EDR Event detection types and descriptions

The following are the events that EDR detects, listed by event ID number and type, each with a description:
1: Application Activity
Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search. Or the administrator runs a command line interface command (e.g., expand_storage).
20: User Session Audit
Reports user logon and logoff activity at a management console or a managed client.
21: Entity Audit
Reports activity by a managed client, a microservice, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238: Device Control
Reports that device control disabled a device.
239: Device Control
Reports a buffer overflow event.
240: Device Control
Reports software protection has thrown an exception.
502: Application Control
Reports agent behavior events.
1000: System Health
Reports any change to a component's health which impacts the overall health of the Symantec EDR appliance, software, or hardware. For example, "DB Connection failure/success", "Low Disk", or "High CPU".
8000: Session Event
Reports when a user attempts a log on or log off, successfully or otherwise.
8001: Process Event
Reports when a process launches, terminates, or opens another process, successfully or otherwise.
8002: Module Event
Reports when a process loads or unloads a module.
8003: File Event
Reports operations on file system objects.
8004: Directory Event
Reports operations on directories.
8005: Registry Key Event
Reports actions on Windows registry keys.
8006: Registry Value Event
Reports actions on Windows registry values.
8007: Network Event
  • Netstat Event
Reports attempted network connections, successful or otherwise.
Netstat events are a sub-category of Network events. Netstat events report a high-level summary of network activity, such as the protocol used and how much data is transferred between the local and remote computers. The Network event summary displays the disposition statistics value 3 for netstat events.
If you are an existing user, you must upgrade the Detection and Response Policy to generate netstat events.
8009: Kernel Event
Reports when an actor process creates, reads, or deletes a kernel object.
8015: Monitored Source
Reports when an ETW activity event occurs.
8018: AMSI Activity
Reports when an AMSI activity event occurs.
8071: Compliance
Reports the results of a compliance and remediation check.
8080: Session Query Result
Reports information on existing user sessions.
8081: Process Query Result
Reports information on a running process.
8082: Module Query Result
Reports information on loaded modules.
8083: File Query Result
Reports information on file system objects.
8084: Directory Query Result
Reports directory information.
8085: Registry Key Query Result
Reports information on Windows Registry keys.
8086: Registry Value Query Result
Reports information on Windows Registry values.
8087: Network Query Event
Reports information for network queries.
8089: Kernel Object Query Result
Reports information on kernel objects.
8090: Service Query Result
Reports information on service queries.
8061: Entity Change Event (for SES Mobile)
Reports information on changes in the security status of SES Mobile apps (Android and iOS).
8071: Compliance Event (for SES Mobile)
Reports information when an SES Mobile device (Android or iOS) is scanned for compliance.