Column_name Type Length Index Description Example
ProcessID bigint   4 Ascending Identity 1
ProcessGUID uniqueidentifier   2 UUID of the process 98C99D96-6DFA-4C95-9A87-C8665C166286
EventNumber int     Event Number. See List of Events section. 153
TimeGenerated datetime     Event generation date/time 2017-02-20 13:11:11.217
TimeReceived datetime     Event received at ER date/time 2017-02-20 13:16:28.047
EventGUID uniqueidentifier     Event UUID 9F8EB86C-AA0D-42B9-8720-166FAB91F1ED
PID int     Process ID 8723
ParentPID int     Parent Process ID 142916
CommandLine nvarchar   1024 Command Line "C:\cygwin64\bin\sh.exe"
FileName nvarchar   255 File Name c:\cygwin64\bin\sh.exe
ProcessStartTime datetime   1 Date/Time Process Started 2017-02-20 13:11:11.217
Reason nvarchar   1024 Reason entered by user <None>
ClientIPV4 nvarchar   15 Client IP Address
ClientName nvarchar   1024 Client Name L-CNU410DJJ7
UACTriggered bit     1 if UAC shown 0
ParentProcessUniqueID uniqueidentifier     Parent process UUID C404C7F5-3A93-4C0E-81BC-9902D220C21E
COMCLSID uniqueidentifier     COM CLSID NULL
COMAppID uniqueidentifier     COM Application ID NULL
COMDisplayName nvarchar 1024   COM Display Name <None>
ApplicationType nvarchar 4   Application Type svc
TokenGUID uniqueidentifier     UUID of token in policy F30A3824-27AF-4D69-9125-C78E44764AC1
Executed bit     1 if executed, 0 otherwise 1
Elevated bit     1 if elevated, 0 otherwise 1
Blocked bit     1 if blocked, 0 otherwise 0
Passive bit     1 if passive, 0 otherwise 0
Cancelled bit     1 if cancelled, 0 otherwise 0
DropAdmin bit     1 if admin rights dropped, 0 otherwise 0
EnforceUsersDefault bit     1 if user default permissions were enforced, 0 otherwise 0
Custom bit     1 if Custom Token, 0 otherwise 0
SourceURL nvarchar 2048   Source URL <None>
AuthorizationChallenge nvarchar 9   Challenge Response authorization code <None>
WindowsStoreAppName nvarchar 200   Windows Store application name (appx app type only) <None>
WindowsStoreAppPublisher nvarchar 200   Windows Store application publisher (appx app type only) <None>
WindowsStoreAppVersion nvarchar 200   Window Store application version (appx app type only) <None>
DeviceType nvarchar 40   Device Type Fixed Disk
ServiceName nvarchar 1024   Service name (svc events only) <None>
ServiceDisplayName nvarchar 1024   Service Display Name (svc app type only) <None>
PowerShellCommand nvarchar 1024   PowerShell Command (ps1/rpsc/rpss app types only) <None>
ApplicationPolicyDescription nvarchar 1024   Policy Description <None>
SandboxGUID uniqueidentifier     Sandbox UUID (sandbox events only) NULL
SandboxName nvarchar 1024   Sandbox Name (sandbox events only) NULL
BrowseSourceURL nvarchar 2048   Sandbox browse source (sandbox events only) <None>
BrowseDestinationURL nvarchar 2048   Sandbox destination source (sandbox events only) <None>
Classification nvarchar 200   Sandbox classification (sandbox events only) Private (Local)
IEZoneTag nvarchar 200   IE Zone Tag <None>
OriginSandbox nvarchar 40   Origin Sandbox <None>
OriginIEZone nvarchar 40   Origin IE Zone <None>
TargetSandbox nvarchar 40   Target Sandbox <None>
TargetIEZone nvarchar 40   Target IE Zone <None>
AuthRequestURI nvarchar 1024   Authorization request URL (osx challenge/response only) <None>
PlatformVersion nvarchar 10   Platform Version <None>
ControlAuthorization bit     1 is Endpoint Privilege Management authorized this macOS application 0
TrustedApplicationName nvarchar 1024   Name of the trusted application Microsoft Word
TrustedApplicationVersion nvarchar 1024   Version of the trusted application 11.1715.14393.0
ParentProcessFileName nvarchar 1024   Parent process file name Google Chrome
ApplicationHash nvarchar 40   SHA1 of the application C22FF10511ECCEA1824A8DE64B678619C21B4BEE
ProductCode nvarchar 1024   Product Code <None>
UpgradeCode nvarchar 1024   Upgrade Code <None>
FileVersion nvarchar 1024   File Version <None>
MD5 nvarchar 32   MD5 hash of the app 6E641CAE42A2A7C89442AF99613FE6D6
TokenAssignmentGUID uniqueidentifier     UUID of the token assignment in the policy E7654321-BBBB-5AD2-B954-1234DDC7A89D
TokenAssignmentIsShell bit     Token assignment is for shell 1
UserSID nvarchar 200   User SID S-1-21-123456789-123456789-16357176381125883508
UserName nvarchar 1024   User Name EGUser18
UserDomainSID nvarchar 200   User Domain SID S-1-21-123456789-123456789-1635717638
UserDomainName nvarchar 1024   User Domain EGDomain
UserDomain NameNETBIOS nvarchar 15   User Domain NETBIOS EGDOMAIN
ChassisType nvarchar 40   Chassis Type Laptop
HostSID nvarchar 200   Host SID S-1-21-123456789-123456789-1635717638775838649
