Security events list

Last updated May 27th, 2026

This page describes every security event available in Knox Asset Intelligence, divided into two sections (Essential and Advanced security events). Each event includes the following primary information:

Severity: The severity of the event:
- High severity events are typically Indicators of Attack or Indicators of Compromise that could be malicious, resulting in potentially significant damage.
- High and Medium severity events are generally actionable
- Low severity events are mainly to provide contextual information for incident investigations and policy violations.
Type: The type of event, as categorized by Knox Asset Intelligence. See Security events summary for a detailed description of each type.
- Application: Events that trigger when an app’s permission state is enabled or changed.
- Audit: A general event type that captures a wide range of scenarios, typically when an admin makes a privilege change or performs an action.
- Process: Events that trigger when an app changes its identity in a way that grants itself escalated privileges.
- System: Events that indicate the device binary or peripherals (like the camera or microphone) were compromised.
- User: Events triggered by actions such as a device user tapping or copying a potentially suspicious URL.
- Network: Events related to network connectivity, such as VPN binding failures.
MITRE Technique ID: Technique ID from the MITRE ATT&CK framework.
Default: Indicates if this event is captured from Knox Asset Intelligence by default, or if you need to manually select it when configuring your security log settings.
Additional details: Provides additional information for the event, such as its dependencies and unique contextual properties.

Common event properties

In addition to the primary information, each event also includes the following common properties when sent to your Microsoft Sentinel environment:

DeviceImei1: Main IMEI number of the device
DeviceImei2: Secondary IMEI number of the device
DeviceModel: Model number of the device
DeviceSerialNumber: Serial number of the device
DeviceWifimac: Hardware Wi-fi MAC address of the device
EventId: ID associated with the event
EventTime: Timestamp when the event was generated on the device
MitreTtp: Technique ID from the MITRE ATT&CK framework for the event
Name: Name of the event
PrimaryImei: Primary IMEI of the device
Profile: Indicates whether the event contain sensitive security metadata, related to the device management type:
- Public profile — Indicates that the security event includes non-sensitive metadata, or metadata that doesn’t necessarily infringe on a user’s privacy. Metadata from security events triggered from company-owned devices, dedicated devices, or the work profile on company-owned devices are considered public, as these events are usually associated with a company’s work activity, and not a user’s private activities. For example, if a suspicious URL is clicked by the device user in a Work profile, the URL metadata is stored.
- Private profile — Indicates that the security event includes sensitive metadata related to a user’s private activities. Metadata from security events triggered by the personal profile on company-owned devices are considered private, as these events are associated with a user’s personal activity. For example, if a suspicious URL is clicked by the device user in a Personal profile, the URL metadata is considered private, and is not stored.
TimeGenerated: Timestamp (in UTC) when the event was ingested into Sentinel. EventTime and TimeGenerated generally will refer to the same timestamp, unless the event is ingested in Sentinel 3 days after it is generated on the device. In such cases, TimeGenerated will reflect when the event was ingested into Sentinel.
Version: Version number of the datasource that generated the event

Some security events are Android OS and device model dependent. While configuring Security Log settings, refer to the Dependencies information of each event description to ensure that your devices are supported.

