Security events

Last updated August 6th, 2025

The following table provides additional security event details, expanding on the descriptions provided on the Security events page.

Some security events are Android OS and device model dependent. While configuring Security Log settings, refer to the Dependencies information of each event description to ensure that your devices are supported.

Essential security events

Event Name | Event Description | Severity | Type | MITRE Technique IDs | Default?
BOOT_COMPROMISED_SOFTWARE_BINARY
Indicates the device boot binary is at risk of compromise

Dependencies: none

Notes: none

Properties:

  • ArpDevice (String)
  • AvbBootPatchLevel (String)
  • AvbBootState (String)
  • AvbDeviceLocked (String)
  • AvbOsPatchLevel (String)
  • AvbOsVersion (String)
  • AvbVendorPatchLevel (String)
  • AvbVerityMode (String)
  • BLBuildId (String)
  • BLBuildType (String)
  • BLEvent (String)
  • BLEventTarget (String)
  • BLMode (String)
  • BLRP (String)
  • CCModeState (String)
  • CustomCount (String)
  • EDLCount (String)
  • EmFuseHistory (String)
  • EmStatus (String)
  • EmTokens (String)
  • FOTACount (String)
  • FrpState (String)
  • ImgStatus (String)
  • KernelBuildId (String)
  • KernelBuildType (String)
  • KernelRP (String)
  • KernelState (String)
  • KGFuse (String)
  • KGState (String)
  • MDMState (String)
  • ODINCount (String)
  • RebootReason (String)
  • RPMBState (String)
  • SecureBoot (String)
  • SystemBuildId0 (String)
  • SystemBuildId1 (String)
  • SystemBuildId2 (String)
  • SystemRP (String)
  • UnlockCount (String)
  • VbMetaType (String)
  • WbFuse (String)
  • WbReason (String)
  • WpState (String)
High System T1645 Yes
BOOT_STATE
Indicates the device boot state

Dependencies: none

Notes: none

Properties:

  • ArpDevice (String)
  • AvbBootPatchLevel (String)
  • AvbBootState (String)
  • AvbDeviceLocked (String)
  • AvbOsPatchLevel (String)
  • AvbOsVersion (String)
  • AvbVendorPatchLevel (String)
  • AvbVerityMode (String)
  • BLBuildId (String)
  • BLBuildType (String)
  • BLEvent (String)
  • BLEventTarget (String)
  • BLMode (String)
  • BLRP (String)
  • CCModeState (String)
  • CustomCount (String)
  • EDLCount (String)
  • EmFuseHistory (String)
  • EmStatus (String)
  • EmTokens (String)
  • FOTACount (String)
  • FrpState (String)
  • ImgStatus (String)
  • KernelBuildId (String)
  • KernelBuildType (String)
  • KernelRP (String)
  • KernelState (String)
  • KGFuse (String)
  • KGState (String)
  • MDMState (String)
  • ODINCount (String)
  • RebootReason (String)
  • RPMBState (String)
  • SecureBoot (String)
  • SystemBuildId0 (String)
  • SystemBuildId1 (String)
  • SystemBuildId2 (String)
  • SystemRP (String)
  • UnlockCount (String)
  • VbMetaType (String)
  • WbFuse (String)
  • WbReason (String)
  • WpState (String)
Low System - Yes
KEY_INPUT_CAPTURE_CAPABILITY
Indicates when the key input capture permission for an app is enabled

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • AccessibilityApi (String)
  • RestrictedPerms [(String)]
Low Application T1417 No
LOG_IS_FULL
Indicates the on-device Knox Security Log is full

Dependencies: none

Notes: none

Properties: none

High Audit KNOX.1 Yes
PASSWORD_LOCKOUT
Indicates when the device is locked out after the user has reached maximum password attempts

Dependencies: none

Notes: none

Properties: none

High User T1110 No
PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_CAMERA
Indicates when the device camera access has been detected while it is disabled by a system policy

Dependencies: Not supported on the following device models:

