Action tables

Advanced EDR shows the actions taken by the programs detected on users’ computers by any of the advanced detection technologies it incorporates.

To view a threat’s action table, access its details page (see Details of blocked programs) and click the Activity tab.

The action table shows the most relevant events triggered by a threat.

The number of actions and events triggered by a process is very high. Showing all of them would hinder the extraction of useful information to perform a forensic analysis.

The table content is initially sorted by date, making it easier to follow the progress of the threat.

The following table shows the fields included in action tables:

Field: Date
Comment: Action date.
Values: Date

Field: Times
Comment: Number of times the action was executed. A single action executed several times consecutively appears only once in the list.
Values: Numeric value

Field: Action
Comment: Action logged on the system and the command-line parameters associated with it.
Values:
  • Downloaded from
  • Communicates with
  • Accesses data
  • Accesses
  • Is accessed by
  • LSASS.EXE opens
  • LSASS.EXE is opened by
  • Is run by
  • Runs
  • Is created by
  • Creates
  • Is modified by
  • Modifies
  • Is loaded by
  • Loads
  • Is deleted by
  • Deletes
  • Is renamed by
  • Renames
  • Is killed by
  • Kills process
  • Process suspended
  • Creates remote thread
  • Thread injected by
  • Is opened by
  • Opens
  • Creates
  • Is created by
  • Creates key pointing to EXE file
  • Modifies key to point to EXE file
  • Tries to stop
  • Ended by

Field: Path/URL/Registry Key/IP:Port
Comment: Action entity. Its value depends on the action type.
Values:
  • Registry Key: For actions that involve modifying the Windows registry.
  • IP:Port: For actions that involve communicating with a local or remote computer.
  • Path: For actions that involve access to the computer hard disk. For more information, see Path format.
  • URL: For actions that involve access to a URL.

Field: File Hash/Registry Value/Protocol-Direction/Description
Comment: This field complements the entity.
Values:
  • File Hash: For all actions that involve access to a file.
  • Registry Value: For all actions that involve access to the registry.
  • Protocol-Direction: For all actions that involve communicating with a local or remote computer. Possible values are:
    • TCP
    • UDP
    • Bidirectional
    • Unknown
  • Description

Field: Trusted
Comment: The file is digitally signed.
Values: Binary value

Fields shown in a threat’s action table

Path format

A path is written with a number for the storage drive type followed by a system folder token enclosed in “|” characters:

Code  Storage drive type
0     Unknown drive.
1     Invalid path. For example, a drive that does not have a mounted volume.
2     Removable drive. For example, a floppy disk, a USB memory device, or a card reader.
3     Internal drive. For example, a hard disk or an SSD disk.
4     Remote drive. For example, a network drive.
5     CD-ROM/DVD drive.
6     RAM disk drive.

Codes used for indicating the drive type

The following is an example of a path:

3|TEMP|\app\a_470.exe

  • 3: Internal drive. The file is located on the computer’s hard disk.

  • |TEMP|: The file is located in the computer’s \windows\temp\ system folder.

  • \app\: Name of the folder where the file is located.

  • a_470.exe: File name.
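A small decoder for this path notation, written as an added example (it is not part of the product): it splits the drive code, the system folder token and the remainder, and expands the token into a conventional Windows path. The drive codes are the ones documented above; only the TEMP token is documented (\windows\temp), so the WINDOWS and PROGRAM_FILES expansions are assumptions used for illustration.

```python
# Decoder for the Advanced EDR path notation "<drive code>|<SYSTEM FOLDER>|<relative path>".
# Added example, not product code. Drive codes are the ones documented on the page; only the
# TEMP token is documented there (\windows\temp), the other folder expansions are assumptions.

DRIVE_TYPES = {
    0: "Unknown drive",
    1: "Invalid path",
    2: "Removable drive",
    3: "Internal drive",
    4: "Remote drive",
    5: "CD-ROM/DVD drive",
    6: "RAM disk drive",
}

SYSTEM_FOLDERS = {
    "TEMP": r"\windows\temp",            # documented on the page
    "WINDOWS": r"\windows",              # assumption
    "PROGRAM_FILES": r"\program files",  # assumption
}


def parse_edr_path(raw: str) -> dict:
    """Split an action-table path into drive code, system-folder token, directory and file name."""
    parts = raw.split("|")
    drive_code = int(parts.pop(0)) if parts[0].isdigit() else None  # the leading code is optional
    folder = None
    if len(parts) >= 2:                 # "TOKEN|rest": a token is a system folder only when a '|' follows it
        folder = parts.pop(0) or None   # "3||\x.exe" carries an empty token
    relative = "|".join(parts)          # keep any literal '|' that remains inside the real path
    directory, _, file_name = relative.rpartition("\\")
    return {
        "drive_code": drive_code,
        "drive_type": None if drive_code is None else DRIVE_TYPES.get(drive_code, "Unrecognized drive code"),
        "system_folder": folder,
        "relative_path": relative,
        "directory": directory,
        "file_name": file_name,
    }


def to_windows_path(raw: str) -> str:
    """Expand the notation into a plain Windows path; unknown tokens are kept as <TOKEN>."""
    p = parse_edr_path(raw)
    if p["system_folder"] is None:
        return p["relative_path"]
    return SYSTEM_FOLDERS.get(p["system_folder"], f"<{p['system_folder']}>") + p["relative_path"]
```

Paths without a leading drive code (as in the sample tables further down, e.g. WINDOWS|\explorer.exe) are handled by treating the code as optional.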

Subject and predicate in actions

To correctly understand the format used to present the information in the action list, a parallel can be drawn with natural language:

  • All actions have as the subject the file classified as a threat. This subject is not specified in each line of the action table because it is common throughout the table.

  • All actions have a verb which relates the subject (the classified threat) to an object, called entity. The entity is specified in the Path/URL/Registry Key/IP:Port field of the table.

  • The entity is complemented with a second field which adds information to the action: File Hash/Registry Value/Protocol-Direction/Description.

The table Action list of a sample threat illustrates two actions carried out by the same hypothetical malware:

Date                  Times  Action             Path/URL/Registry Key/IP:Port                          File Hash/Registry Value/Protocol/Description  Trusted
3/30/2015 4:38:40 PM  1      Communicates with  54.69.32.99/80                                         TCP-Bidirectional                              NO
3/30/2015 4:38:45 PM  1      Loads              PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL  9994BF035813FE8EB6BC98ECCBD5B0E1               NO

Action list of a sample threat

The first action indicates that the malware (subject) connected to (Communicates with action) the IP address 54.69.32.99:80 (entity) through the TCP-bidirectional protocol.

The second action indicates that the malware (subject) loaded (Loads action) the library PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL with hash 9994BF035813FE8EB6BC98ECCBD5B0E1.

As with natural language, two types of sentences are implemented in Advanced EDR:

  • Active: These are predicative actions (with a subject and predicate) related by an active verb. In these actions, the verb of the action relates the subject, which is always the process classified as a threat, and a direct object, the entity, which can vary based on the type of action. Examples of active actions are:

    • Communicates with

    • Loads

    • Creates

  • Passive: These are actions where the subject (the process classified as a threat) becomes the passive subject (which receives, rather than executes, the action), and the verb is passive (to be + participle). In this case, the passive verb relates the passive subject (which receives the action) to the entity, which performs the action. Examples of passive actions are:

    • Is created by

    • Downloaded from

The table Example of a passive action shows a passive action for a hypothetical malware:

Date                  Times  Action     Path/URL/Registry Key/IP:Port  File Hash/Registry Value/Protocol/Description  Trusted
3/30/2015 4:51:46 PM  1      Is run by  WINDOWS|\explorer.exe          7522F548A84ABAD8FA516DE5AB3931EF               NO

Example of a passive action

In this action, the malware (passive subject) is run by (passive action) the WINDOWS|\explorer.exe program (entity) with hash 7522F548A84ABAD8FA516DE5AB3931EF.

Active actions enable you to inspect, in detail, the steps taken by a threat. By contrast, passive actions usually reflect the infection vector used by the malware (which process ran it, which process copied it to the user’s computer, etc.).
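The subject/verb/entity reading above, and the split between active actions (the threat's own steps) and passive actions (the infection vector), applied to rows in the shape of the sample tables. This is an added example, not code from the product; the rows are constructed from the page's two sample tables, and the set of passive verbs is taken from the Action list above.

```python
from datetime import datetime

# Verbs from the Action field that the page describes as passive: the threat receives the action
# and the entity performs it. Every other verb in the Action list is treated as active.
PASSIVE_ACTIONS = {
    "Downloaded from", "Is accessed by", "LSASS.EXE is opened by", "Is run by", "Is created by",
    "Is modified by", "Is loaded by", "Is deleted by", "Is renamed by", "Is killed by",
    "Thread injected by", "Is opened by", "Ended by",
}

# Constructed rows in the shape of the page's sample tables (not real telemetry).
SAMPLE_ROWS = [
    {"date": "3/30/2015 4:38:45 PM", "times": 1, "action": "Loads",
     "entity": r"PROGRAM_FILES|\MOVIES TOOLBAR\SAFETYNUT\SAFETYCRT.DLL",
     "complement": "9994BF035813FE8EB6BC98ECCBD5B0E1", "trusted": "NO"},
    {"date": "3/30/2015 4:38:40 PM", "times": 1, "action": "Communicates with",
     "entity": "54.69.32.99/80", "complement": "TCP-Bidirectional", "trusted": "NO"},
    {"date": "3/30/2015 4:51:46 PM", "times": 1, "action": "Is run by",
     "entity": r"WINDOWS|\explorer.exe", "complement": "7522F548A84ABAD8FA516DE5AB3931EF",
     "trusted": "NO"},
]

def parse_date(text: str) -> datetime:
    """Dates in the action table look like '3/30/2015 4:38:40 PM'."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")

def voice(action: str) -> str:
    return "passive" if action in PASSIVE_ACTIONS else "active"

def to_sentence(row: dict, subject: str = "the threat") -> str:
    """Read one row as subject + verb + entity, with the complementary field in parentheses."""
    verb = row["action"]
    if not verb.startswith("LSASS"):              # keep the process name capitalised
        verb = verb[:1].lower() + verb[1:]
    repeat = f", {row['times']} times" if row["times"] > 1 else ""
    return f"{subject} {verb} {row['entity']} ({row['complement']}){repeat}"

def summarize(rows: list, subject: str = "the threat") -> dict:
    """Sort rows by date (as the table is) and split them into infection vector and the threat's own steps."""
    report = {"infection_vector": [], "activity": []}
    for row in sorted(rows, key=lambda r: parse_date(r["date"])):
        bucket = "infection_vector" if voice(row["action"]) == "passive" else "activity"
        report[bucket].append(to_sentence(row, subject))
    return report
```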