Essential security events

High severity

Severity	Type	MITRE Technique IDs	Default?	Additional details
BOOT_COMPROMISED_SOFTWARE_BINARY
Indicates the device boot binary is at risk of compromise
High	System	T1645	Yes	View BOOT_COMPROMISED_SOFTWARE_BINARY Dependencies: none Notes: none Properties: ArpDevice (String) AvbBootPatchLevel (String) AvbBootState (String) AvbDeviceLocked (String) AvbOsPatchLevel (String) AvbOsVersion (String) AvbVendorPatchLevel (String) AvbVerityMode (String) BLBuildId (String) BLBuildType (String) BLEvent (String) BLEventTarget (String) BLMode (String) BLRP (String) CCModeState (String) CustomCount (String) EDLCount (String) EmFuseHistory (String) EmStatus (String) EmTokens (String) FOTACount (String) FrpState (String) ImgStatus (String) KernelBuildId (String) KernelBuildType (String) KernelRP (String) KernelState (String) KGFuse (String) KGState (String) MDMState (String) ODINCount (String) RebootReason (String) RPMBState (String) SecureBoot (String) SystemBuildId0 (String) SystemBuildId1 (String) SystemBuildId2 (String) SystemRP (String) UnlockCount (String) VbMetaType (String) WbFuse (String) WbReason (String) WpState (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
LOG_IS_FULL
Indicates the on-device Knox Security Log is full
High	Audit	KNOX.1	Yes	View LOG_IS_FULL Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
PASSWORD_LOCKOUT
Indicates when the device is locked out after the device user has reached the maximum password attempts
High	User	T1110	No	View PASSWORD_LOCKOUT Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA
Indicates when the device camera access has been detected while it is disabled by a system policy
High	System	KNOX.2	No	View PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA Dependencies: none Not supported on the following device models: SM-A042 SM-A045 SM-A055 / M055 / E055 SM-A057 SM-A065 / M065 SM-A066 / M066 /E066 SM-A075 / M075 / E075 SM-A076 SM-A145 SM-A146 / S146 SM-A155 SM-A156 / S156 SM-A165 SM-A166 / S166 SM-A175 SM-A176 / M* / E* / S* SM-A253 SM-A266 / S266 SM-M145 / E145 SM-M146 / E146 SM-M156 / E156 SM-M166 / E166 SM-M55* / E556 / C5560 SM-X21* SM-X11* SM-X13* Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC
Indicates when the device microphone access has been detected while it is disabled by a system policy
High	System	KNOX.2	No	View PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC Dependencies: Not supported on the following device models: SM-A042 SM-A045 SM-A055 / M055 / E055 SM-A057 SM-A065 / M065 SM-A066 / M066 /E066 SM-A075 / M075 / E075 SM-A076 SM-A145 SM-A146 / S146 SM-A155 SM-A156 / S156 SM-A165 SM-A166 / S166 SM-A175 SM-A176 / M* / E* / S* SM-A253 SM-A266 / S266 SM-M145 / E145 SM-M146 / E146 SM-M156 / E156 SM-M166 / E166 SM-M55* / E556 / C5560 SM-X21* SM-X11* SM-X13* SM-A236V SM-A256B SM-A336B SM-A346B SM-A356B SM-A536B SM-A546B SM-A736B SM-M336B SM-E346B SM-M356B SM-E366B SM-M536B SM-E546B SM-P620_ SM-T636B SM-X306B SM-X406B SM-X826B SM-X926B SM-X736B SM-X936B SM-X516B SM-X616B SM-G556B SM-G736B Notes: none Properties: none

Medium severity

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADB_SHELL_INTERACTIVE
Indicates an ADB interactive shell was opened via "adb shell"
Medium	Audit	T1623	No	View TAG_ADB_SHELL_INTERACTIVE Dependencies: none Notes: none Properties: none

Low severity

Severity	Type	MITRE Technique IDs	Default?	Additional details
BOOT_STATE
Indicates the device boot state
Low	System	-	Yes	View BOOT_STATE Dependencies: none Notes: none Properties: ArpDevice (String) AvbBootPatchLevel (String) AvbBootState (String) AvbDeviceLocked (String) AvbOsPatchLevel (String) AvbOsVersion (String) AvbVendorPatchLevel (String) AvbVerityMode (String) BLBuildId (String) BLBuildType (String) BLEvent (String) BLEventTarget (String) BLMode (String) BLRP (String) CCModeState (String) CustomCount (String) EDLCount (String) EmFuseHistory (String) EmStatus (String) EmTokens (String) FOTACount (String) FrpState (String) ImgStatus (String) KernelBuildId (String) KernelBuildType (String) KernelRP (String) KernelState (String) KGFuse (String) KGState (String) MDMState (String) ODINCount (String) RebootReason (String) RPMBState (String) SecureBoot (String) SystemBuildId0 (String) SystemBuildId1 (String) SystemBuildId2 (String) SystemRP (String) UnlockCount (String) VbMetaType (String) WbFuse (String) WbReason (String) WpState (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
KEY_INPUT_CAPTURE_CAPABILITY
Indicates when the key input capture permission for an app is enabled
Low	Application	T1417	No	View KEY_INPUT_CAPTURE_CAPABILITY Dependencies: none Notes: none Properties: PkgName (String) AccessibilityApi (String) RestrictedPerms (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
PREVENT_APP_REMOVAL_CAPABILITY
Indicates when an app removal is prevented
Low	Application	T1629	No	View PREVENT_APP_REMOVAL_CAPABILITY Dependencies: none Notes: none Properties: PkgName (String) AccessibilityApi (String) RestrictedPerms) (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_REQUESTED_FULL_WIPE_OF_DEVICE
Indicates an IT admin requested full wipe of device
Low	Audit	T1630	No	View TAG_ADMIN_HAS_REQUESTED_FULL_WIPE_OF_DEVICE Dependencies: none Notes: none Properties: UserId (Integer) AdmPkgName (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_FAILED_TO_WIPE_USER_DATA
Indicates the process of wiping user data on the device failed for a specific reason
Low	Audit	T1630	No	View TAG_FAILED_TO_WIPE_USER_DATA Dependencies: none Notes: none Properties: Reason (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_WIPING_DATA_IS_NOT_ALLOWED_FOR_THIS_USER
Indicates the process of wiping data (factory reset) is not allowed for this user
Low	Audit	T1630	No	View TAG_WIPING_DATA_IS_NOT_ALLOWED_FOR_THIS_USER Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
USER_INTERACTION_CONTROL_CAPABILITY
Indicates when the user screen control permission in an app is enabled
Low	Application	T1516	No	View USER_INTERACTION_CONTROL_CAPABILITY Dependencies: none Notes: none Properties: PkgName (String) AccessibilityApi (String) RestrictedPerms) (String)