  • SM-A042
  • SM-A045
  • SM-A055 / M055 / E055
  • SM-A057
  • SM-A065 / M065
  • SM-A066 / M066 / E066
  • SM-A075 / M075 / E075
  • SM-A076
  • SM-A145
  • SM-A146 / S146
  • SM-A155
  • SM-A156 / S156
  • SM-A165
  • SM-A166 / S166
  • SM-A175
  • SM-A176 / M* / E* / S*
  • SM-A253
  • SM-A266 / S266
  • SM-M145 / E145
  • SM-M146 / E146
  • SM-M156 / E156
  • SM-M166 / E166
  • SM-M55* / E556 / C5560
  • SM-X21*
  • SM-X11*
  • SM-X13*

Notes: none

Properties: none

High System KNOX.2 No
PERIPHERAL_ACCESS_THROUGH_POLICY_DETECTED_MIC
Indicates when the device microphone access has been detected while it is disabled by a system policy

Dependencies: Not supported on the following device models:

  • SM-A042
  • SM-A045
  • SM-A055 / M055 / E055
  • SM-A057
  • SM-A065 / M065
  • SM-A066 / M066 / E066
  • SM-A075 / M075 / E075
  • SM-A076
  • SM-A145
  • SM-A146 / S146
  • SM-A155
  • SM-A156 / S156
  • SM-A165
  • SM-A166 / S166
  • SM-A175
  • SM-A176 / M* / E* / S*
  • SM-A253
  • SM-A266 / S266
  • SM-M145 / E145
  • SM-M146 / E146
  • SM-M156 / E156
  • SM-M166 / E166
  • SM-M55* / E556 / C5560
  • SM-X21*
  • SM-X11*
  • SM-X13*
  • SM-A236V
  • SM-A256B
  • SM-A336B
  • SM-A346B
  • SM-A356B
  • SM-A536B
  • SM-A546B
  • SM-A736B
  • SM-M336B
  • SM-E346B
  • SM-M356B
  • SM-E366B
  • SM-M536B
  • SM-E546B
  • SM-P620_
  • SM-T636B
  • SM-X306B
  • SM-X406B
  • SM-X826B
  • SM-X926B
  • SM-X736B
  • SM-X936B
  • SM-X516B
  • SM-X616B
  • SM-G556B
  • SM-G736B

Notes: none

Properties: none

High System KNOX.2 No
PREVENT_APP_REMOVAL_CAPABILITY
Indicates when an app removal is prevented

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • AccessibilityApi (String)
  • RestrictedPerms [(String)]
Low Application T1629 No
TAG_ADB_SHELL_INTERACTIVE
Indicates an ADB interactive shell was opened via "adb shell"

Dependencies: none

Notes: none

Properties: none

Medium Audit T1623 No
TAG_ADMIN_HAS_REQUESTED_FULL_WIPE_OF_DEVICE
Indicates an administrator requested full wipe of device

Dependencies: none

Notes: none

Properties:

  • UserId (Integer)
  • AdmPkgName (Integer)
Low Audit T1630 No
TAG_FAILED_TO_WIPE_USER_DATA
Indicates the process of wiping user data on the device failed for a specific reason

Dependencies: none

Notes: none

Properties:

  • Reason (String)
Low Audit T1630 No
TAG_WIPING_DATA_IS_NOT_ALLOWED_FOR_THIS_USER
Indicates the process of wiping data (factory reset) is not allowed for this user

Dependencies: none

Notes: none

Properties: none

Low Audit T1630 No
USER_INTERACTION_CONTROL_CAPABILITY
Indicates when the user screen control permission in an app is enabled

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • AccessibilityApi (String)
  • RestrictedPerms [(String)]
Low Application T1516 No

Advanced security events

Event Name | Event Description | Severity | Type | MITRE Technique IDs | Default?
ACCESS_CALL_LOG_PERMISSION
Indicates when an app has permission to access call logs on launch

