13. List of Event IDs

This list contains all event IDs that Aurora can produce. Event IDs are used when logging to the Windows Eventlog, and can also be included in the log message using --print-event-id.

13.1. Sigma related event IDs

Event ID	Description
1	A process creation Sigma rule matched.
2	A set file creation time sigma rule matched.
3	A network connection sigma rule matched.
4	A sysmon status Sigma rule matched.
5	A process termination Sigma rule matched.
6	A driver loaded Sigma rule matched.
7	An image loaded Sigma rule matched.
8	A create remote thread Sigma rule matched.
9	A raw disk access Sigma rule matched.
10	A process access Sigma rule matched.
11	A file creation Sigma rule matched.
12	A registry event Sigma rule matched.
15	A create stream hash Sigma rule matched.
17	A pipe event Sigma rule matched.
19	A WMI event Sigma rule matched.
12	A registry event Sigma rule matched.
22	A DNS query Sigma rule matched.
23	A file deletion Sigma rule matched.
95	An error occurred while loading the Sigma rules.
96	Sigma rules were reloaded.
97	No Sigma rule files were found.
98	Unspecified log message from Sigma module.
99	Another Sigma rule (that did not belong to one of the above categories) matched.
6000	A response for a sigma match was executed.
6001	A response for a sigma match was simulated.

13.2. Internal event IDs

Event ID	Description
100	A license file was found.
101	Status message (from `--report-stats`)
102	Aurora Agent started.
103	Aurora Agent is terminating.
104	The current license expired.
105	No valid license file was found.
107	A process created a large amount of events.
108	An internal panic occurred.

13.3. Event IDs for other modules

Event ID	Module
200	BeaconHunter
300	Lsass Dump Detector
400	ETW Canary
500	Process Tampering Detector
600	Temporary Driver Load Detector
700	Command Line Mismatch Detector
800	Event Distributor
900	ETW Provider
1000	Eventlog Provider
1100	Handle Polling Provider
1200	Resource Control
1301	Filename IOC Match Found