Format of the events used in indicators of attack (IOA)

Advanced EDR monitors the processes run on customers’ computers and sends the generated telemetry data to the Cytomic cloud. This data is then at the disposal of specialized threat hunters to detect indicators of attack (IOA) on customers’ IT resources.

This telemetry data is stored in a structured record called an ‘event’, which consists of several fields. Analysts need to understand the meaning of each of these fields to correctly interpret the information regarding each IOA detected.

The information about the event that triggered the IOA is in the Event details section, displayed in JSON format, and in the attack graphs. See Indicators of attack settings for more information about the IOA detection module.

Fields in received events

An event is a record consisting of fields describing an action taken by a process on a computer. Each type of event has a specific number of fields.

Below is a description of all the fields included in events, along with their meaning, data type, and possible values. Depending on the IOA, some of these fields are shown in:

  • The Other details section of the IOA details page. See Details page.

  • The nodes and lines of the attack graph. See Graphs.

Each entry below lists the field name, followed by its description and its field type.

accesstype

File access mask:

  • (54) WMI_CREATEPROC: Local WMI.

For all other operations:

Bitmask

accnube

The agent installed on the customer’s computer can access the Cytomic cloud.

Boolean

action

Type of action taken by the Advanced EDR or Advanced EPDR agent, by the user, or by the affected process:

  • 0 (Allow): The agent allowed the process to run.

  • 1 (Block): The agent blocked the process from running.

  • 2 (BlockTimeout): The agent displayed a pop-up message to the user but the user did not respond in time.

  • 3 (AllowWL): The agent allowed the process to run because it is on the local goodware whitelist.

  • 4 (BlockBL): The agent blocked the process from running because it is on the local malware blacklist.

  • 5 (Disinfect): The agent disinfected the process.

  • 6 (Delete): The agent classified the process as malware and deleted it because it could not be disinfected.

  • 7 (Quarantine): The agent classified the process as malware and moved it to the computer’s quarantine folder.

  • 8 (AllowByUser): The agent displayed a pop-up message to the user and the user responded with ‘Allow execution’.

  • 9 (Informed): The agent displayed a pop-up message to the user.

  • 10 (Unquarantine): The agent removed the file from the quarantine folder.

  • 11 (Rename): The agent renamed the file (this action is used only for testing).

  • 12 (BlockURL): The agent blocked the URL.

  • 13 (KillProcess): The agent closed the process.

  • 14 (BlockExploit): The agent stopped an attempt to exploit a vulnerable process.

  • 15 (ExploitAllowByUser): The user did not allow the exploited process to be closed.

  • 16 (RebootNeeded): The agent requires that the computer be rebooted to block the exploit attempt.

  • 17 (ExploitInformed): The agent displayed a pop-up message to the user, reporting an attempt to exploit a vulnerable process.

  • 18 (AllowSonGWInstaller): The agent allowed the process to run because it belongs to an installation package classified as goodware.

  • 19 (EmbebedInformed): The agent sent internal operation information to the cloud to improve detection routines.

  • 21 (SuspendProcess): The monitored process tried to suspend the antivirus service.

  • 22 (ModifyDiskResource): The monitored process tried to modify a resource protected by the agent shield.

  • 23 (ModifyRegistry): The monitored process tried to modify a registry key protected by the agent shield.

  • 24 (RenameRegistry): The monitored process tried to rename a registry key protected by the agent shield.

  • 25 (ModifyMarkFile): The monitored process tried to modify a file protected by the agent shield.

  • 26 (Undefined): Error monitoring the process operation.

  • 28 (AllowFGW): The agent allowed the operation performed by the monitored process because it is on the local goodware whitelist.

  • 29 (AllowSWAuthorized): The agent allowed the operation performed by the monitored process because the administrator marked the file as authorized software.

  • 30 (InformNewPE): The agent reported the appearance of a new file on the computer because the Drag&Drop feature is turned on in Cytomic Data Watch.

  • 31 (ExploitAllowByAdmin): The agent allowed the operation performed by the monitored process because the network administrator excluded the exploit.

  • 32 (IPBlocked): The agent blocked IPs to mitigate an RDP (Remote Desktop Protocol) attack.

Enumeration

actiontype

Indicates the session type:

  • 0 (Login): Login on the customer’s computer.

  • 1 (Logout): Logout on the customer’s computer.

  • -1 (Desconocido): The session type could not be determined.

Enumeration

age

Date the file was last modified.

Date

blockreason

Reason for the pop-up message displayed on the computer:

  • 0: The file was blocked because it is unknown and the Advanced EDR or Advanced EPDR advanced protection mode is set to Hardening or Lock.

  • 1: The file was blocked by local rules.

  • 2: The file was blocked because the source is untrusted.

  • 3: The file was blocked by a context rule.

  • 4: The file was blocked because it is an exploit.

  • 5: The file was blocked after asking the user to close the process.

Enumeration

bytesreceived

Total bytes received by the monitored process.

Numeric value

bytessent

Total bytes sent by the monitored process.

Numeric value

callstack/sonsize

Size in bytes of the child file.

Numeric value

childattributes

Attributes of the child process:

  • 0x0000000000000001 (ISINSTALLER): Self-extracting (SFX) file.

  • 0x0000000000000002 (ISDRIVER): Driver-type file.

  • 0x0000000000000008 (ISRESOURCESDLL): Resource DLL-type file.

  • 0x0000000000000010 (EXTERNAL): File from outside the computer.

  • 0x0000000000000020 (ISFRESHUNK): File recently added to the Cytomic knowledge base.

  • 0x0000000000000040 (ISDISSINFECTABLE): File for which there is a recommended disinfection action.

  • 0x0000000000000080 (DETEVENT_DISCARD): The event-based context detection technology did not detect anything suspicious.

  • 0x0000000000000100 (WAITED_FOR_VINDEX): Execution of a file whose creation had not been registered.

  • 0x0000000000000200 (ISACTIONSEND): The local technologies did not detect malware in the file and it was sent to Cytomic for classification.

  • 0x0000000000000400 (ISLANSHARED): File stored on a network drive.

  • 0x0000000000000800 (USERALLOWUNK): File with permission to import unknown DLLs.

  • 0x0000000000001000 (ISSESIONREMOTE): Event originating from a remote session.

  • 0x0000000000002000 (LOADLIB_TIMEOUT): The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

  • 0x0000000000004000 (ISPE): Executable file.

  • 0x0000000000008000 (ISNOPE): Non-executable file.

  • 0x0000000000020000 (NOSHELL): The agent did not detect the execution of a shell command on the system.

  • 0x0000000000080000 (ISNETNATIVE): NET Native file.

  • 0x0000000000100000 (ISSERIALIZER): Serializer file.

  • 0x0000000000200000 (PANDEX): File included in the list of processes created by Cytomic Patch.

  • 0x0000000000400000 (SONOFGWINSTALLER): File created by an installer classified as goodware.

  • 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the Advanced EDR exclusions.

  • 0x0000000001000000 (INTERCEPTION_TXF): The intercepted operation was originated by an executable whose image on the disk is being modified.

  • 0x0000000002000000 (HASMACROS): Microsoft Office document with macros.

  • 0x0000000008000000 (ISPEARM): Executable file for ARM microprocessors.

  • 0x0000000010000000 (ISDYNFILTERED): The file was allowed on the computer because there are no technologies to classify it.

  • 0x0000000020000000 (ISDISINFECTED): The file was disinfected.

  • 0x0000000040000000 (PROCESSLOST): The operation was not logged.

  • 0x0000000080000000 (OPERATION_LOST): Operation with a pre-scan report for which the post-scan report has not been received yet.

Enumeration

childblake

Blake2 signature of the child file.

Character string

childclassification

Classification of the child process that performed the logged action.

  • 0 (Unknown): File in the process of classification.

  • 1 (Goodware): File classified as goodware.

  • 2 (Malware): File classified as malware.

  • 3 (Suspect): The file is in the process of classification and there is a high probability that it turns out to be malware.

  • 4 (Compromised): Process compromised by an exploit attack.

  • 5 (GWNotConfirmed): The file is in the process of classification and there is a high probability that it is malware.

  • 6 (Pup): File classified as an unwanted program.

  • 7 (GwUnwanted): Equivalent to PUP.

  • 8 (GwRanked): Process classified as goodware.

  • -1 (Unknown)

Enumeration

childfiletime

Date of the child file logged by the agent.

Date

childfilesize

Size of the child file logged by the agent.

Numeric value

childmd5

Child file hash.

Character string

childpath

Path of the child file that performed the logged operation.

Character string

childpid

Child process ID.

Numeric value

childurl

File download URL.

Character string

childstatus

Child process status.

  • 0 (StatusOk): Status OK.

  • 1 (NotFound): Item not found.

  • 2 (UnexpectedError): Unknown error.

  • 3 (StaticFiltered): File identified as malware using static information contained in the Advanced EDR or Advanced EPDR protection.

  • 4 (DynamicFiltered): File identified as malware using local technology implemented in Advanced EDR or Advanced EPDR.

  • 5 (FileIsTooBig): File too big.

  • 6 (PEUploadNotAllowed): File send was disabled.

  • 11 (FileWasUploaded): File sent to the cloud for analysis.

  • 12 (FiletypeFiltered): Resource DLL, NET Native, or Serializer-type file.

  • 13 (NotUploadGWLocal): Goodware file not saved to the cloud.

  • 14 (NotUploadMWdisinfect): Disinfected malware file not saved to the cloud.

Enumeration

classname

Type of device where the process resides. It corresponds to the class specified in the .INF file associated with the device.

Character string

configstring

Version of the MVMF.xml file in use.

Character string

commandline

Command line configured as a task to be run via WMI.

Character string

confadvancedrules

Advanced EDR or Advanced EPDR advanced security policy settings.

Character string

copy

Name of the service that triggered the event.

Character string

details

Summary in the form of a group of relevant fields from the event.

Character string

description

Description of the USB device that performed the operation.

Character string

detectionid

Unique identifier of the detection made.

Numeric value

devicetype

Type of drive where the process or file that triggered the logged operation resides.

  • 0 (UNKNOWN): Unknown.

  • 1 (CD_DVD): CD or DVD drive.

  • 2 (USB_STORAGE): USB storage device.

  • 3 (IMAGE): Image file.

  • 4 (BLUETOOTH): Bluetooth device.

  • 5 (MODEM): Modem.

  • 6 (USB_PRINTER): USB printer.

  • 7 (PHONE): Mobile phone.

  • 8 (KEYBOARD): Keyboard.

  • 9 (HID): Mouse.

Enumeration

direction

Network connection direction.

  • 0 (UnKnown): Unknown.

  • 1 (Incoming): Connection established from outside the network to a computer on the customer’s network.

  • 2 (Outgoing): Connection established from a computer on the customer’s network to a computer outside the network.

  • 3 (Bidirectional): Bidirectional.

Enumeration

domainlist

List of domains sent by the process to the DNS server for resolution and number of resolutions per domain.

{domain_name,number#domain_name,number}

domainname

Name of the domain the process tries to access/resolve.

Character string

errorcode

Error code returned by the operating system when there is a failed login attempt.

  • 1073741724 (Invalid username): The user name does not exist.

  • 1073741730 (Login server is unavailable): The server required to validate the login is not available.

  • 1073741718 (Invalid password): The user name is correct but the password is incorrect.

  • 1073741715 (Invalid username or authentication info): The user name or the authentication information is wrong.

  • 1073741714 (Invalid username or password): Unknown user name or wrong password.

  • 1073741260 (Account blocked): Access blocked.

  • 1073741710 (Account disabled): Account disabled.

  • 1073741713 (User account day restriction): An attempt was made to log in at a restricted time.

  • 1073741712 (Invalid workstation for login): An attempt was made to log in from an unauthorized computer.

  • 1073741604 (Sam server is invalid): The validation server has failed. Cannot perform operation.

  • 1073741421 (Account expired): The account has expired.

  • 1073741711 (Password expired): The password has expired.

  • 1073741517 (Clock difference is too big): The connected computers’ clocks are too far out of sync.

  • 1073741276 (Password change required on reboot): The user’s password must be changed on next boot.

  • 1073741275 (Windows error (no risk)): A bug in Windows and not a risk.

  • 1073741428 (Domains trust failed): The login request failed because the trust relationship between the primary domain and the trusted domain failed.

  • 1073741422 (Netlogon not initialized): An attempt was made to log in, but the Netlogon service was not started.

  • 1073741074 (Session start error): An error occurred during login.

  • 1073740781 (Firewall protected): The computer you are logging in to is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer.

  • 1073741477 (Invalid permission): The user has requested a type of login that has not been granted.

Enumeration

errorstring

Character string with debug information on the security product settings.

Character string

eventtype

Event type logged by the agent.

  • 1 (ProcessOps): The process performed operations on the computer’s hard disk.

  • 14 (Download): The process downloaded data.

  • 22 (NetworkOps): The process performed network operations.

  • 26 (DataAccess): The process accessed data files hosted on internal mass-storage devices.

  • 27 (RegistryOps): The process accessed the Windows Registry.

  • 30 (ScriptOps): Operation performed by a script-type process.

  • 31 (ScriptOps): Operation performed by a script-type process.

  • 40 (Detection): Detection made by the Advanced EDR active protections.

  • 42 (BandwidthUsage): Volume of information handled in each data transfer operation performed by the process.

  • 45 (SystemOps): Operation performed by the Windows operating system WMI engine.

  • 46 (DnsOps): The process accessed the DNS name server.

  • 47 (DeviceOps): The process accessed an external device.

  • 50 (UserNotification): Notification displayed to the user and response (if any).

  • 52 (LoginOutOps): Login or logout operation performed by the user.

  • 99 (RemediationOps): Detection, blocking, and disinfection events from the Advanced EDR or Advanced EPDR agent.

  • 100 (HeaderEvent): Administrative event with information about the protection software settings and version, as well as computer and customer information.

  • 199 (HiddenAction): Detection event that did not trigger an alert.

Enumeration

exploitorigin

Origin of the process exploit attempt.

  • 1 (URL): URL address.

  • 2 (FILE): File.

Enumeration

extendedinfo

Additional information about Type events:

  • 0 (Command line event creation): Empty.

  • 1 (Active script event creation): Script file name.

  • 2 (Event consumer to filter consumer): Empty.

  • 3 (Event consumer to filter query): Empty.

  • 4 (Create User): Empty.

  • 5 (Delete User): Empty.

  • 6 (Add user group): Group SID.

  • 7 (Delete user group): Group SID.

  • 8 (User group admin): Group SID.

  • 9 (User group rdp): Group SID.

Character string

failedqueries

Number of failed DNS resolution requests sent by the process in the last hour.

Numeric value

friendlyname

The device’s easily readable name.

Character string

firstseen

Date the file was first seen.

Date

hostname

Name of the computer that ran the process.

Character string

infodiscard

Quarantine file internal information.

Character string

ipv4status

IP address type:

  • 0 (Private)

  • 1 (Public)

Enumeration

isdenied

Indicates whether the reported action was denied.

Binary value

islocal

Indicates whether the task was created on the local computer or on a remote computer.

Binary value

interactive

Indicates whether the login is an interactive login.

Binary value

idname

Device name.

Character string

key

Affected registry branch or key.

Character string

lastquery

Last query sent to the cloud by the Advanced EDR or Advanced EPDR agent.

Date

localip

Local IP address of the process.

IP address

localport

Depends on the direction field:

  • outgoing: The port of the process run on the computer protected with Advanced EDR and Advanced EPDR.

  • incoming: The port of the process run on the remote computer.

Numeric value

localdatetime

The computer’s date (in UTC format) at the time the logged event occurred. This date depends on the computer settings. As a result, it can be incorrect.

Date

loggeduser

The user that was logged in to the computer at the time the event was generated.

Character string

machinename

Name of the computer that ran the process.

Character string

manufacturer

Device manufacturer.

Character string

MUID

Internal ID of the customer’s computer.

Character string

objectname

Unique name of the object within the WMI hierarchy.

Character string

opentstamp

Date of the WMI notification for WMI_CREATEPROC (54) events.

Bitmask

operation

Type of operation performed by the process.

  • 0 (CreateProc): Process created.

  • 1 (PECreat): Executable program created.

  • 2 (PEModif): Executable program modified.

  • 3 (LibraryLoad): Library loaded.

  • 4 (SvcInst): Service installed.

  • 5 (PEMapWrite): Executable program mapped for write access.

  • 6 (PEDelet): Executable program deleted.

  • 7 (PERenam): Executable program renamed.

  • 8 (DirCreate): Folder created.

  • 9 (CMPCreat): Compressed file created.

  • 10 (CMOpened): Compressed file opened.

  • 11 (RegKExeCreat): A registry branch pointing to an executable file was created.

  • 12 (RegKExeModif): A registry branch was modified, which now points to an executable file.

  • 15 (PENeverSeen): Executable program never seen before by Advanced EDR.

  • 17 (RemoteThreadCreated): Remote thread created.

  • 18 (ProcessKilled): Process killed.

  • 25 (SamAccess): Access to the computer’s SAM.

  • 30 (ExploitSniffer): Sniffing exploit technique detected.

  • 31 (ExploitWSAStartup): WSAStartup exploit technique detected.

  • 32 (ExploitInternetReadFile): InternetReadFile exploit technique detected.

  • 34 (ExploitCMD): CMD exploit technique detected.

  • 39 (CargaDeFicheroD16bitsPorNtvdm.exe): 16-bit file loaded by ntvdm.exe.

  • 43 (Heuhooks): Anti-exploit technology detected.

  • 54 (Create process by WMI): Process created by a modified WMI.

  • 55 (AttackProduct): Attack detected on the agent service, a file, or registry key.

  • 61 (OpenProcess LSASS): LSASS process opened.

Enumeration

operationflags/integrityLevel

Indicates the integrity level assigned by Windows to the item.

  • 0x0000 Untrusted level.

  • 0x1000 Low integrity level.

  • 0x2000 Medium integrity level.

  • 0x3000 High integrity level.

  • 0x4000 System integrity level.

  • 0x5000 Protected.

Enumeration

operationstatus

Indicates whether the event must be sent to Cytomic Insights or not:

  • 0: Send.

  • 1: Filtered by the agent.

  • 2: Do not send.

Numeric value

origusername

User of the computer which performed the operation.

Character string

pandaid

Customer ID.

Numeric value

pandaorionstatus

Indicates the status of the customer’s computer’s time settings compared to the clock in Cytomic.

  • 0 (Version not supported): The customer’s computer does not support synchronization of its time settings to the Cytomic settings.

  • 1 (Recalculated Panda Time): The customer has fixed and synced the computer’s time settings to the Cytomic settings.

  • 2 (Panda Time Ok): The customer’s computer’s time settings are correct.

  • 3 (Panda Time calculation error): Error fixing the computer’s time settings.

Enumeration

pandatimestatus

Contents of the DateTime, Date, and LocalDateTime fields.

Date

parentattributes

Attributes of the parent process.

  • 0x0000000000000001 (ISINSTALLER): Self-extracting (SFX) file.

  • 0x0000000000000002 (ISDRIVER): Driver-type file.

  • 0x0000000000000008 (ISRESOURCESDLL): Resource DLL-type file.

  • 0x0000000000000010 (EXTERNAL): File from outside the computer.

  • 0x0000000000000020 (ISFRESHUNK): File recently added to the Cytomic knowledge base.

  • 0x0000000000000040 (ISDISSINFECTABLE): File for which there is a recommended disinfection action.

  • 0x0000000000000080 (DETEVENT_DISCARD): The event-based context detection technology did not detect anything suspicious.

  • 0x0000000000000100 (WAITED_FOR_VINDEX): Execution of a file whose creation had not been registered.

  • 0x0000000000000200 (ISACTIONSEND): The local technologies did not detect malware in the file and it was sent to Cytomic for classification.

  • 0x0000000000000400 (ISLANSHARED): File stored on a network drive.

  • 0x0000000000000800 (USERALLOWUNK): File with permission to import unknown DLLs.

  • 0x0000000000001000 (ISSESIONREMOTE): Event originating from a remote session.

  • 0x0000000000002000 (LOADLIB_TIMEOUT): The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

  • 0x0000000000004000 (ISPE): Executable file.

  • 0x0000000000008000 (ISNOPE): Non-executable file.

  • 0x0000000000020000 (NOSHELL): The agent did not detect the execution of a shell command on the system.

  • 0x0000000000080000 (ISNETNATIVE): NET Native file.

  • 0x0000000000100000 (ISSERIALIZER): Serializer file.

  • 0x0000000000200000 (PANDEX): File included in the list of processes created by Cytomic Patch.

  • 0x0000000000400000 (SONOFGWINSTALLER): File created by an installer classified as goodware.

  • 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the Cytomic Orion exclusions.

  • 0x0000000001000000 (INTERCEPTION_TXF): The intercepted operation was originated by an executable whose image on the disk is being modified.

  • 0x0000000002000000 (HASMACROS): Microsoft Office document with macros.

  • 0x0000000008000000 (ISPEARM): Executable file for ARM microprocessors.

  • 0x0000000010000000 (ISDYNFILTERED): The file was allowed on the computer because there are no technologies to classify it.

  • 0x0000000020000000 (ISDISINFECTED): The file was disinfected.

  • 0x0000000040000000 (PROCESSLOST): The operation was not logged.

  • 0x0000000080000000 (OPERATION_LOST): Operation with a pre-scan report for which the post-scan report has not been received yet.

Enumeration

parentblake

Blake2 signature of the parent file that performed the operation.

Character string

parentcount

Number of processes with DNS failures.

Numeric value

parentmd5

Parent file hash.

Character string

parentpath

Path of the parent file that performed the logged operation.

Character string

parentpid

Parent process ID.

Numeric value

parentstatus

Parent process status.

  • 0 (StatusOk): Status OK.

  • 1 (NotFound): Item not found.

  • 2 (UnexpectedError): Unknown error.

  • 3 (StaticFiltered): File identified as malware using static information contained in the Advanced EDR or Advanced EPDR protection.

  • 4 (DynamicFiltered): File identified as malware using local technology implemented in Advanced EDR or Advanced EPDR.

  • 5 (FileIsTooBig): File too big.

  • 6 (PEUploadNotAllowed): File send was disabled.

  • 11 (FileWasUploaded): File sent to the cloud.

  • 12 (FiletypeFiltered): Resource DLL, NET Native, or Serializer-type file.

  • 13 (NotUploadGWLocal): Goodware file not saved to the cloud.

  • 14 (NotUploadMWdisinfect): Disinfected malware file not saved to the cloud.

Enumeration

pecreationsource

Type of drive where the process was created:

  • (0) Unknown: The device type cannot be determined.

  • (1) No root dir: The device path is invalid. For example, the external storage media was extracted.

  • (2) Removable media: Removable storage media.

  • (3) Fixed media: Internal storage media.

  • (4) Remote drive: Remote storage media (for example, a network drive).

  • (5) CD-ROM drive.

  • (6) RAM disk.

Numeric value

phonedescription

Phone description if the operation involved a device of this type.

Character string

protocol

Communications protocol used by the process.

  • 1 (ICMP)

  • 2 (IGMP)

  • 3 (RFCOMM)

  • 6 (TCP)

  • 12 (RDP)

  • 17 (UDP)

  • 58 (ICMPV6)

  • 113 (RM)

Enumeration

querieddomaincount

Number of different domains sent by the process for which there was a DNS resolution failure in the last hour.

Numeric value

regaction

Type of operation performed on the computer’s Windows registry.

  • 0 (CreateKey): A new registry branch was created.

  • 1 (CreateValue): A value was assigned to a registry branch.

  • 2 (ModifyValue): A registry branch value was modified.

Enumeration

remediationresult

User’s response to the pop-up message shown by Advanced EDR or Advanced EPDR.

  • 0 (Ok): The customer accepted the message.

  • 1 (Timeout): The pop-up message disappeared due to lack of action by the user.

  • 2 (Angry): The user chose the option to not block the item from the pop-up message displayed.

  • 3 (Block): The item was blocked because the user did not reply to the pop-up message.

  • 4 (Allow): The user accepted the solution.

  • -1 (Unknown)

Enumeration

remoteip

IP address of the computer that started the remote session.

IP address

remotemachinename

Name of the computer that started the remote session.

Character string

remoteport

Depends on the direction field:

  • incoming: The port of the process run on the computer protected with Advanced EDR and Advanced EPDR.

  • outgoing: The port of the process run on the remote computer.

Numeric value

remoteusername

Name of the computer that started the remote session.

Character string

sessiondate

Date the antivirus service was last started or last time it was started since the last update.

Date

sessiontype

Login type:

  • 0 (System Only): Session started with a system account.

  • 2 (Local): Session created physically through a keyboard or via KVM over IP.

  • 3 (Remote): Session created remotely in shared folders or printers. This login type uses secure authentication.

  • 4 (Scheduled): Session created by the Windows task scheduler.

  • -1 (Unknown)

  • 5 (Service): Session created when a service that needs to run in the user session is launched. The session is deleted when the service stops.

  • 7 (Blocked): Session created when a user tries to join a previously blocked session.

  • 8 (Remote Unsecure): Same as type 3 but the password is sent in plain text.

  • 9 (RunAs): Session created when the “RunAs” command is used under an account other than the account used to log in, and the “/netonly” parameter is specified. If the “/netonly” parameter is not specified, a type 2 session is created.

  • 10 (TsClient): Session created when accessing via “Terminal Service”, “Remote Desktop” or “Remote Assistance”. It identifies a remote user connection.

  • 11 (Domain Cached): User session created with domain credentials cached on the computer, but with no connection to the domain controller.

Enumeration

servicelevel

Agent execution mode.

  • 0 (Learning): The agent does not block any items but monitors all running processes.

  • 1 (Hardening): The agent blocks all unclassified programs coming from an untrusted source, and items classified as malware.

  • 2 (Block): The agent blocks all unclassified executables and items classified as malware.

  • -1 (N/A).

Enumeration

timeout

The local scan took too long to complete and the process was delegated to other mechanisms that do not impact performance.

Boolean

times

Number of times the same communication event occurred in the last hour.

Numeric value

timestamp

Timestamp of the action detected on the customer’s computer that generated the indicator.

Date

totalresolutiontime

Time it took the cloud to respond to the query, or the error code if the query failed.

  • 0: The cloud was not queried.

  • >0: Time in milliseconds it took the cloud to respond to the query.

  • <0: Cloud query error code.

Numeric value

type

Type of WMI operation performed by the process.

  • 0 (Command line event creation): WMI launched a command line in response to a change in the database.

  • 1 (Active script event creation): A script was run in response to receiving an event.

  • 2 (Event consumer to filter consumer): This event is generated whenever a process subscribes to receive notifications. The name of the created filter is received.

  • 3 (Event consumer to filter query): This event is generated whenever a process subscribes to receive notifications. The query run by the process to subscribe is received.

  • 4 (Create User): A user account was added to the operating system.

  • 5 (Delete User): A user account was deleted from the operating system.

  • 6 (Add user group): A group was added to the operating system.

  • 7 (Delete user group): A group was deleted from the operating system.

  • 8 (User group admin): A user was added to the admin group.

  • 9 (User group rdp): A user was added to the RDP group.

Enumeration

uniqueid

Unique ID of the device.

Character string

url

Download URL launched by the process that generated the logged event.

Character string

value

Type of operation performed on the computer’s Windows registry.

  • 0 (CreateKey): A new registry branch was created.

  • 1 (CreateValue): A value was assigned to a registry branch.

  • 2 (ModifyValue): A registry branch value was modified.

Enumeration

valuedata

Data type of the value contained in the registry branch.

  • 00 (REG_NONE)

  • 01 (REG_SZ)

  • 02 (REG_EXPAND_SZ)

  • 03 (REG_BINARY)

  • 04 (REG_DWORD)

  • 05 (REG_DWORD_BIG_ENDIAN)

  • 06 (REG_LINK)

  • 07 (REG_MULTI_SZ)

  • 08 (REG_RESOURCE_LIST)

  • 09 (REG_FULL_RESOURCE_DESCRIPTOR)

  • 0A (REG_RESOURCE_REQUIREMENTS_LIST)

  • 0B (REG_QWORD)

  • 0C (REG_QWORD_LITTLE_ENDIAN)

Enumeration

vdetevent

Deteven.dll DLL version.

Character string

version

Operating system version of the computer that ran the vulnerable software.

Character string

versionagent

Installed agent version.

Character string

versioncontroller

Psnmvctrl.dll DLL version.

Character string

vtabledetevent

TblEven.dll DLL version.

Character string

vtableramsomevent

TblRansomEven.dll DLL version.

Character string

vramsomevent

RansomEvent.dll DLL version.

Character string

vantiexploit

Anti-exploit technology version.

Character string

vtfilteraxtiexploit

Anti-exploit technology filter version.

Character string

versionproduct

Installed protection product version.

Character string

winningtech

Advanced EPDR or Advanced EDR agent technology raising the event.

  • 0 (Unknown).

  • 1 (Cache): Locally cached classification.

  • 2 (Cloud): Classification downloaded from the cloud.

  • 3 (Context): Local context rule.

  • 4 (Serializer): Binary type.

  • 5 (User): The user was asked about the action to take.

  • 6 (LegacyUser): The user was asked about the action to take.

  • 7 (NetNative): Binary type.

  • 8 (CertifUA): Detection by digital certificates.

  • 9 (LocalSignature): Local signature.

  • 10 (ContextMinerva): Cloud-hosted context rule.

  • 11 (Blockmode): The agent was in Hardening or Lock mode when the process was blocked from running.

  • 12 (Metasploit): Attack created with the Metasploit Framework.

  • 13 (DLP): Data Leak Prevention technology.

  • 14 (AntiExploit): Technology that identifies attempts to exploit vulnerable processes.

  • 15 (GWFilter): Technology that identifies goodware processes.

  • 16 (Policy): Advanced EDR advanced security policies.

  • 17 (SecAppControl): Security app control technologies.

  • 18 (ProdAppControl): Productivity app control technologies.

  • 19 (EVTContext): Linux contextual technology.

  • 20 (RDP): Technology to detect/block RDP (Remote Desktop Protocol) intrusions and attacks.

  • 21 (AMSI): Technology to detect malware in AMSI notifications.

  • -1 (Unknown)

Enumeration

wsdocs

Base-64 encoded list of all documents that were open when an exploit detection occurred.

Character string


List of the fields that make up the events stored by Cytomic
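A worked decoder for an event record, added here as an example and not Cytomic's own code: it maps the action, childclassification, eventtype, childattributes and operationflags/integrityLevel values from the table above to labels, parses the documented domainlist format, and flags combinations a threat hunter would want to review. The sample event is constructed, and the placement of integrityLevel inside an operationflags object is an assumption.

```python
import json

# Subsets of the enumerations documented in the table above.
ACTION = {0: "Allow", 1: "Block", 2: "BlockTimeout", 3: "AllowWL", 4: "BlockBL",
          5: "Disinfect", 6: "Delete", 7: "Quarantine", 8: "AllowByUser",
          13: "KillProcess", 14: "BlockExploit", 28: "AllowFGW",
          29: "AllowSWAuthorized", 32: "IPBlocked"}
CLASSIFICATION = {0: "Unknown", 1: "Goodware", 2: "Malware", 3: "Suspect",
                  4: "Compromised", 5: "GWNotConfirmed", 6: "Pup",
                  7: "GwUnwanted", 8: "GwRanked", -1: "Unknown"}
EVENTTYPE = {1: "ProcessOps", 14: "Download", 22: "NetworkOps", 26: "DataAccess",
             27: "RegistryOps", 40: "Detection", 45: "SystemOps", 46: "DnsOps",
             52: "LoginOutOps", 99: "RemediationOps"}
# childattributes / parentattributes bitmask (subset of the documented bits).
ATTRIBUTE_BITS = {
    0x1: "ISINSTALLER", 0x2: "ISDRIVER", 0x8: "ISRESOURCESDLL", 0x10: "EXTERNAL",
    0x20: "ISFRESHUNK", 0x200: "ISACTIONSEND", 0x400: "ISLANSHARED",
    0x1000: "ISSESIONREMOTE", 0x4000: "ISPE", 0x8000: "ISNOPE",
    0x2000000: "HASMACROS", 0x10000000: "ISDYNFILTERED",
}
# operationflags/integrityLevel values.
INTEGRITY = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
             0x3000: "High", 0x4000: "System", 0x5000: "Protected"}
UNCLASSIFIED = {0, 3, 5, -1}   # childclassification values not yet known to be goodware
ALLOWING = {0, 3, 8, 28, 29}   # action values that let the process keep running


def decode_attributes(mask):
    """Split a childattributes/parentattributes bitmask into flag names.
    Returns (names, unknown_bits) so undocumented bits are never silently dropped."""
    names = [name for bit, name in sorted(ATTRIBUTE_BITS.items()) if mask & bit]
    return names, mask & ~sum(ATTRIBUTE_BITS)


def parse_domainlist(value):
    """Parse the documented {domain_name,number#domain_name,number} format."""
    body = value.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    counts = {}
    for item in body.split("#"):
        if not item:
            continue
        name, sep, count = item.rpartition(",")
        if not sep or not count.isdigit():
            raise ValueError(f"malformed domainlist item: {item!r}")
        counts[name] = int(count)
    return counts


def integrity_level(ev):
    # Assumption: the event carries the level under operationflags.integrityLevel.
    return (ev.get("operationflags") or {}).get("integrityLevel")


def decode_event(event):
    """Translate the numeric fields of one event into readable labels."""
    ev = json.loads(event) if isinstance(event, str) else event
    attrs, unknown = decode_attributes(ev.get("childattributes", 0))
    return {
        "eventtype": EVENTTYPE.get(ev.get("eventtype"), "other"),
        "action": ACTION.get(ev.get("action"), "other"),
        "childclassification": CLASSIFICATION.get(ev.get("childclassification"), "other"),
        "childattributes": attrs,
        "undocumented_attribute_bits": unknown,
        "integrity": INTEGRITY.get(integrity_level(ev), "unknown"),
        "domainlist": parse_domainlist(ev["domainlist"]) if "domainlist" in ev else {},
    }


def triage(event):
    """Return rule ids for combinations a hunter would want to review."""
    ev = json.loads(event) if isinstance(event, str) else event
    mask = ev.get("childattributes", 0)
    hits = []
    if ev.get("action") in ALLOWING and ev.get("childclassification") in UNCLASSIFIED:
        hits.append("unclassified-allowed")   # unknown file was let through
    if mask & 0x10000000:
        hits.append("dynfiltered-allowed")    # allowed only because nothing could classify it
    if mask & 0x10 and mask & 0x2000000:
        hits.append("external-macro-doc")     # Office document with macros from outside
    if (integrity_level(ev) or 0) >= 0x3000 and ev.get("childclassification") != 1:
        hits.append("elevated-not-goodware")  # High/System integrity, not classified goodware
    return hits


# Constructed sample event (not real telemetry); values follow the table above.
SAMPLE_EVENT = {
    "eventtype": 1, "operation": 0, "action": 0, "childclassification": 0,
    "childattributes": 268451856,                # EXTERNAL | ISPE | ISDYNFILTERED
    "childpath": "C:\\Users\\alice\\Downloads\\setup.exe",
    "parentpath": "C:\\Windows\\explorer.exe",
    "operationflags": {"integrityLevel": 8192},  # 0x2000 = Medium
    "domainlist": "{example.com,3#update.example.net,1}",
}

if __name__ == "__main__":
    print(json.dumps(decode_event(SAMPLE_EVENT), indent=2))
    print("triage:", triage(SAMPLE_EVENT))
```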