Action Type for the Events sent by the Endpoint Protection Manager

Article ID: 367617


Products

Endpoint Protection

Issue/Introduction

Need to know the Action Type values for the events sent by the Symantec Endpoint Protection Manager (SEPM) to an External Logging Server.

Environment

14.3.x

Resolution

In SEPM Reporting, the values for the Action Type in the AGENT_BEHAVIOR_LOG* tables are mapped as follows. Note that the same action label (for example Create, Open or Delete) is reused for several different object types (file, directory, registry key, process, thread, handle), so map events by the numeric value rather than by the label alone:

0 = Unknown action - N/A
1 = Create - Event for File System creation.
2 = Delete - Event for File System deletion.
3 = Open - For opening a File System object.
4 = Rename - For renaming a File System object.
5 = Set Attributes for - For setting an attribute on a File System object.
6 = Create - For creating a directory in a File System.
7 = Delete - For deleting a directory in a File System.
8 = Rename - For renaming a directory in a File System.
9 = Set Attributes for - For setting an attribute on a directory in a File System.
10 = Open - For opening a process.
11 = Open - For opening a thread.
12 = Duplicate - For duplicating an object.
13 = Open - For opening a registry key.
14 = Create - For creating a registry key.
15 = Delete - For deleting a registry key.
16 = Delete - For deleting a value in a registry key.
17 = Set - For setting a registry key.
18 = Rename - For renaming a registry key.
19 = Set Security for - For setting security on a registry key.
20 = Terminate - For terminating a process.
21 = Debug Process - For debugging an active process.
22 = Set Information - For setting process information.
23 = Impersonate Anonymous User - For impersonating an anonymous user.
24 = Open Token - For opening a process token.
25 = Open Token - For opening a thread token.
26 = Allocation - For virtual memory allocation.
27 = Write - For writing to virtual memory.
28 = Free - For freeing virtual memory.
29 = Map View - For mapping a view of a section.
30 = Unmap View - For unmapping a view of a section.
31 = Create - For creating a thread.
32 = Set Execution Context for - For setting the execution context of a thread.
33 = Set Information for - For setting information on a thread.
34 = Terminate - For terminating a thread.
35 = Suspend - For deletion of a thread.
36 = Resume - For resuming a thread.
37 = Alert - For alerting a thread.
38 = Alert Resume - For alert-resuming a thread.
39 = Impersonate User - For impersonation of a thread.
40 = Create - For creating a thread mutex.
41 = Open - For opening a thread mutex.
42 = Create - For creating an event.
43 = Open - For opening an event.
44 = Suspend - For suspending a process.
45 = Set Security for - For setting security on a File System object.
46 = Set Security for - For setting security on a directory in a File System.
47 = Create Hardlink - For creating a hard link.
48 = Assign Process - For assigning a process to a job.
49 = Protect - For protecting virtual memory.
50 = FileSystem Control - For File System control.
51 = FileSystem Control - For directory File System control.
52 = Send Terminate Message for - For sending a termination message.
53 = Post Terminate Message for - For posting a termination message.
54 = Post Thread Terminate Message - For posting a thread termination message.
55 = Create - For creating a thread process handle.
56 = Duplicate - For duplicating a thread process handle.
57 = Create - For creating a thread handle.
58 = Duplicate - For duplicating a thread handle.

The values are the same across different versions of Symantec Endpoint Protection (SEP).

Additional Information