Advanced security events

High severity

Severity	Type	MITRE Technique IDs	Default?	Additional details
PROCESS_PRIVILEGE_ESCALATION
Indicates when an app has transitioned from an acceptable uid/esuid/fsuid to a non-app id
High	Process	T1548, T1543	No	View PROCESS_PRIVILEGE_ESCALATION Dependencies: Device models compatible with 32-bit apps (ABI) are not supported. These include: SM-A736 SM-F711 SM-F926 SM-G990 SM-G991 SM-G996 SM-G736 SM-G998 SM-M446 SM-T630 SM-T636 Notes: none Properties: Atime (Long) CmdLine (String) Ctime (Long) Cwd (String) Egid (Integer) Euid (Integer) ExitCode (Integer) Fsgid (Integer) Fsuid (Integer) Gid (Integer) Hash (String) ModifiedEgid (Integer) ModifiedEuid (Integer) ModifiedFsgid (Integer) ModifiedFsuid (Integer) ModifiedGid (Integer) ModifiedUid (Integer) Mtime (Long) OwnerGid (Integer) OwnerUid (Integer) Path (String) Pid (Integer) PkgName (String) Ppid (Integer) SeTag (String) Sgid (Integer) StartTime (Long) Suid (Integer) Syscall (Integer) Tid (Integer) Uid (Integer)

Medium severity

Severity	Type	MITRE Technique IDs	Default?	Additional details
SUSPICIOUS_URL_ACCESSED
Indicates when the device user tapped or clicked on a potentially suspicious URL on the device
Medium	User	T1566, T1660	No	View SUSPICIOUS_URL_ACCESSED Dependencies: 32-bit device models are not supported Notes: none Properties: ConfidenceScore (Real) PkgName (String) Url (String) UrlType (Integer)

