GIM Category: agent
The Agent category includes events generated by software agents that operate autonomously on a system, such as antivirus clients, endpoint detection and response (EDR) sensors, or management agents. These agents typically perform monitoring, scanning, update, or remediation actions. Tracking agent activity helps validate system health, detect tampering, and ensure security services are functioning as intended.
activity
Events that describe the operational activity of a system agent, such as scanning, monitoring, or enforcement actions. These events often include both the performed action and its outcome, indicating whether the task completed successfully or failed.
Required Fields
event_action, event_outcome
Optional Fields
event_component
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 280000 | | agent | agent.activity | agent activity | General activity performed by a system agent, such as a periodic scan or enforcement action. |
| 280001 | | agent | agent.activity | antivirus or malware scan | A system agent performed a malware or antivirus scan. The event_action field indicates the specific task, and event_outcome indicates success or failure. |
update
Events that record update activity by a system agent, including updates to signatures, threat intelligence data, configuration, or the agent software itself. Monitoring update events helps confirm that agents remain current and functioning correctly.
Required Fields
event_action, event_outcome
Optional Fields
event_component
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 280100 | | agent | agent.update | agent update | A system agent initiated or completed an update of its configuration, threat intelligence, or software package. |
status
Events that describe the operational status or health of an agent or one of its components. Status events typically indicate whether the agent is running, idle, in error, or communicating properly with its management infrastructure.
Optional Fields
event_action, event_component, event_outcome
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 280200 | | agent | agent.status | agent status | An agent reported its current operational status or health state. |
default
General messages related to agent or component activity that do not fit more specific subcategories. These may include initialization messages, generic alerts, or vendor-specific telemetry.
Optional Fields
event_action, event_component, event_outcome
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 289999 | | agent | agent.default | agent default | Messages related to or from a system agent/function/component. |