HostName nvarchar 1024 3* Host Name EGHostWin18
HostNameNETBIOS nvarchar 15 3* Host NETBIOS EGHOSTWIN18
OS nvarchar     OS Version 10.0
OSProductType int     OS Product Type  
HostDomainSID nvarchar 200   Host Domain SID S-1-21-123456789-123456789-1635717638
HostDomainName nvarchar 1024   Host Domain EGDomain
HostDomain NameNETBIOS nvarchar 15   Host Domain NETBIOS EGDOMAIN
AuthUserSID nvarchar 200   Authorizing User SID <None>
AuthUserName nvarchar 1024   Authorizing User <None>
AuthUserDomainSID nvarchar 200   Authorizing User Domain SID <None>
AuthUserDomainName nvarchar 1024   Authorizing User Domain <None>
AuthUserDomain NameNETBIOS nvarchar 15   Authorizing User Domain NETBIOS <None>
FileOwnerUserSID nvarchar 200   File Owner SID S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
FileOwnerUserName nvarchar 1024   File Owner NT SERVICE\TrustedInstaller
FileOwnerDomainSID nvarchar 200   File Owner Domain SID S-1-5-80
FileOwnerDomainName nvarchar 1024   File Owner Domain NT SERVICE
FileOwnerDomain NameNETBIOS nvarchar 15   File Owner Domain NETBIOS <None>
ApplicationURI nvarchar 1024   URI of the macOS Application com.apple.preference.datetime
ApplicationDescription nvarchar 2048   Application Description c:\cygwin64\bin\sh.exe
FirstDiscovered datetime     Time application first seen 2017-02-07 09:14:39.413
FirstExecuted datetime     Time application first executed 2017-02-07 09:07:00.000
PlatformType nvarchar 10   Platform Type Windows
ProductName nvarchar 1024   Product Name ADelRCP Dynamic Link Library
ProductVersion nvarchar 1024   Product Version 15.10.20056.167417
Publisher nvarchar 1024   Publisher Adobe Systems, Incorporated
TrustedOwner bit     1 if a trusted owner, 0 otherwise 0
MessageGUID uniqueidentifier     UUID of the message in the policy 00000000-0000-0000-0000-000000000000
MessageName nvarchar 1024   Name of the message in the policy Block Message
MessageType nvarchar 40   Message Type Prompt
AppGroupGUID uniqueidentifier     UUID of the Application Group in the Policy 47E4A204-FC06-428B-8E73-1E36E3A65430
AppGroupName nvarchar 1024   Application Group Name in the Policy Test Policy.test
PolicyID bigint     Internal ID of the Policy 2
PolicyGUID uniqueidentifier     UUID of the Policy E7654321-AAAA-5AD2-B954-12342918D604
PolicyName nvarchar 1024   Policy Name EventGen Test Policy
WorkstyleName nvarchar 1024   Workstyle Name EventGen Test Workstyle
ContentFileName nvarchar 255   Content File Name c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf
ContentFileDescription nvarchar 1024   Content File Description <None>
ContentFileVersion nvarchar 1024   Content File Version <None>
ContentOwnerSID nvarchar 200   Content Owner SID S-1-21-123456789-123456789-1635717638-1072059836
ContentOwnerName nvarchar 1024   Content Owner EGUser1
ContentOwnerDomainSID nvarchar 200   Content Owner Domain SID S-1-5-21-2217285736-120021366-3854014904
ContentOwnerDomainName nvarchar 1024   Content Owner Domain BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA
ContentOwnerDomain NameNetBIOS nvarchar 15   Content Owner Domain NETBIOS BEYONDTRUSTTEST58
UninstallAction nvarchar 20   The uninstall action carried out Change/Modify
TokenName nvarchar 20   The name of the event action Blocked
TieStatus int     Threat Intelligence Exchange status for the reputation of this application 0
TieScore int     Threat Intelligence Exchange score for the application  
VtStatus int     VirusTotal status for the reputation of this application  
RuleScriptFileName nvarchar 200   The name in config of the script associated with the rule Get-McAfeeGTIReputation
RuleScriptName nvarchar 200   The name of the script set by interface Get-McAfeeGTIReputation
RuleScriptVersion nvarchar 20   Version number of the script. 1.1.0
RuleScriptPublisher nvarchar 200   Publisher that signed the script BeyondTrust
RuleScriptRuleAffected bit     True when the script has set all settable rule properties; otherwise false True
RuleScriptStatus nvarchar 100   Success OR Why the configured script didn't run or set rule properties Success
RuleScriptResult nvarchar 1024   Result of the script run Script ran successfully
RuleScriptOutput nvarchar 1024   The output of the script  
AuthorizationSource nvarchar 200   The Authorizing User Credential Source  
AuthMethods nvarchar 1024   The type of authentication method selected in the Policy Editor. Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated.
IdPAuthentication nvarchar 400   The credential provided when adding an Identity Provider authorization message in the Policy Editor.