Low severity

Severity	Type	MITRE Technique IDs	Default?	Additional details
ACCESS_CALL_LOG_PERMISSION
Indicates when an app has permission to access call logs on launch
Low	Application	T1636	No	View ACCESS_CALL_LOG_PERMISSION Dependencies: none Notes: none Properties: PkgName (String) AccessibilityApi (String) RestrictedPerms) (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
ACCESS_NOTIFICATION_PERMISSION
Indicates when permission to access/manage notifications in an app is enabled
Low	Application	T1517	No	View ACCESS_NOTIFICATION_PERMISSION Dependencies: none Notes: none Properties: PkgName (String) AccessibilityApi (String) RestrictedPerms) (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
RESTRICTED_PERMISSION
Indicates the launched app has 'restricted permission'
Low	Application	-	No	View RESTRICTED_PERMISSION Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
SCREEN_CAPTURE_CAPABILITY
Indicates when the use of device screen capture permission for an app is enabled
Low	Application	T1513	No	View SCREEN_CAPTURE_CAPABILITY Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
SUSPICIOUS_URL_DETECTED
Indicates when the device user has copied a potentially suspicious URL on the device
Low	User	T1566, T1660	No	View SUSPICIOUS_URL_DETECTED Dependencies: 32-bit device models are not supported Notes: none Properties: ConfidenceScore (Real) PkgName (String) Url (String) UrlType (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADB_SHELL_CMD
Indicates that a shell command was issued over ADB via adb shell
Low	Audit	-	No	View TAG_ADB_SHELL_CMD Dependencies: none Notes: Potentially high volume event, triggered when the device is being used with a USB cable or in wireless debug mode. Properties: Cmd (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADD_UNTRUSTED
Indicates an IT admin added a certificate to the trusted database
Low	Audit	-	No	View TAG_ADD_UNTRUSTED Dependencies: none Notes: none Properties: AdmPkgName (String) Issuer (String) Subject (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ADDED_SSID_TO_THE_RESTRICTION_ALLOWLIST
Indicates an IT admin added an SSID to the restriction allowlist
Low	Audit	-	No	View TAG_ADMIN_HAS_ADDED_SSID_TO_THE_RESTRICTION_ALLOWLIST Dependencies: none Notes: none Properties: AdmPkgName (String) Ssid (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ADDED_TO_CAMERA_ALLOWLIST
Indicates an IT admin added a package and signature to the camera allowlist
Low	Audit	-	No	View TAG_ADMIN_HAS_ADDED_TO_CAMERA_ALLOWLIST Dependencies: none Notes: none Properties: AdmPkgName (String) PkgName (String) Signature (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ALLOWED_CAMERA
Indicates an IT admin allowed the camera
Low	Audit	-	No	View TAG_ADMIN_HAS_ALLOWED_CAMERA Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ALLOWED_MICROPHONE
Indicates an IT admin allowed the microphone
Low	Audit	-	No	View TAG_ADMIN_HAS_ALLOWED_MICROPHONE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ALLOWED_TO_INSTALL_APPLICATION
Indicates an IT admin allowed application installation
Low	Audit	-	No	View TAG_ADMIN_HAS_ALLOWED_TO_INSTALL_APPLICATION Dependencies: none Notes: none Properties: AdmPkgName (String) PkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_CHANGED_LOCK_SCREEN_STATE_TO_DISABLED
Indicates an IT admin changed the lock screen state to disabled
Low	Audit	-	No	View TAG_ADMIN_HAS_CHANGED_LOCK_SCREEN_STATE_TO_DISABLED Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_CHANGED_NFC_STATE_CHANGE
Indicates an IT admin has allowed the NFC state change
Low	Audit	-	No	View TAG_ADMIN_HAS_CHANGED_NFC_STATE_CHANGE Dependencies: none Notes: none Properties: AdmPkgName (String) Allow (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_CHANGED_SCREEN_LOCK_TIME_OUT
Indicates an IT admin changed the screen lock timeout
Low	Audit	-	No	View TAG_ADMIN_HAS_CHANGED_SCREEN_LOCK_TIME_OUT Dependencies: none Notes: none Properties: AdmPkgName (String) Timeout (Integer) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_DISALLOWED_MICROPHONE
Indicates an IT admin disallowed the microphone
Low	Audit	-	No	View TAG_ADMIN_HAS_DISALLOWED_MICROPHONE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ENABLED_BLUETOOTH_DISCOVERABLE_STATE
Indicates an IT admin enabled Bluetooth discoverable state
Low	Audit	-	No	View TAG_ADMIN_HAS_ENABLED_BLUETOOTH_DISCOVERABLE_STATE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_ENABLED_WIFI_DIRECT
Indicates an IT admin enabled Wi-Fi Direct
Low	Audit	-	No	View TAG_ADMIN_HAS_ENABLED_WIFI_DIRECT Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_LOCKED_WORKSPACE
Indicates an IT admin locked the workspace
Low	Audit	-	No	View TAG_ADMIN_HAS_LOCKED_WORKSPACE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_REMOVED_ALL_SSID_FROM_THE_RESTRICTION_BLOCKLIST
