Microsoft-Antimalware-RTP

29 events across 1 channel

Event ID	Title	Channel
1		Application
2		Application
3		Application
4		Application
5		Application
6		Application
7		Application
8		Application
9		Application
10		Application
11		Application
12		Application
13		Application
14		Application
15		Application
16		Application
17		Application
18		Application
19		Application
20		Application
21		Application
22		Application
23		Application
24		Application
25		Application
26		Application
27		Application
28		Application
29		Application

Event ID 1 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPassthrough
Opcode: Start

Event ID 2 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPassthrough
Opcode: Stop

Event ID 3 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPlugin
Opcode: Start

Event ID 4 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPlugin
Opcode: Stop

Event ID 5 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFilterLoad

Event ID 6 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFilterUnload

Event ID 7 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSetEngine

Event ID 8 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFlushCache

Event ID 9 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPScanTimeout

Event ID 10 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPEnabled

Event ID 11 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPDisabled

Event ID 12 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPConfigUpdate

Event ID 13 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSetRegistryMonitoring

Event ID 14 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPThreatDetection

Fields #

Name	Description
`File` UnicodeString	—

Event ID 15 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSampleDetection

Fields #

Name	Description
`File` UnicodeString	—

Event ID 16 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPLofiDetection

Fields #

Name	Description
`File` UnicodeString	—

Event ID 17 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPExpensiveDetection

Fields #

Name	Description
`File` UnicodeString	—

Event ID 18 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPBMDetection

Event ID 19 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSeqRead

Event ID 20 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSuspend

Event ID 21 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPResume

Event ID 22 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPriority

Fields #

Name	Description
`Description` UnicodeString	—
`PreviousValue` UInt32	—
`IntendedValueOrHResult` UInt32	—
`LatestValue` UInt32	—

Event ID 23 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DlpPerfOperation
Opcode: Start

Fields #

Name	Description
`Operation` UInt32	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`SubOperation` UInt32	—
`AccessCheck` UInt32	—

Event ID 24 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DlpPerfOperation
Opcode: Stop

Fields #

Name	Description
`Operation` UInt32	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`SubOperation` UInt32	—
`AccessCheck` UInt32	—

Event ID 25 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64	—
`ActionType` UnicodeString	—
`Access` UnicodeString	—
`Policy` UnicodeString	—
`MachineName` UnicodeString	—
`MediaName` UnicodeString	—
`ClassName` UnicodeString	—
`ClassGuid` UnicodeString	—
`UserName` UnicodeString	—
`VendorId` UnicodeString	—
`ProductId` UnicodeString	—
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`SerialNumber` UnicodeString	—
`BusType` UnicodeString	—
`FilePath` UnicodeString	—
`FileSize` UInt64	—
`Tag` UInt64	—
`DomainAuthenticatedNetworkPresent` UnicodeString	—
`ActiveVPNConnections` UnicodeString	—
`ProcessImageName` UnicodeString	—
`PolicyId` UnicodeString	—
`AccessChainRuleIds` UnicodeString	—
`AccessChainRuleEntryIds` UnicodeString	—
`PrinterPortName` UnicodeString	—

Event ID 26 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64	—
`Policy` UnicodeString	—
`PolicyRuleId` UnicodeString	—
`DuplicatedOperation` UnicodeString	—
`MachineName` UnicodeString	—
`UserName` UnicodeString	—
`ClassName` UnicodeString	—
`MediaName` UnicodeString	—
`InstanceId` UnicodeString	—
`SerialNumber` UnicodeString	—
`VendorId` UnicodeString	—
`ProductId` UnicodeString	—
`DeviceFilePath` UnicodeString	—
`EvidenceFileSize` UInt64	—
`EvidenceFileLocation` UnicodeString	—
`Tag` UInt64	—

Event ID 27 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFileScanResult

Fields #

Name	Description
`FileName` UnicodeString	—
`ScanReason` UInt32	—
`FileId` UInt64	—
`USN` UInt64	—
`RtpScanResult` UInt32	—
`RtpScanAction` UInt32	—
`DoNotCache` UInt32	—
`Flags` UInt32	—
`ScanResult` UInt32	—
`hr` UInt32	—

Event ID 28 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64	—
`CurrentGrantedAccess` UnicodeString	—
`MaximumPossibleGrantedAccess` UnicodeString	—
`CurrentDeniedAccess` UnicodeString	—
`MinimumGuaranteedDeniedAccess` UnicodeString	—
`MachineName` UnicodeString	—
`UserName` UnicodeString	—
`ClassName` UnicodeString	—
`MediaName` UnicodeString	—
`BusType` UnicodeString	—
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`SerialNumber` UnicodeString	—
`VendorId` UnicodeString	—
`ProductId` UnicodeString	—
`DomainAuthenticatedNetworkPresent` UnicodeString	—
`ActiveVPNConnections` UnicodeString	—
`ActiveNetworks` UnicodeString	—
`DevicePolicyGroupMembership` UnicodeString	—

Event ID 29 —

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64	—
`State` UnicodeString	—