task operations. |
Service Authentication | An authentication attempt was made by a local service. |
Admin Rights Granted | Local admin rights were granted to the authenticated or authenticating account. |
Invalid Account | An authentication attempt failed due to the account name being invalid. |
Invalid Password | An authentication attempt failed due to an invalid or wrong password. |
Unauthorized Origin | An authentication attempt failed due to the source system or workstation not being authorized for access. |
Expired Password | An authentication attempt failed due to an expired password. |
Disabled Account | An authentication attempt failed due to the account being disabled. |
Expired Account | An authentication attempt failed due to the account being expired. |
Password Change Required | An authentication attempt failed due to the account needing a password change. |
Account Logoff | An account was logged off. |
Special Privileges Assigned | An account was granted special permissions, excluding admin rights. |
Time Sync Error | An authentication attempt failed due to the origin and target host times being out of sync. |
Interactive Login | An authentication attempt was made using Interactive Login. |
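The two tables above show how one raw message can carry several Common Events at once: a General group event derived from its severity keyword, plus Authentication group events for the outcome, the logon mode, and the failure reason. The short classifier below is an added illustration of that layering and is not the Axon processing engine or a Rule Builder export. The severity keywords come from the General group table; the Windows EventID, LogonType and SubStatus values are documented Microsoft codes, but their pairing with particular Common Event names is this example's own assumption, and the sample log lines are constructed.

```python
"""Added example: a tiny classifier that assigns Common Events to raw log lines.

Illustrative code only; it is not the Axon processing engine or Rule Builder.
The severity keywords follow the General group table above. The Windows
EventID / LogonType / SubStatus pairings with Authentication group names are
assumptions of this example: the NTSTATUS codes are Microsoft's, the choice
of Common Event for each is ours.
"""
import re

# General group: severity keyword -> Common Event (from the table above).
SEVERITY_TO_COMMON_EVENT = {
    "EMERGENCY": "General Emergency", "EMER": "General Emergency",
    "ALERT": "General Alert",
    "CRITICAL": "General Critical", "CRIT": "General Critical",
    "ERROR": "General Error", "ERR": "General Error",
    "WARNING": "General Warning", "WARN": "General Warning",
    "NOTICE": "General Notice",
    "INFO": "General Information",
    "DEBUG": "General Debug", "DEBG": "General Debug",
}

# Assumed: Windows 4625 SubStatus (NTSTATUS) -> Authentication group reason.
SUBSTATUS_TO_COMMON_EVENT = {
    0xC0000064: "Invalid Account",           # user name does not exist
    0xC000006A: "Invalid Password",          # wrong password
    0xC0000070: "Unauthorized Origin",       # workstation restriction
    0xC0000071: "Expired Password",
    0xC0000072: "Disabled Account",
    0xC0000193: "Expired Account",
    0xC0000224: "Password Change Required",  # must change at next logon
    0xC0000133: "Time Sync Error",           # clock skew too large
}

# Assumed: Windows LogonType -> Authentication group mode event.
LOGONTYPE_TO_COMMON_EVENT = {
    2: "Interactive Login",
    3: "Remote Authentication",   # network logon
    4: "Batch Authentication",
    5: "Service Authentication",
}

SEVERITY_RE = re.compile(
    r"\b(" + "|".join(SEVERITY_TO_COMMON_EVENT) + r")\b", re.IGNORECASE
)
EVENTID_RE = re.compile(r"\bEventID=(\d+)\b")
LOGONTYPE_RE = re.compile(r"\bLogonType=(\d+)\b")
SUBSTATUS_RE = re.compile(r"\bSubStatus=(0x[0-9A-Fa-f]+)\b")


def classify(line: str) -> set[str]:
    """Return every Common Event for one line; never empty (falls back to Unassigned)."""
    events: set[str] = set()

    # General group: first severity keyword wins.
    sev = SEVERITY_RE.search(line)
    if sev:
        events.add(SEVERITY_TO_COMMON_EVENT[sev.group(1).upper()])

    # Authentication group: outcome, then reason, then logon mode.
    eid = EVENTID_RE.search(line)
    if eid:
        event_id = int(eid.group(1))
        if event_id == 4624:
            events.add("Authentication Success")
        elif event_id == 4625:
            events.add("Authentication Failure")
            sub = SUBSTATUS_RE.search(line)
            if sub:
                reason = SUBSTATUS_TO_COMMON_EVENT.get(int(sub.group(1), 16))
                if reason:
                    events.add(reason)
        if event_id in (4624, 4625):
            lt = LOGONTYPE_RE.search(line)
            if lt:
                mode = LOGONTYPE_TO_COMMON_EVENT.get(int(lt.group(1)))
                if mode:
                    events.add(mode)

    if not events:
        events.add("Unassigned")   # default when no rule matched
    return events


# Constructed sample lines (not real captured logs).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web01 sshd[1234]: ERROR: pam_unix(sshd:auth): authentication failure",
    "EventID=4625 LogonType=3 SubStatus=0xC000006A TargetUserName=alice",
    "EventID=4624 LogonType=2 TargetUserName=bob",
    "EventID=4625 LogonType=4 SubStatus=0xC0000072 TargetUserName=svc_backup",
    "heartbeat ok",
]


def classify_all(lines=SAMPLE_LINES) -> dict[str, set[str]]:
    """Map each line to its Common Events; handy for a quick look or a test."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, events in classify_all().items():
        print(f"{sorted(events)}  <-  {line}")
```

The second sample line ends up with three Common Events (Authentication Failure, Invalid Password, Remote Authentication), which is the behaviour a search on any one of those names relies on; the last line gets only Unassigned, the default the General group table describes.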
Configuration Management
This group's Common Events describe configuration events affecting a host or system.
Name | Description |
---|---|
General Configuration | A configuration event was recorded. |
Configuration Change Submitted | A configuration change has been submitted and is pending implementation. |
Configuration Change Successful | A configuration change has been successfully applied. |
Configuration Change Failed | A configuration change has failed to take effect. |
Configuration Change Denied | A configuration change has been denied. |
System Time Changed | The time of the local system has been modified. |
Object Loaded | An object was loaded into the system or application. This includes actions such as loading or registering packages into the OS or application. |
Network Interface Down | A network interface has been put into the down status. |
Network Interface Up | A network interface has been put into the up status. |
Domain Trust Created | A trust relationship was established between two Domains. |
Domain Trust Modified | A trust relationship between two Domains was modified. |
Domain Trust Removed | A trust relationship was removed between two Domains. |
Configuration Deleted | A configuration was deleted. |
Configuration Enabled | A configuration was enabled. |
Configuration Disabled | A configuration was disabled. |
Missing Data | Missing data was observed. |
Invalid Data | Invalid data was observed. |
Email Group
This group's Common Events describe all the events and activities related to email.
Name | Description |
---|---|
Email Delivered | The message was successfully delivered to the intended destination. |
Email Expanded | The email body and recipient/sender list were expanded. |
Email Delivery Failed | Email delivery failed. |
Email Delivery Pending | Email delivery is in a pending state. |
Email Status | The email was recently received, but no other status data is yet available. |
Email Spam | Email was categorized as spam. |
Email Recipient Resolved | The Exchange server expanded and resolved all recipients of a message. |
Email Identified As Not Spam | Email was identified as not spam. |
IAM Group
Contains Identity and Access Management Common Events describing user, group, and role management activities.
Name | Description |
---|---|
Account Added to Group | An account was added to a specified group. |
Account Created | An account was created. |
Account Deleted | An account was deleted. |
Account Disabled | An account was disabled. |
Account Enabled | An account was enabled. |
Account Locked | An account was locked. |
Account Modified | An account or an attribute of an account object was modified. |
Account Modification Failed | An attempt to modify an account object failed. |
Account Removed from Group | An account was removed from a specific group. |
Account Unlocked | An account was unlocked. |
Group Created | A group was created. |
Group Deleted | A group was deleted. |
Group Modified | A group, or an attribute of a group object, was modified. Does not include membership changes. |
Password Modified | The password of an account was successfully modified. |
Password Change Failed | An attempt to modify/change/reset an account's password failed. |
Permissions Added | Permissions were added to an account. |
Permissions Modified | Permissions were modified on an account. |
Permissions Removed | Permissions were removed from an account. |
General Account Info | Contains general information about an account. |
Role Created | A role was created. |
Role Modified | A role was modified. |
Role Deleted | A role was deleted. |
Role Assigned | A role was assigned to an account. |
Role Removed | A role was removed from an account. |
Account Compromised | The account was compromised. |
Network Group
This group's Common Events describe actions taken to establish, terminate, or provide state of network sessions. Additional actions covered are those used to facilitate or otherwise enable network-based functionality, such as DNS and DHCP queries and responses.
Name | Description |
---|---|
IPSec Negotiation Failed | An IPSec tunnel negotiation failed. |
IPSec SA Ended | An IPSec Security Association ended. |
IPSec SA Created | An IPSec Security Association was successfully created. |
IPSec SA Deleted | An IPSec Security Association was deleted. |
General IPSec Info | General IPSec information not directly indicating the creation, deletion, or termination of Security Associations or other aspects of establishing and closing IPSec tunnels. |
Network Session Started | A network session has started. |
Network Session Terminated | A network session has ended without error. |
Network Traffic Allowed | Network traffic was allowed by a security control. |
Network Traffic Denied | Network traffic was blocked by a security control. |
DNS Query | A DNS Query has returned successfully. |
DNS Query Failed | A DNS Query attempt has failed. |
General Network Traffic | General network traffic that does not indicate the start/end of a session or an allow/deny response action. |
DHCP Lease Renewed | An IP address assigned to a host via DHCP has had its lease renewed. |
DHCP Lease Issued | An IP address has been assigned to a host through DHCP. |
Firewall Service Error | An error occurred in the firewall service. |
Failed Denial Of Service | A message indicating a failed denial-of-service attempt. |
IPSEC Service Failed | The IPsec service failed. |
Object Management
This group's Common Events describe actions taken involving objects, certificates, and scheduled tasks.
Name | Description |
---|---|
Certificate Issued | A Certificate has been issued by the Certification Authority. |
Certificate Request Denied | The Certification Authority has denied the request for Certificate signing. |
Certificate Request Pending | A Certificate Signing Request (CSR) is currently pending action by a Certification Authority. |
Certificate Request Received | A Certificate Signing Request (CSR) has been received by a Certification Authority. |
Certificate Revoked | A Certificate has been revoked, and made invalid, by the Certification Authority. |
Object Attribute Modified | An attribute of a specific object, or of several objects, was modified. Does not include modifying the object's name or the permissions assigned to the object. |
Object Created | An object was created. |
Object Deleted | An object was deleted. |
Object Modified | An object was modified. |
Object Permissions Modified | The permissions on an object were modified. |
Registry Value Modified | A Windows registry value was modified. |
Scheduled Task Created | A scheduled task was created. Examples of this include Windows Scheduled Tasks and *nix cron jobs. |
Scheduled Task Deleted | A scheduled task was deleted. Examples of this include Windows Scheduled Tasks and *nix cron jobs. |
Scheduled Task Modified | A scheduled task was modified. Examples of this include Windows Scheduled Tasks and *nix cron jobs. |
Scheduled Task Disabled | A scheduled task was disabled. Examples of this include Windows Scheduled Tasks and *nix cron jobs. |
Scheduled Task Enabled | A scheduled task was enabled. Examples of this include Windows Scheduled Tasks and *nix cron jobs. |
Object Handle Closed | A handle to an object was closed. |
Object Read | A read operation has been performed on an object. |
Object Replicated | Attributes of an object were replicated. |
Object Listed | An object was listed. |
Object Not Applied | An object was not applied. |
Request Blocked | A request was blocked. |
Object Virtualized | An object was virtualized. |
Object Restored | An object was restored. |
Object Added | An object was added. |
Object Load Failed | An object loading failed. |
Object Managed | An object (a device, application, policy, etc.) is managed/controlled. |
Object Unmanaged | An object (a device, application, policy, etc.) is unmanaged/uncontrolled. |
Policy Management
Policy Management Common Events describe activities related to the creation, modification, and deletion of policy objects. These are frequently used on network and security controls as well as auditing systems governed by policies.
Name | Description |
---|---|
General Policy Management | Describes general policy management activities. |
Policy Created | A policy object was created. |
Policy Modified | A policy object was modified. |
Policy Assigned | A policy object was assigned to one or more targets. |
Policy Removed | A policy was removed or disassociated from one or more targets. |
Policy Enabled | A policy object was enabled. |
Policy Disabled | A policy object was disabled. |
Policy Deleted | A policy object was deleted. |
Compliance Success | The object passed a policy, device, or application compliance check. |
Compliance Failure | The object failed a policy, device, or application compliance check. |
General Compliance Information | The message contains general compliance information. |
Software Management
Software Management Common Events describe activities related to the installation, updating, or removal of software and applications.
Name | Description |
---|---|
Software Updated | An application or software update was completed successfully. This does not include signature updates. |
Software Update Failed | An application or software update failed. |
Software Installed | An application or software installation was completed successfully. |
Software Install Failed | An application or software installation failed. |
Software Uninstalled | An application or software was uninstalled. |
Service Installed | A service or daemon was successfully installed. |
Signature Update Successful | A signature update attempted by an application or device succeeded. |
Signature Update Failed | A signature update attempted by an application or device failed. |
Update Not Needed | An update check was performed against an application, software, or software component (including signatures) and an update is not required. |
Status Group
This group's Common Events describe health and status activities at the system, application, and service levels.
Name | Description |
---|---|
Service Stopped | A service or daemon has been stopped or terminated and is no longer actively running. |
Service Started | A service or daemon has started. |
Log Cleared Successfully | A log file has been deleted or has had its content erased. |
Log Full | A log file has reached the capacity allocated by the system or governing policy. |
Backup Completed | A backup operation has been completed successfully. |
System Started | A system or host has started. |
System Shutdown | A system or host has, or is being shut down. |
Auditing Error | An error was encountered during the auditing or logging process. |
Process Started | A process was started on a host system. |
Process Stopped | A running process was stopped/terminated on a host system. |
General Health Information | The message contains general health information. |
General Performance Information | The message contains general performance information. |
Backup Failed | A backup operation failed to complete. |
Restore Completed | A restore operation, typically from a backup, was completed successfully. |
Restore Failed | A restore operation failed to complete. |
Scheduled Task Ended | A scheduled task or job has ended/stopped. |
Scheduled Task Started | A scheduled task or job has started. |
Script Execution | A script, such as a PowerShell script, is being executed on the system. |
Scan Completed | A security control has successfully completed a scan of a device, system, or application. |
Scan Failed | A security control scan action failed. |
Scan Paused | A security control scan has been paused. |
Scan Started | A security control has started a scan of a device, system, or application. |
Scan Stopped | A scan initiated by a security control has stopped. |
General Backup Information | Messages describe high-level activity related to backups. |
Device Inserted | A new device has been inserted into the system. |
Device Removed | A device has been removed/ejected from a system. |
Device Initialized | A device has been initialized on a system. |
Package loaded | A package or DLL was loaded by a Windows service. |
System Time Changed | System time was changed. |
Token Assigned | A token was assigned to a process. |
Privilege Assigned | Privileged access was granted to an account. |
Privilege Revoked | Privileged access was revoked from an account. |
Integrity Violation | An integrity violation was recorded. |
CRL Published | Certificate Revocation List (CRL) was published by Certificate Services. |
Key Retrieved | A key was retrieved by Certificate Services. |
Certificate Imported | A Certificate was imported by Certificate Services. |
Key Archived | A key was archived by Certificate Services. |
Key Imported | A key was imported by Certificate Services. |
Certificate Published | A CA certificate was published by Certificate Services. |
Group Assigned | A group was assigned to an object. |
Audit Failure | An audit failure was recorded. |
Service Aborted | A service stopped abnormally. |
Cryptographic Operation | A cryptographic operation was recorded. |
Cryptographic Failure | A cryptographic operation failed. |
Registration Complete | A registration was completed successfully. |
Registration Failure | A registration failed. |
New Device Found | A new device was found. |
Hardware Installed | A hardware installation was completed successfully. |
Request Failed to Validate | A request failed validation. |
Process Completed | A process completed successfully. |
Request Validated | A request was validated successfully. |
Threat Detection Group
This group's Common Events describe messages that report real and potential threats. These types of messages originate from technologies such as Malware Detection and Response, Network/Host-based Antivirus, Intrusion Detection/Prevention Systems, and Web Application Firewalls.
Name | Description |
---|---|
General Threat Detected | A security control has identified a threat. This is meant to be a general category for detections that do not fit another more specific category. The threat was not blocked by the control. |
Threat Blocked | A security control has identified and blocked a threat. |
Threat Allowed | A security control has identified a threat, but did not block or prevent it. |
Threat Allowed by User | A security control identified and blocked a threat but that block was overridden by user action. |
Threat Quarantined | A security control has identified and quarantined a threat. |
Host Quarantined | A security control has quarantined, or contained, a host. |
Host Quarantine Removed | A previously quarantined host has had the quarantine lifted. |
General Detection Information | A security control is reporting on the status of an alert, case, or detection produced by that control. |
Detection Updated | A security control has updated the status or details of an alert, case, or detection. This is typically done by a user. |
Watchlist Hit | A security control has detected a file, process, other object, or behavior that matches a watchlist. |
Suspicious Activity | An abnormal activity has been detected. |
Malware | A security control has detected malware, which can be a Virus, Ransomware, Trojan, Adware, Spyware, etc. |
Phishing | A security control has identified a Phishing alert, which can be Spear Phishing, Vishing, Email Phishing, Smishing, etc. |