Indicates an IT admin removed all SSIDs from the restriction blocklist
Low	Audit	-	No	View TAG_ADMIN_HAS_REMOVED_ALL_SSID_FROM_THE_RESTRICTION_BLOCKLIST Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_REMOVED_SSID_FROM_THE_RESTRICTION_BLOCKLIST
Indicates an IT admin removed an SSID from the restriction blocklist
Low	Audit	-	No	View TAG_ADMIN_HAS_REMOVED_SSID_FROM_THE_RESTRICTION_BLOCKLIST Dependencies: none Notes: none Properties: AdmPkgName (String) Ssid (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_SUCCESSFULLY_LOCKED_WORKSPACE
Indicates an IT admin successfully locked the workspace
Low	Audit	-	No	View TAG_ADMIN_HAS_SUCCESSFULLY_LOCKED_WORKSPACE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_SUCCESSFULLY_UNLOCKED_WORKSPACE
Indicates an IT admin successfully unlocked the workspace
Low	Audit	-	No	View TAG_ADMIN_HAS_SUCCESSFULLY_UNLOCKED_WORKSPACE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ADMIN_HAS_UNLOCKED_WORKSPACE
Indicates an IT admin unlocked the workspace
Low	Audit	-	No	View TAG_ADMIN_HAS_UNLOCKED_WORKSPACE Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_APPLICATION_ACTION_FAILED_BECAUSE_OF_SIGNATURE_VERIFICATION_FAILURE
Indicates the application action has failed because of signature verification failure
Low	Audit	-	No	View TAG_APPLICATION_ACTION_FAILED_BECAUSE_OF_SIGNATURE_VERIFICATION_FAILURE Dependencies: none Notes: none Properties: Action (String) PkgName (String) Reason (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BECAUSE_SIGNED_UNTRUSTED_CA
Indicates an app installation is not allowed because it is signed by an untrusted CA
Low	Audit	-	No	View TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BECAUSE_SIGNED_UNTRUSTED_CA Dependencies: none Notes: none Properties: PkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_BLOCKLIST
Indicates the application is being blocked from installation by a device policy enforced by an IT admin
Low	Application	-	No	View TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_BLOCKLIST Dependencies: none Notes: none Properties: AdmPkgName (String) PkgName (String) Policy (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_INSTALLER_BLOCKLIST
Indicates that an IT admin has blocked the installation of an application from a specific installer
Low	Application	-	No	View TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_INSTALLER_BLOCKLIST Dependencies: none Notes: none Properties: AdmPkgName (String) PkgName (String) Policy (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_BACKUP_SERVICE_TOGGLED
Indicates an IT admin has enabled or disabled the backup service
Low	Audit	-	No	View TAG_BACKUP_SERVICE_TOGGLED Dependencies: none Notes: none Properties: AdmPkgName (String) AdmUserId (Integer) Enabled (Boolean)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_BIND_TO_VPN_FAILED_COULD_NOT_FIND_PACKAGE
Indicates when a bind to the VPN vendor service failed as the vendor package could not be found
Low	Network	-	No	View TAG_BIND_TO_VPN_FAILED_COULD_NOT_FIND_PACKAGE Dependencies: none Notes: none Properties: PkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_BLUETOOTH_CONNECTION
Indicates the device attempts to connect to a Bluetooth device
Low	Audit	-	No	View TAG_BLUETOOTH_CONNECTION Dependencies: none Notes: none Properties: MacAddr (String) Reason (String) Result (Boolean)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_CERT_AUTHORITY_INSTALLED
Indicates a new root certificate has been installed into the system's trusted credential storage
Low	Audit	-	No	View TAG_CERT_AUTHORITY_INSTALLED Dependencies: none Notes: none Properties: Result (Boolean) Subject (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_CERT_AUTHORITY_REMOVED
Indicates a new root certificate has been removed from the system's trusted credential storage
Low	Audit	-	No	View TAG_CERT_AUTHORITY_REMOVED Dependencies: none Notes: none Properties: Result (Boolean) Subject (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_ERROR_OCCURRED_WHILE_VALIDATING_PROFILE_INFORMATION_FOR_VENDOR
Indicates that during VPN profile creation, an error occurred while validating the vendor
Low	Audit	-	No	View TAG_ERROR_OCCURRED_WHILE_VALIDATING_PROFILE_INFORMATION_FOR_VENDOR Dependencies: none Notes: none Properties: PkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_KEY_INTEGRITY_VIOLATION
Indicates a failed cryptographic key integrity check
Low	Audit	-	No	View TAG_KEY_INTEGRITY_VIOLATION Dependencies: none Notes: none Properties: Alias (String) Uid (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT
Indicates there has been an authentication attempt to dismiss the keyguard
Low	Audit	-	No	View TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT Dependencies: none Notes: none Properties: Result (Boolean) Strong (Boolean)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_LOG_BUFFER_SIZE_CRITICAL