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • AccessibilityApi (String)
  • RestrictedPerms [(String)]
Low Application T1636 No
ACCESS_NOTIFICATION_PERMISSION
Indicates when permission to access/manage notification in an app is enabled

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • AccessibilityApi (String)
  • RestrictedPerms [(String)]
Low Application T1517 No
PROCESS_PRIVILEGE_ESCALATION
Indicates when an app has transitioned from an acceptable uid/esuid/fsuid to a non-app id

Dependencies: Device models compatible with 32-bit apps (ABI) are not supported. These include:

  • SM-A736
  • SM-F711
  • SM-F926
  • SM-G990
  • SM-G991
  • SM-G996
  • SM-G736
  • SM-G998
  • SM-M446
  • SM-T630
  • SM-T636

Notes: none

Properties:

  • Atime (Long)
  • CmdLine (String)
  • Ctime (Long)
  • Cwd (String)
  • Egid (Integer)
  • Euid (Integer)
  • ExitCode (Integer)
  • Fsgid (Integer)
  • Fsuid (Integer)
  • Gid (Integer)
  • Hash (String)
  • ModifiedEgid (Integer)
  • ModifiedEuid (Integer)
  • ModifiedFsgid (Integer)
  • ModifiedFsuid (Integer)
  • ModifiedGid (Integer)
  • ModifiedUid (Integer)
  • Mtime (Long)
  • OwnerGid (Integer)
  • OwnerUid (Integer)
  • Path (String)
  • Pid (Integer)
  • PkgName (String)
  • Ppid (Integer)
  • SeTag (String)
  • Sgid (Integer)
  • StartTime (Long)
  • Suid (Integer)
  • Syscall (Integer)
  • Tid (Integer)
  • Uid (Integer)
High Process T1548, T1543 No
RESTRICTED_PERMISSION
Indicates the launched app has 'restricted permission'

Dependencies: none

Notes: none

Properties: none

Low Application - No
SCREEN_CAPTURE_CAPABILITY
Indicates when the use of device screen capture permission for an app is enabled

Dependencies: none

Notes: none

Properties: none

Low Application T1513 No
SUSPICIOUS_URL_ACCESSED
Indicates when the user tapped or clicked on a potentially suspicious URL on the device

Dependencies: 32-bit device models are not supported

Notes: none

Properties:

  • ConfidenceScore (Real)
  • PkgName (String)
  • Url (String)
  • UrlType (Integer)
Medium User T1566, T1660 No
SUSPICIOUS_URL_DETECTED
Indicates when the user has copied a potentially suspicious URL on the device

Dependencies: 32-bit device models are not supported

Notes: none

Properties:

  • ConfidenceScore (Real)
  • PkgName (String)
  • Url (String)
  • UrlType (Integer)
Low User T1566, T1660 No
TAG_ADB_SHELL_CMD
Indicates that a shell command was issued over ADB via adb shell

Dependencies: none

Notes: Potentially high volume event, triggered when the device is being used with a USB cable or in wireless debug mode.

Properties:

  • Cmd (String)
Low Audit - No
TAG_ADD_UNTRUSTED
Indicates an administrator added a certificate to the trusted database

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • Issuer (String)
  • Subject (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ADDED_SSID_TO_THE_RESTRICTION_ALLOWLIST
Indicates an administrator added an SSID to the restriction allowlist

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • Ssid (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ADDED_TO_CAMERA_ALLOWLIST
Indicates an administrator added package and signature to camera allowlist

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • PkgName (String)
  • Signature (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ALLOWED_CAMERA
Indicates an administrator allowed camera

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ALLOWED_MICROPHONE
Indicates an administrator allowed microphone

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ALLOWED_TO_INSTALL_APPLICATION
Indicates an administrator allowed application install

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • PkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_CHANGED_LOCK_SCREEN_STATE_TO_DISABLED
Indicates an administrator changed lock screen state to disabled

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_CHANGED_NFC_STATE_CHANGE
Indicates an administrator has allowed the NFC state change