Indicates that the audit log buffer has reached 90% of its capacity
Low	Audit	-	No	View TAG_LOG_BUFFER_SIZE_CRITICAL Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_MEDIA_MOUNT
Indicates removable media has been mounted on the device
Low	Audit	-	No	View TAG_MEDIA_MOUNT Dependencies: none Notes: none Properties: MountPoint (String) VolLabel (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_MEDIA_UNMOUNT
Indicates that removable media was unmounted from the device
Low	Audit	-	No	View TAG_MEDIA_UNMOUNT Dependencies: none Notes: none Properties: MountPoint (String) VolLabel (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_MICROPHONE_ENABLED
Indicates the microphone is enabled
Low	Audit	-	No	View TAG_MICROPHONE_ENABLED Dependencies: none Notes: none Properties: PkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PACKAGE_INSTALLED
Indicates a package is installed
Low	Application	-	No	View TAG_PACKAGE_INSTALLED Dependencies: none Notes: none Properties: PkgName (String) VerCode (Long) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN
Indicates the application was activated as an IT admin
Low	Audit	-	No	View TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN
Indicates the application was removed as an IT admin
Low	Audit	-	No	View TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN Dependencies: none Notes: none Properties: AdmPkgName (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PACKAGE_UNINSTALLED
Indicates a package is uninstalled
Low	Application	-	No	View TAG_PACKAGE_UNINSTALLED Dependencies: none Notes: none Properties: PkgName (String) VerCode (Long) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PACKAGE_UPDATED
Indicates a package is updated
Low	Application	-	No	View TAG_PACKAGE_UPDATED Dependencies: none Notes: none Properties: PkgName (String) VerCode (Long) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PASSWORD_CHANGED
Indicates the device user has just changed their lock screen password
Low	User	-	No	View TAG_PASSWORD_CHANGED Dependencies: none Notes: none Properties: PwComplexity (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PASSWORD_COMPLEXITY_REQUIRED
Indicates an IT admin has set a password complexity requirement, using the platform's pre-defined complexity levels
Low	Audit	-	No	View TAG_PASSWORD_COMPLEXITY_REQUIRED Dependencies: none Notes: none Properties: AdmPkgName (String) AdmUserId (Integer) PwComplexity (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_PASSWORD_COMPLEXITY_SET
Indicates an IT admin has set a requirement for password complexity
Low	Audit	-	No	View TAG_PASSWORD_COMPLEXITY_SET Dependencies: none Notes: none Properties: AdmPkgName (String) AdmUserId (Integer) MinPwLength (Integer) MinNumOfLetters (Integer) MinNumOfNonLetters (Integer) MinNumOfDigits (Integer) MinNumOfUpperLetters (Integer) MinNumOfLowerLetters (Integer) MinNumOfSymbols (Integer) PwComplexity (String) PwConstraint (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_REMOTE_LOCK
Indicates an IT admin remotely locked the device or profile
Low	Audit	-	No	View TAG_REMOTE_LOCK Dependencies: none Notes: none Properties: AdmPkgName (String) AdmUserId (Integer) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_REMOVE_UNTRUSTED
Indicates an IT admin removed a certificate from the untrusted database
Low	Audit	-	No	View TAG_REMOVE_UNTRUSTED Dependencies: none Notes: none Properties: AdmPkgName (String) Issuer (String) Subject (String) UserId (Integer)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_SYNC_RECV_FILE
Indicates a file was pulled from the device via the adb daemon, for example via adb pull
Low	Audit	-	No	View TAG_SYNC_RECV_FILE Dependencies: none Notes: none Properties: Path (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_SYNC_SEND_FILE
Indicates a file was pushed to the device via the adb daemon, for example via adb push
Low	Audit	-	No	View TAG_SYNC_SEND_FILE Dependencies: none Notes: none Properties: Path (String)

Severity	Type	MITRE Technique IDs	Default?	Additional details
TAG_WIPE_FAILURE
Indicates a failure to wipe the device or user data
Low	Audit	-	No	View TAG_WIPE_FAILURE Dependencies: none Notes: none Properties: none

Severity	Type	MITRE Technique IDs	Default?	Additional details
VIDEO_CAPTURE_PERMISSION
Indicates when the video capture permission is requested by the app
Low	Application	T1512	No	View VIDEO_CAPTURE_PERMISSION Dependencies: none Notes: none Properties: PkgName (String) AccessibilityApi (String) RestrictedPerms) (String)

Security events list

Common event properties

Essential security events

High severity

Medium severity

Low severity

Advanced security events

High severity

Medium severity

Low severity

On this page