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • Allow (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_CHANGED_SCREEN_LOCK_TIME_OUT
Indicates an administrator changed screen lock time out

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • Timeout (Integer)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_DISALLOWED_MICROPHONE
Indicates an administrator disallowed microphone

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ENABLED_BLUETOOTH_DISCOVERABLE_STATE
Indicates an administrator enabled Bluetooth discoverable state

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_ENABLED_WIFI_DIRECT
Indicates an administrator enabled Wi-Fi direct

Dependencies: none

Notes: none

Properties: none

Low Audit - No
TAG_ADMIN_HAS_LOCKED_WORKSPACE
Indicates an administrator locked workspace

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_REMOVED_ALL_SSID_FROM_THE_RESTRICTION_BLOCKLIST
Indicates an administrator removed all SSIDs from restriction blocklist

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_REMOVED_SSID_FROM_THE_RESTRICTION_BLOCKLIST
Indicates an administrator removed an SSID from the restriction blocklist

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • Ssid (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_SUCCESSFULLY_LOCKED_WORKSPACE
Indicates an administrator successfully locked workspace

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_SUCCESSFULLY_UNLOCKED_WORKSPACE
Indicates an administrator successfully unlocked workspace

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_ADMIN_HAS_UNLOCKED_WORKSPACE
Indicates an administrator unlocked workspace

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_APPLICATION_ACTION_FAILED_BECAUSE_OF_SIGNATURE_VERIFICATION_FAILURE
Indicates the application action has failed because of signature verification failure

Dependencies: none

Notes: none

Properties:

  • Action (String)
  • PkgName (String)
  • Reason (String)
  • UserId (Integer)
Low Audit - No
TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BECAUSE_SIGNED_UNTRUSTED_CA
Indicates an app installation is not allowed because it is signed by an untrusted CA

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_BLOCKLIST
Indicates the application is being blocked from installation by a device policy enforced by an administrator

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • PkgName (String)
  • Policy (String)
  • UserId (Integer)
Low Application - No
TAG_APPLICATION_INSTALLATION_NOT_ALLOWED_BY_ADMIN_INSTALLER_BLOCKLIST
Indicates that an administrator has blocked the installation of an application from a specific installer

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • PkgName (String)
  • Policy (String)
  • UserId (Integer)
Low Application - No
TAG_BACKUP_SERVICE_TOGGLED
Indicates an administrator has enabled or disabled backup service

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • AdmUserId (Integer)
  • Enabled (Boolean)
Low Audit - No
TAG_BIND_TO_VPN_FAILED_COULD_NOT_FIND_PACKAGE
Indicates when a bind to VPN vendor service failed as vendor package could not be found

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • UserId (Integer)
Low Network - No
TAG_BLUETOOTH_CONNECTION
Indicates the device attempts to connect to a Bluetooth device

Dependencies: none

Notes: none

Properties:

  • MacAddr (String)
  • Reason (String)
  • Result (Boolean)
Low Audit - No
TAG_CERT_AUTHORITY_INSTALLED
Indicates a new root certificate has been installed into system's trusted credential storage

Dependencies: none

Notes: none

Properties:

  • Result (Boolean)
  • Subject (String)
  • UserId (Integer)
Low Audit - No
TAG_CERT_AUTHORITY_REMOVED
Indicates a new root certificate has been removed from system's trusted credential storage

Dependencies: none

Notes: none

Properties:

  • Result (Boolean)
  • Subject (String)
  • UserId (Integer)
Low Audit - No
TAG_ERROR_OCCURRED_WHILE_VALIDATING_PROFILE_INFORMATION_FOR_VENDOR
Indicates that during VPN profile creation, an error occurred while validating vendor

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_KEY_INTEGRITY_VIOLATION
Indicates a failed cryptographic key integrity check

Dependencies: none

Notes: none

Properties:

  • Alias (String)
  • Uid (Integer)
Low Audit - No
TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT
Indicates there has been an authentication attempt to dismiss the keyguard

Dependencies: none

Notes: none

Properties:

  • Result (Boolean)
  • Strong (Boolean)
Low Audit - No
TAG_LOG_BUFFER_SIZE_CRITICAL
Indicates that the audit log buffer has reached 90% of its capacity

Dependencies: none

Notes: none

Properties: none

Low Audit - No
TAG_MEDIA_MOUNT
Indicates removable media has been mounted on the device

Dependencies: none

Notes: none

Properties:

  • MountPoint (String)
  • VolLabel (String)
Low Audit - No
TAG_MEDIA_UNMOUNT
Indicates that removable media was unmounted from the device

Dependencies: none

Notes: none

Properties:

  • MountPoint (String)
  • VolLabel (String)
Low Audit - No
TAG_MICROPHONE_ENABLED
Indicates the microphone is enabled

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_PACKAGE_INSTALLED
Indicates a package is installed

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • VerCode (Long)
  • UserId (Integer)
Low Application - No
TAG_PACKAGE_NAME_HAS_BEEN_ACTIVATED_AS_ADMIN
Indicates the application was activated as administrator

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_PACKAGE_NAME_HAS_BEEN_REMOVED_AS_ADMIN
Indicates the application was removed as administrator

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • UserId (Integer)
Low Audit - No
TAG_PACKAGE_UNINSTALLED
Indicates a package is uninstalled

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • VerCode (Long)
  • UserId (Integer)
Low Application - No
TAG_PACKAGE_UPDATED
Indicates a package is updated

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • VerCode (Long)
  • UserId (Integer)
Low Application - No
TAG_PASSWORD_CHANGED
Indicates the user has just changed their lock screen password

Dependencies: none

Notes: none

Properties:

  • PwComplexity (String)
  • UserId (Integer)
Low User - No
TAG_PASSWORD_COMPLEXITY_REQUIRED
Indicates an administrator has set a password complexity requirement, using the platform's pre-defined complexity levels

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • AdmUserId (Integer)
  • PwComplexity (String)
  • UserId (Integer)
Low Audit - No
TAG_PASSWORD_COMPLEXITY_SET
Indicates an administrator has set a requirement for password complexity

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • AdmUserId (Integer)
  • MinPwLength (Integer)
  • MinNumOfLetters (Integer)
  • MinNumOfNonLetters (Integer)
  • MinNumOfDigits (Integer)
  • MinNumOfUpperLetters (Integer)
  • MinNumOfLowerLetters (Integer)
  • MinNumOfSymbols (Integer)
  • PwComplexity (String)
  • PwConstraint (String)
  • UserId (Integer)
Low Audit - No
TAG_REMOTE_LOCK
Indicates an administrator remotely locked the device or profile

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • AdmUserId (Integer)
  • UserId (Integer)
Low Audit - No
TAG_REMOVE_UNTRUSTED
Indicates an administrator removed a certificate from the untrusted database

Dependencies: none

Notes: none

Properties:

  • AdmPkgName (String)
  • Issuer (String)
  • Subject (String)
  • UserId (Integer)
Low Audit - No
TAG_SYNC_RECV_FILE
Indicates a file was pulled from the device via the adb daemon, for example via adb pull

Dependencies: none

Notes: none

Properties:

  • Path (String)
Low Audit - No
TAG_SYNC_SEND_FILE
Indicates a file was pushed to the device via the adb daemon, for example via adb push

Dependencies: none

Notes: none

Properties:

  • Path (String)
Low Audit - No
TAG_WIPE_FAILURE
Indicates a failure to wipe device or user data

Dependencies: none

Notes: none

Properties: none

Low Audit - No
VIDEO_CAPTURE_PERMISSION
Indicates when the video capture permission is requested by the app

Dependencies: none

Notes: none

Properties:

  • PkgName (String)
  • AccessibilityApi (String)
  • RestrictedPerms [(String)]
Low Application T1512 No
